CVE-2007-6017 in Backup Execinfo

Summary

by MITRE

The PVATLCalendar.PVCalendar.1 ActiveX control in pvcalendar.ocx in the scheduler component in the Media Server in Symantec Backup Exec for Windows Server (BEWS) 11d 11.0.6235 and 11.0.7170, and 12.0 12.0.1364, exposes the unsafe Save method, which allows remote attackers to cause a denial of service (browser crash), or create or overwrite arbitrary files, via string values of the (1) _DOWText0, (2) _DOWText1, (3) _DOWText2, (4) _DOWText3, (5) _DOWText4, (6) _DOWText5, (7) _DOWText6, (8) _MonthText0, (9) _MonthText1, (10) _MonthText2, (11) _MonthText3, (12) _MonthText4, (13) _MonthText5, (14) _MonthText6, (15) _MonthText7, (16) _MonthText8, (17) _MonthText9, (18) _MonthText10, and (19) _MonthText11 properties. NOTE: the vendor states "Authenticated user involvement required," but authentication is not needed to attack a client machine that loads this control.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/02/2025

The CVE-2007-6017 vulnerability represents a critical ActiveX control flaw in Symantec Backup Exec for Windows Server versions 11d and 12.0, specifically within the PVATLCalendar.PVCalendar.1 component. This vulnerability stems from the unsafe implementation of the Save method in the pvcalendar.ocx file, which exposes multiple string properties that can be manipulated by remote attackers. The affected properties include various day of week and month text parameters, creating a wide attack surface for potential exploitation. The vulnerability is particularly concerning because it operates at the client-side ActiveX control level, where browser security boundaries are often more relaxed than server-side protections, making it accessible to attackers without requiring authentication to the target system.

The technical flaw manifests through the unsafe handling of user-supplied string values in the calendar control's properties, which are directly passed to the Save method without proper validation or sanitization. When these properties receive malicious input, the control attempts to write data to arbitrary file paths on the victim's system, potentially overwriting existing files or creating new ones with attacker-controlled content. This behavior constitutes a classic file system manipulation vulnerability that can lead to both denial of service conditions through browser crashes and more severe persistent attacks. The vulnerability's impact extends beyond simple file manipulation as it allows attackers to potentially place malicious code in system directories, leveraging the trust relationships inherent in ActiveX controls to execute arbitrary operations with the privileges of the user running the browser.

The operational impact of this vulnerability is significant for organizations running affected Symantec Backup Exec versions, as it creates a persistent attack vector that can be exploited through web-based delivery mechanisms. Attackers can craft malicious web pages or email attachments that, when viewed in vulnerable browsers, automatically trigger the exploitation of the ActiveX control. The fact that authentication is not required for client-side exploitation means that the attack surface is extremely broad, potentially affecting any user who visits a compromised website or opens a malicious document containing the vulnerable control. This vulnerability directly maps to CWE-74, which describes improper neutralization of special elements in output used by a downstream component, and also aligns with ATT&CK technique T1195.002 for Content Injection attacks. The vulnerability's characteristics also relate to T1059 for command and scripting interpreter execution, as successful exploitation could enable attackers to execute arbitrary code on the victim's system.

Organizations should immediately implement mitigations including disabling ActiveX controls in web browsers, particularly for known vulnerable components, and deploying network-based protections such as web application firewalls that can detect and block exploitation attempts. The most effective long-term solution involves upgrading to patched versions of Symantec Backup Exec, as the vendor has addressed this vulnerability in subsequent releases. Additionally, security awareness training should emphasize the dangers of visiting untrusted websites or opening suspicious email attachments, as these remain the primary delivery mechanisms for ActiveX-based exploits. Network segmentation and privilege separation can help limit the potential impact if exploitation occurs, while regular security assessments should verify that no vulnerable ActiveX controls remain installed on client systems. The vulnerability also underscores the importance of maintaining current security patches and implementing comprehensive application whitelisting policies to prevent unauthorized ActiveX control execution.

Sources

Want to know what is going to be exploited?

We predict KEV entries!