Multiple vulnerabilities have been identified in Symantec Backup Exec for Windows Servers, which could be exploited by attackers to bypass security restrictions, overwrite arbitrary files, or take complete control of an affected system.
The first issue is caused by buffer overflow errors in the PVATLCalendar.PVCalendar.1 (pvcalendar.ocx) ActiveX control when handling overly long arguments passed to various properties (e.g. "_DOWText0" to "_DOWText6", or "_MonthText0" to "_MonthText11") while calling the "Save()" method, which could be exploited by malicious web sites to crash an affected browser or execute arbitrary code.
The second vulnerability is caused by a design error in the PVATLCalendar.PVCalendar.1 (pvcalendar.ocx) ActiveX control that includes the insecure "Save()" method, which could be exploited by malicious web sites to overwrite and corrupt arbitrary files, or save malicious scripts to an arbitrary location on a vulnerable system.
Note: To exploit these vulnerabilities, an attacker would need to be aware of the exact path to the vulnerable control and be able to effectively entice a user to upload and execute malicious scripts via HTML email or visit a malicious web site hosting specially crafted code.
Credits
Vulnerabilities reported by JJ Reyes (Secunia Research).
ChangeLog
2008-02-29 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
