6922830 2001-08-17 09:32 +0100  /348 lines/  <quentyn@fotango.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-17  16:49  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18812>
Subject: Arkeia Possible remote root & information leakage
------------------------------------------------------------
From: quentyn@fotango.com
To: bugtraq@securityfocus.com
Message-ID: <3B7CD688.D0A63663@fotango.com>

Arkeia (4.2 - other versions not tested) Possible remote root &
information leakage

## Summary

Arkeia (www.arkeia.com) is (from their webpage):

"Arkeia simplifies data protection by providing automated backup and
recovery. The system supports a wide variety of computers, operating
systems and storage devices. It is easy to install, configure and
use. It is fast, reliable and scales from a few systems to an
enterprise."


The client-gui <-> server communication is not encrypted by default
(the passwords are - see later) and a wealth of interesting
information is sent in the clear. The information sent by the
client-gui could easily lead to remote root compromise.

## Tools

Arkeia 4.2.8-2 server (RH linux 6.2) default install from RPM

client-gui arkeia-gui-4.2.7-1 (RH linux 7.1) default install from RPM

Ethereal (0.8-16)

## Scenario

The client logs into the server in the normal way. A person sniffs the
traffic between the client-gui and the server.

## Problem

Many installations of arkeia will be installed on remote sites and
controlled remotely via the client-gui (available for most
architectures).  The client-gui (see above for versions tested)
appears not to communicate in a secure way with the server, possibly
allowing an attacker to compromise an arkeia account.
 
By default the security options in /usr/knox/nlp/auth* are not
activated. These options do not appear to change encryption options.

Encryption, I believe [1], costs extra.

NB

In the default install /usr/knox/ is mode 755 (see BID 3085 -
chmoding to 750 root:root solves this).

Also, by default, the "root" account (the default administrator account)
password is set to null.

See the file "/usr/knox/arkx/arkxgb.hlp" in a default RPM install.

Here is a quote from the Arkeia client-gui (in the help screen):

<quote>
Arkeia's initial logon configuration is described below:

   1) Server: (as specified during installation procedure)
   2) Login: root
   3) Password: (no password)
</quote>

If this product were installed in a non-secured environment there could
be a "race condition" to see who could set the password first.

## Problem Detail

The password is hashed with the crypt function with a constant salt (the
characters "n3") - 8-character passwords maximum.

Authentication success/failure info is sent in the clear.

License information - the full set of license information is sent in the
clear (including version, serial, organization, key, expiry and type
of drive the product is licensed for).

Username - the username and role are sent in the clear (so that you know
which account to compromise).

## Proof

# Weak passwords (network packet dumps from Ethereal - xena is the Arkeia
server)

0000  00 b0 d0 22 e2 d0 00 b0  d0 78 96 73 08 00 45 00   .°Ð"âÐ.° Ðx.s..E.
0010  00 9b 86 ea 40 00 40 06  2f 47 c0 a8 01 33 c0 a8   ...ê@.@. /GÀ¨.3À¨
0020  01 a8 04 01 02 69 0d 92  7e 0f 1c 9e 41 36 80 18   .¨...i.. ~...A6..
0030  29 e0 a9 27 00 00 01 01  08 0a 01 90 10 14 60 b8   )à©'.... ......`¸
0040  48 b3 00 69 00 01 00 00  00 5f 4c 00 49 4e 4f 44   H³.i.... ._L.INOD
0050  45 00 78 65 6e 61 00 49  50 41 53 53 57 4f 52 44   E.xena.I PASSWORD
0060  00 6e 33 56 32 57 6f 63  58 4d 39 33 41 6b 00 49   .n3V2Woc XM93Ak.I
0070  4e 41 4d 45 00 72 6f 6f  74 00 49 45 4d 41 49 4c   NAME.roo t.IEMAIL
0080  00 61 72 6b 65 69 61 40  66 6f 74 61 6e 67 6f 2e   .arkeia@ fotango.
0090  63 6f 6d 00 49 52 4f 4c  45 00 41 44 4d 49 4e 49   com.IROL E.ADMINI
00a0  53 54 52 41 54 4f 52 00  45                        STRATOR. E

The above packet contains the password "password" hashed to
n3V2WocXM93Ak; the packet below contains the password "letmein" hashed
to n3LGeVp5KwvfE.

0000  00 b0 d0 22 e2 d0 00 b0  d0 78 96 73 08 00 45 00   .°Ð"âÐ.° Ðx.s..E.
0010  00 63 89 55 40 00 40 06  2d 14 c0 a8 01 33 c0 a8   .c.U@.@. -.À¨.3À¨
0020  01 a8 04 01 02 69 e1 07  51 3c ee 26 bc b6 80 18   .¨...iá. Q<î&¼¶..
0030  16 d0 d7 4d 00 00 01 01  08 0a 01 6f d9 fa 60 98   .Ð×M.... ...oÙú`.
0040  11 ea 00 61 00 02 00 00  00 27 72 6f 6f 74 00 6e   .ê.a.... .'root.n
0050  33 35 56 57 4f 45 55 51  76 57 74 63 00 39 39 37   n3LGeVp5KwvfE.997
0060  34 33 35 30 34 37 00 00  00 00 00 00 00 00 00 00   435047.. ........
0070  00


Now if you look at the hashes (n3V2WocXM93Ak and n3LGeVp5KwvfE) you
notice that the string n3 appears at the front (this is common to
all passwords that it sends).

So let's see how they have encrypted it (crypt?). So let's try:

perl -e 'print crypt "password", "n3"'  gives  n3V2WocXM93Ak and

perl -e 'print crypt "letmein", "n3"'   gives  n3LGeVp5KwvfE

So there we have it: they use crypt with a constant salt of "n3".

This has been verified with both the Linux GUI client and the MS Java
version (on Win2k).

Problems inherent with this scheme: 8-character max passwords, i.e.
setting the password to passwordpassword gives:

0000  00 b0 d0 22 e2 d0 00 b0  d0 78 96 73 08 00 45 00   .°Ð"âÐ.° Ðx.s..E.
0010  00 63 6a 83 40 00 40 06  4b e6 c0 a8 01 33 c0 a8   .cj.@.@. KæÀ¨.3À¨
0020  01 a8 04 01 02 69 e9 4e  1d 1b f6 f2 a5 d0 80 18   .¨...iéN ..öò¥Ð..
0030  16 d0 4c e6 00 00 01 01  08 0a 01 7c 76 ea 60 a4   .ÐLæ.... ...|vê`¤
0040  af 1e 00 61 00 02 00 00  00 27 72 6f 6f 74 00 6e   ¯..a.... .'root.n
0050  33 56 32 57 6f 63 58 4d  39 33 41 6b 00 39 39 37   3V2WocXM 93Ak.997
0060  34 34 33 33 31 33 00 00  00 00 00 00 00 00 00 00   443313.. ........


So although you may be using passwords >8 characters for your root
passwords, Arkeia (which is a root-level service) only uses 8.


# Authentication info sent in the clear + roles listed in the clear

0000  00 b0 d0 78 96 73 00 b0  d0 22 e2 d0 08 00 45 00   .°Ðx.s.° Ð"âÐ..E.
0010  01 16 83 77 40 00 40 06  32 3f c0 a8 01 a8 c0 a8   ...w@.@. 2?À¨.¨À¨
0020  01 33 02 69 04 01 ee 26  bc eb e1 07 51 a5 80 18   .3.i..î& ¼ëá.Q¥..
0030  fe 88 b2 9c 00 00 01 01  08 0a 60 98 11 ee 01 6f   þ.²..... ..`..î.o
0040  d9 ff 00 68 00 01 00 00  00 04 00 00 00 00 00 65   Ùÿ.h.... .......e
0050  00 01 00 00 00 66 32 30  30 31 2f 30 38 2f 31 30   .....f20 01/08/10
0060  20 31 30 3a 32 31 3a 30  32 20 49 33 30 31 35 30    10:21:0 2 I30150
0070  30 32 30 20 55 53 52 5f  56 41 4c 49 44 41 54 45   020 USR_ VALIDATE
0080  3a 20 59 6f 75 20 68 61  76 65 20 73 75 63 63 65   : You ha ve succe
0090  73 73 66 75 6c 6c 79 20  6c 6f 61 64 65 64 20 74   ssfully  loaded t
00a0  68 65 20 63 75 72 72 65  6e 74 20 75 73 65 72 20   he curre nt user 
00b0  69 6e 66 6f 72 6d 61 74  69 6f 6e 00 00 69 00 01   informat ion..i..
00c0  00 00 00 60 4c 00 54 50  4e 41 4d 45 00 72 6f 6f   ...`L.TP NAME.roo
00d0  74 00 50 52 4f 4c 45 00  41 44 4d 49 4e 49 53 54   t.PROLE. ADMINIST
00e0  52 41 54 4f 52 00 50 50  41 53 53 57 4f 52 44 00   RATOR.PP ASSWORD.
00f0  6e 33 35 56 57 4f 45 55  51 76 57 74 63 00 50 4e   n35VWOEU QvWtc.PN
0100  4f 44 45 00 78 65 6e 61  00 50 45 4d 41 49 4c 00   ODE.xena .PEMAIL.
0110  61 72 6b 65 69 61 40 66  6f 74 61 6e 67 6f 2e 63   arkeia@f otango.c
0120  6f 6d 00 45                                        om.E

Notice the password just went past again.

# License Information (the actual license numbers have been removed)

0000  00 b0 d0 78 96 73 00 b0  d0 22 e2 d0 08 00 45 00   .°Ðx.s.° Ð"âÐ..E.
0010  01 40 83 87 40 00 40 06  32 05 c0 a8 01 a8 c0 a8   .@..@.@. 2.À¨.¨À¨
0020  01 33 02 69 04 01 ee 26  bd fa e1 07 51 f0 80 18   .3.i..î& ½úá.Qð..
0030  fe 88 d2 ee 00 00 01 01  08 0a 60 98 11 fa 01 6f   þ.Òî.... ..`..ú.o
0040  da 0b 00 68 00 01 00 00  00 04 00 00 00 00 00 65   Ú..h.... .......e
0050  00 01 00 00 00 5b 32 30  30 31 2f 30 38 2f 31 30   .....[20 01/08/10
0060  20 31 30 3a 32 31 3a 30  32 20 57 33 30 31 35 30    10:21:0 2 W30150
0070  31 33 30 20 4c 49 43 45  4e 53 45 5f 47 45 54 3a   130 LICE NSE_GET:
0080  20 54 68 69 73 20 76 65  72 73 69 6f 6e 20 6f 66    This ve rsion of
0090  20 41 72 6b 65 69 61 20  69 73 20 6c 69 63 65 6e    Arkeia  is licen
00a0  73 65 64 20 74 6f 20 27  46 4f 54 41 4e 47 4f 27   sed to ' FOTANGO'
00b0  00 00 69 00 01 00 00 00  95 4c 00 49 4c 49 43 45   ..i..... .L.ILICE
00c0  4e 53 45 00 41 52 4b 34  32 00 49 53 45 52 49 41   NSE.ARK4 2.ISERIA
00d0  4c 00 54 45 39 32 47 52  31 48 52 48 4e 44 50 4e   ${OUR SERIAL}
00e0  00 49 4f 52 47 41 4e 49  53 41 54 49 4f 4e 00 46   .IORGANI SATION.F
00f0  4f 54 41 4e 47 4f 00 49  4b 45 59 00 58 58 58 55   OTANGO.I KEY.${OUR KEY}
0100  33 58 45 35 59 4e 38 56  34 33 00 49 4f 50 54 49            43.IOPTI
0110  4f 4e 00 35 33 00 49 45  58 50 49 52 59 00 30 00   ON.53.IE XPIRY.0.
0120  49 44 52 49 56 45 00 32  00 49 46 4c 4f 57 34 00   IDRIVE.2 .IFLOW4.
0130  32 00 49 46 4c 4f 57 33  00 30 00 49 46 4c 4f 57   2.IFLOW3 .0.IFLOW
0140  32 00 35 00 49 46 4c 4f  57 31 00 32 00 45         2.5.IFLO W1.2.E

As you can see above: the license number, serial, name, number of
flows, and the key (something that they tell you to keep safe).


## Implications

Because the salt is known and because the max password length is 8
characters, it would not be beyond the realms of possibility to crack
the password (effectively a root password). Once you have access
through the GUI, you have the possibility of running a command from
the GUI before and after the backup job. This command is run as root
and can be anything. Therefore you have full access to the box to do
with as you please.

A DoS situation could occur if you restored a file over another (any
file over /etc/shadow); however, with full shell access to the server,
why bother?

## Solutions

Turn on encryption - this costs more money [1] and I am not sure that the
client (GUI client) supports it (certainly none of the ones I have
looked at - Linux), so even if you can encrypt the data being sent to
the server (the actual data being sent to tape) it doesn't look like
the GUI client can support it.

[1]
http://support.arkeia.com/cgi-bin/arkeia/solution?11=000811-0000&130=0965990356&14=&2715=&15=&2716=&57=search&58=&2900=E1KciKRhYN&25=7&3=encryption

Use an SSH tunnel (www.ssh.com, www.openssh.com).

Use Arkeia only over "trusted" networks.


## Notifications

Arkeia's European office was contacted (by telephone) on 10/08/01 and
this mail was sent to an Arkeia support employee (at his request).

## Interest

Below is an extract from Arkeia's license:

5. DISCLAIMER OF WARRANTY. THE PRODUCT IS PROVIDED ON AN "AS IS"
BASIS, WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION THE
WARRANTIES THAT IT IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A
PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE
QUALITY AND PERFORMANCE OF THE PRODUCT IS BORNE BY YOU, AS
LICENSEE. SHOULD THE PRODUCT PROVE DEFECTIVE IN ANY RESPECT, LICENSEE
AND NOT LICENSOR OR ITS SUPPLIERS OR RESELLERS ASSUMES THE ENTIRE
COST OF ANY SERVICE AND REPAIR. IN ADDITION, THE SECURITY MECHANISMS
IMPLEMENTED BY THE PRODUCT HAVE INHERENT LIMITATIONS, AND YOU MUST
DETERMINE THAT THE PRODUCT SUFFICIENTLY MEETS YOUR REQUIREMENTS. THIS
DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS
AGREEMENT. NO USE OF THE PRODUCT IS AUTHORIZED HEREUNDER EXCEPT UNDER
THIS DISCLAIMER.


"THE SECURITY MECHANISMS IMPLEMENTED BY THE PRODUCT HAVE INHERENT
LIMITATIONS" - though what these are is not listed on their site.


## Refs

http://www.openwall.com/john/

http://www.arkeia.com/

http://www.ethereal.com/

-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
(6922830) / <quentyn@fotango.com>/--------(Rewrapped)
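A passive decoder for the login exchange shown in the dumps above, added here as an illustration and not code from the post or from Arkeia. It reads the post's first packet dump, strips the Ethernet/IP/TCP headers, splits the NUL-separated tag/value fields, and returns the findings a network monitor would raise (credential hash with the fixed "n3" salt, account name, role, e-mail and node all in the clear); the 2-byte type, 2-byte sequence, 4-byte length framing and the tag meanings are inferred from the dumps and are assumptions.

```python
import re

# First client->server packet dump from the post (hex columns only): the GUI login of "root" to "xena".
ARKEIA_LOGIN_DUMP = """
0000  00 b0 d0 22 e2 d0 00 b0  d0 78 96 73 08 00 45 00
0010  00 9b 86 ea 40 00 40 06  2f 47 c0 a8 01 33 c0 a8
0020  01 a8 04 01 02 69 0d 92  7e 0f 1c 9e 41 36 80 18
0030  29 e0 a9 27 00 00 01 01  08 0a 01 90 10 14 60 b8
0040  48 b3 00 69 00 01 00 00  00 5f 4c 00 49 4e 4f 44
0050  45 00 78 65 6e 61 00 49  50 41 53 53 57 4f 52 44
0060  00 6e 33 56 32 57 6f 63  58 4d 39 33 41 6b 00 49
0070  4e 41 4d 45 00 72 6f 6f  74 00 49 45 4d 41 49 4c
0080  00 61 72 6b 65 69 61 40  66 6f 74 61 6e 67 6f 2e
0090  63 6f 6d 00 49 52 4f 4c  45 00 41 44 4d 49 4e 49
00a0  53 54 52 41 54 4f 52 00  45
"""
# Traditional DES crypt(3) output: 2-char salt then 11 chars of [./0-9A-Za-z].
DES_CRYPT_SALT_N3 = re.compile(r"n3[./0-9A-Za-z]{11}")

def hexdump_to_bytes(dump):
    """Ethereal-style 'offset  xx xx ...' lines (hex columns only) back to bytes."""
    return bytes(int(t, 16) for ln in dump.strip().splitlines() for t in ln.split()[1:])

def tcp_payload(frame):
    """Strip Ethernet II, IPv4 and TCP headers (no VLAN tag assumed)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, int.from_bytes(ip[2:4], "big")
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    return tcp[(tcp[12] >> 4) * 4:]  # TCP data offset is in 32-bit words

def parse_arkeia_message(payload):
    """Framing inferred from the dumps (an assumption, not documented protocol):
    2-byte type, 2-byte sequence, 4-byte big-endian body length, then a body
    of 'L', NUL-terminated tag/value pairs, 'E'. Returns (type, fields)."""
    msg_type = int.from_bytes(payload[0:2], "big")
    body_len = int.from_bytes(payload[4:8], "big")
    body = payload[8:8 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated message")
    fields = {}
    if body[:1] == b"L" and body[-1:] == b"E":
        items = body[2:-1].split(b"\x00")[:-1]  # drop the empty trailing item
        if len(items) % 2:
            raise ValueError("odd number of tag/value items")
        for tag, val in zip(items[::2], items[1::2]):
            fields[tag.decode("latin-1")] = val.decode("latin-1")
    return msg_type, fields

def audit_fields(fields):
    """Findings a passive monitor would raise for one decoded login message."""
    findings = []
    for tag, val in fields.items():
        if "PASSWORD" in tag and DES_CRYPT_SALT_N3.fullmatch(val):
            findings.append(f"{tag}: DES crypt hash with fixed salt 'n3' in the clear")
        elif "PASSWORD" in tag:
            findings.append(f"{tag}: credential material in the clear")
        elif tag.endswith(("NAME", "ROLE", "EMAIL", "NODE")):
            findings.append(f"{tag}={val}: account metadata in the clear")
    return findings
```

Running `audit_fields(parse_arkeia_message(tcp_payload(hexdump_to_bytes(ARKEIA_LOGIN_DUMP)))[1])` on the embedded dump yields five findings, one per leaked field.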
6923239 2001-08-17 11:32 -0400  /28 lines/ Neil Curri <NCurri@gjusa.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-17  17:43  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18819>
Subject: RE: Arkeia Possible remote root & information leakage
------------------------------------------------------------
From: Neil Curri <NCurri@gjusa.com>
To: bugtraq@securityfocus.com
Message-ID: <361D0AC11FC34E4C9AE9A723506570135EF863@FC-EXCH>

> Because the salt is known and because the max password length is 8
> characters it would not  be beyond the realms of possibility to crack
> the password (effectively a root password) 
> 
It is only an arkeia "root" password. It's not even a real user with a
shell. Make sure your system root password is different from your arkeia
root password.

> once you have access through
> the gui, you have the possibility of running a command from the gui
> before and after the backup job. This command is run as root and can be
> anything. 
> 
I didn't realize this, but it makes sense. If you install the
RPM as the system root, arkeia processes will be run as root.

> Use an SSH tunnel (www.ssh.com www.openssh.com)
> 
This article on arkeia's support site explains how to set up an ssh tunnel
through a firewall for arkeia:
http://support.arkeia.com/cgi-bin/arkeia/solution?11=000322-0014&130=0953783453&14=&2715=&15=&2716=&57=search&58=&2900=JP9cQm9m9p&25=7&3=ssh
(6923239) /Neil Curri <NCurri@gjusa.com>/-(Rewrapped)
6923950 2001-08-17 13:13 -0400  /26 lines/ Joe Glass <joe@glass.cl.msu.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-08-17  20:18  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18824>
Comment on text 6922830 by <quentyn@fotango.com>
Subject: Re: Arkeia Possible remote root & information leakage
------------------------------------------------------------
From: Joe Glass <joe@glass.cl.msu.edu>
To: bugtraq@securityfocus.com
Message-ID: <3B7D50B8.6A6ED47F@glass.cl.msu.edu>

More importantly, you could run a command as root on any box that is
backed up by Arkeia.  (I'm sure you already know this, but it wasn't
completely clear in this e-mail).  I forwarded your e-mail to the
Arkeia userlist.  It seems as though the moderators at Knox don't let
these e-mails show up on their userlist though.  I forwarded the last
security issue that was talked about on Bugtraq to the userlist
several times, but it never appeared.  Which doesn't make sense to
me.

> ##Implications
> the password (effectively a root password) once you have access through
> the gui, you have the possibility of running a command from the gui
> before and after the backup job. This command is run as root and can be
> anything. Therefore you have full access to the box to do with as you
> please.

-- 
Joe Glass
Technical Support Services, Michigan State University
phone:  517-355-4500 x240
e-mail: joe@glass.cl.msu.edu
(6923950) /Joe Glass <joe@glass.cl.msu.edu>/(Rewrapped)
6935728 2001-08-19 18:28 +0100  /169 lines/  <quentyn@fotango.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-20  01:48  by Brevbäraren
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18839>
Subject: Re: Arkeia Possible remote root & information leakage
------------------------------------------------------------
From: quentyn@fotango.com
Cc: bugtraq@securityfocus.com
Message-ID: <3B7FF739.D7EA1469@fotango.com>

Erik wrote:
> 
> Ok, I'm just wondering.. I read this Several times, and I don't see a
> BUG. I could write all day that people should use SSH instead of telnet,
> because it's all unencrypted, but that doesn't mean telnet has a bug. It's
> not suppose to be secure. Neither is Arkeia. You are talking about
> features.. Not bugs.

However, we all know that telnet is unencrypted; Arkeia does not make
the point on their page. Indeed it is the amount and quality of
information that they send over the connection that I was worried
about.

> 
> The users password is whatever they set it to. If you install it, the
> instructions clearly tell you to set a password once its installed.
> Read the instructions when you install software, and your set.
> 
> Them being able to execute remote code as root is quite possible..

It is easy: go into the advanced options and tell it to run

<lame example>

echo "r00t::0:0:root:/root:/bin/bash" >> /etc/passwd

</lame example>

after or before the backup runs.


> In
> fact, thats a feature of the software. Albeit a weak one, in the fact that
> you can sniff the password and then send remote commands.. But the server
> shouldn't be running as root, just like their instructions says.

Could you point me to this?

The daemon has to run as root, as how is it going to access the files
it needs to?

i.e. home dirs? Without creating either a secondary group (with the
perms) or world-readable files?



> 
> The encryption option on Arkeia is for Encrypting your actual data on the
> DLT's, I do not believe it is also encrypted server/client communication,
> although you can tunnel over SSH.
> 
> > if this product was installed in a non secured environment there could
> > be a "race condition" to see who could set the password first
> 
> That's a funny way of putting it. Maybe "A race to set the password
> first". Anyway, backups usually run on a dedicated backup server, which
> should be configured offline anyway, right? Do you install Solaris 8 on an
> Ultra 10, ON the public network, and then patch it? I hope not.

See Piranha (by Red Hat, BID something or other).

Also, would you install RH 6.2 on a public network? No, *you* wouldn't,
but many people do...

See the Honeynet Project results to see how long an RH 6.2 box will
survive unpatched.

It is only by notifying people of these problems (here) that people
realise what they can and cannot do.

> 
> > License Information - full set of license information is sent in the
> > clear ( including version, serial, organization, Key, expiry and type of
> > drive the product is license for) .
> 
> Are you going to release an advisory for Ncftpd if people have their
> general.cf readable so users can get their Registration code? Anyway, I've
> never installed an Arkeia license on a client machine, so I'm not sure why
> it would be being sent. I'm not saying it's not being sent,

It is sent to the gui-client (not the backup agent - haven't checked).

It is sent many times without reason.


> I haven't
> checked.. I don't think there is any reason for it. The server knows how
> many clients to let connect and how many you can configure into it, and of
> what system types (licensing is platform based), and what tape drive is
> attached.

> 
> That is pretty weak, and they could have done it a lot better. But again,
> it's not a bug, it's just weak encryption..

So why don't they mention on their page that they use such poor
encryption? I would want to know if this was the case.

Why use a constant salt?


> 
> > so allthough you may be using passwords >8 for your root passwords
> > arkeia (which is a root level service) only uses 8.
> 
> Solaris = Default 8 character max
> 
> Sucks, but it's not uncommon.

But they don't mention it... (their support engineer didn't realise
this).

> 
> > the license number, serial, name, No. of flows, and the key (some thing
> > that they tell you to keep safe)
> 
> No place safer than every network interface on your network! :P

I would prefer it if this information wasn't sent every time.



> 
> Encryption is only for the data being written to the tapes. So upgrading
> would be a waste if that is why you seek. (2x check with Arkeia)

I believe that this could be the case, so there is no way of stopping
the license et al. being sent.

> 
> I know this seems a little harsh, but I'm seeing all the times things
> being called bugs lately, that aren't really bugs.. They are design. A
> poor design perhaps, but not a bug. Some programmer decided that a weak
> password was OK. And the instructions say not to run it as root, so that
> solves that portion.

Where does it say not to run as root? I have looked in the README, and
in the NT client stuff they tell you to run it as ADMINISTRATOR....

I think that there could be conflicting documentation somewhere....


> 
> And it would also suck to have to tunnel over SSH. You couldn't make just
> the control information tunnel and the normal data go regular. I wouldn't
> like to try and tunnel 90Mb/min through ssh with multiple flows. SSH has a
> hard enough time on a Ghz processor tunneling ftp over a LAN and still
> pulling good speeds. SSH just wan't meant to do that kind of stuff.

I meant: send the gui-client over SSH, and use the Arkeia encryption
method for the actual data.


-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
DMR: So fsck was originally called something else. Q: What was it
called? DMR: Well, the second
letter was different. 
   Dennis M. Ritchie, Usenix, June 18, 1998.
(6935728) / <quentyn@fotango.com>/--------(Rewrapped)