Summary
Name: Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Release Date: 20 August 2012
Reference: NGS00340
Discoverer: Matt Lewis
Vendor: Symantec
CVE Reference: CVE-2013-4676
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Released
TimeLine
Discovered: 6 July 2012
Released: 6 July 2012
Approved: 6 July 2012
Reported: 6 July 2012
Fixed: 1 August 2013
Published: 30 September 2013
Description
Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding groups, Servers and Computers
I. VULNERABILITY
The Symantec Backup Exec 2012 Utility program which ships with the product
(BEUtility.exe) is vulnerable to stored XSS. This is exploitable by anyone
with execution privileges on the BEUtility.exe program.
JavaScript can be inserted directly into the name fields when adding
groups, servers and computers. The JavaScript is persistent, and the XSS
vectors are re-exploited each time a user opens the utility and clicks on
the affected group, server or computer in the navigation pane.
II. Background
Symantec Backup Exec 2012 is an enterprise-level backup solution. The
affected version of BEUtility.exe is 14.0 Rev. 1798.
III. Description
Stored XSS vulnerabilities have been found and confirmed within the
BEUtility.exe application. The application can ordinarily be found at
C:\Program Files\Symantec\Backup Exec\BEUtility.exe
Technical Details
- The Symantec Backup Exec Utility can typically be found at C:\Program Files\Symantec\Backup Exec\BEUtility.exe.
- When the application is launched, create a new Backup Exec server group.
- In the name text field, enter JavaScript.
- This creates a persistent XSS attack vector: each time a user launches the utility and clicks on the group item in the navigation pane, the XSS vulnerability is exploited.
- It is also possible to insert script tags when adding new Servers and Computers.
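As an added illustration (not code from the advisory, from NGS or from Symantec), the model below shows the rendering defect the advisory describes and the defender-side fixes: a navigation pane built by concatenating stored names straight into HTML, the same pane with output encoding applied, and an audit that flags stored names carrying markup. The HTML navigation pane, the function names and the sample names are assumptions; the advisory does not state how BEUtility.exe renders the names.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of group/server/computer names as a user might have
# stored them through the utility; the last two carry the kind of markup
# the advisory describes being typed into the name field.
SAMPLE_NAMES = [
    "Finance Servers",
    "BKUP-SRV-01",
    "<script>alert('stored')</script>",
    "WS-07<img src=x onerror=alert(1)>",
]

def render_nav_unsafe(names):
    """Vulnerable pattern: stored names concatenated straight into HTML."""
    items = "".join(f"<li>{n}</li>" for n in names)
    return f"<ul class='nav'>{items}</ul>"

def render_nav_safe(names):
    """Hardened pattern: every name HTML-encoded at the point of output."""
    items = "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names)
    return f"<ul class='nav'>{items}</ul>"

class _TagCollector(HTMLParser):
    """Records every start tag an HTML renderer would act on."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(rendered):
    """Tag names present in rendered markup; anything beyond ul/li came from a stored name."""
    p = _TagCollector()
    p.feed(rendered)
    return p.tags

# Heuristic: a legitimate group, server or computer name never contains markup.
_MARKUP = re.compile(r"<\s*/?[a-z]|javascript:", re.IGNORECASE)

def find_suspicious_names(names):
    """Defender's audit of stored names: return those carrying tag or script markup."""
    return [n for n in names if _MARKUP.search(n)]

if __name__ == "__main__":
    print("unsafe tags:", tags_in(render_nav_unsafe(SAMPLE_NAMES)))
    print("safe tags:  ", tags_in(render_nav_safe(SAMPLE_NAMES)))
    print("suspicious: ", find_suspicious_names(SAMPLE_NAMES))
```

The audit function is the check to run over an existing configuration store after patching, since encoding on output does not remove names that were already stored with markup.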
Fix Information
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130801_00