CVE-2004-1172

Veritas Backup Exec 8.x-9.x - Stack-Based Buffer Overflow via Long Hostname in Agent Browser Registration

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2004-1172. PoCs published by Metasploit, class101, hdm, including Metasploit module exploits/windows/backupexec/name_service.

AI-analyzed exploit summary This Metasploit module exploits a stack-based buffer overflow in Veritas Backup Exec's Name Service (CVE-2004-1172) by sending a maliciously crafted agent registration request. It uses a staged payload approach to bypass space constraints, first executing a small findsock shellcode to receive and execute the full payload.

Description

Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16331

This Metasploit module exploits a stack-based buffer overflow in Veritas Backup Exec's Name Service (CVE-2004-1172) by sending a maliciously crafted agent registration request. It uses a staged payload approach to bypass space constraints, first executing a small findsock shellcode to receive and execute the full payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Veritas Backup Exec 9.1 SP0/SP1, 8.5
No auth needed
Prerequisites: Network access to the target's Backup Exec Name Service (port 6101)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by class101 · cremotewindows
https://www.exploit-db.com/exploits/750

This exploit targets a remote stack overflow in VERITAS Backup Exec Agent Browser Service (CVE-2004-1172). It uses a two-stage shellcode approach to achieve reliable exploitation across multiple Windows versions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: VERITAS Backup Exec v9.1.4691.SP1, v9.1.4691.SP0, v8.5.3572
No auth needed
Prerequisites: Network access to the target's Agent Browser Service (port 10000)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by hdm · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/backupexec/name_service.rb

This Metasploit module exploits a stack-based buffer overflow in Veritas Backup Exec's Name Service (CVE-2004-1172) by sending a maliciously crafted agent registration request. It uses a two-stage payload: a small findsock stub to locate the socket and receive the full shellcode, followed by the actual payload execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Veritas Backup Exec 9.1 SP0/SP1, 8.5
No auth needed
Prerequisites: Network access to the target's Name Service (port 6101)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Various Sources x_refsource_confirm
http://seer.support.veritas.com/docs/273419.htm
Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11974
Various Sources x_refsource_confirm
http://seer.support.veritas.com/docs/273850.htm
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/907729
Various Sources x_refsource_confirm
http://seer.support.veritas.com/docs/273422.htm
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/13495/
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18506
Various Sources x_refsource_confirm
http://seer.support.veritas.com/docs/273420.htm
Various Sources third-party-advisory x_refsource_idefense
http://www.idefense.com/application/poi/display?id=169

Scores

EPSS 0.8179
EPSS Percentile 99.6%

Details

Status published
Products (5)
symantec_veritas/backup_exec 8.0
symantec_veritas/backup_exec 8.5
symantec_veritas/backup_exec 8.6
symantec_veritas/backup_exec 9.0
symantec_veritas/backup_exec 9.1
Published Jan 10, 2005
Tracked Since Feb 18, 2026