PDA

Bekijk Volledige Versie : Arkeia Network Backup Client Remote Access



H D Moore
21/02/05, 20:05
Anyone able to connect to TCP port 617 can gain read/write access to the
filesystem of any host running the Arkeia agent software. This appears to
be an intentional design decision on the part of the Arkeia developers. A
long-winded description of this issue, complete with screen shots,
demonstration code, and packet captures can found online at:

- http://metasploit.com/research/arkeia_agent/

-HD

Vincent Archer
22/02/05, 20:45
On Sun, Feb 20, 2005 at 02:41:36PM -0600, H D Moore wrote:
> Anyone able to connect to TCP port 617 can gain read/write access to the
> filesystem of any host running the Arkeia agent software. This appears to
> be an intentional design decision on the part of the Arkeia developers. A
> long-winded description of this issue, complete with screen shots,
> demonstration code, and packet captures can found online at:
>
> - http://metasploit.com/research/arkeia_agent/

Note that, on the arkeia user list, somebody pointed out that clients
can be configured to disallow this from anybody but the server. But that's
not the default configuration, the default is "plug and play", that is, you
throw the software on the client and it works.

The relevant section is Appendix B of the user manual. It tells you how
to setup your client with the equivalent of tcp_wrapper security.

Even then, you still have a small vulnerability, in that anyone who
has access to the server system can still impersonate the arkeia software
to access the client. But you can't do that from any random machine.

--
Vincent ARCHER
varcher@denyall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com

H D Moore
22/02/05, 21:25
Just to clarify, the user manual *does* mention client security and gives
instructions for locking down the Arkeia agent. Unfortunately this is not
enabled by default and only restricts access on a per-host basis.

Appendix B: System Security (not sure how I missed this before)
ftp://ftp.arkeia.com/pub/manual/arkeia5/anb/Arkeia_User_Manual.pdf

-HD

On Sunday 20 February 2005 14:41, H D Moore wrote:
> Anyone able to connect to TCP port 617 can gain read/write access to
> the filesystem of any host running the Arkeia agent software.

Arnaud Spicht
23/02/05, 19:05
In-Reply-To: <20050222091943.GM76018@DAPCVA.da>

>On Sun, Feb 20, 2005 at 02:41:36PM -0600, H D Moore wrote:
>> Anyone able to connect to TCP port 617 can gain read/write access to the
>> filesystem of any host running the Arkeia agent software. This appears to
>> be an intentional design decision on the part of the Arkeia developers. A
>> long-winded description of this issue, complete with screen shots,
>> demonstration code, and packet captures can found online at:
>>
>> - http://metasploit.com/research/arkeia_agent/
>
>Note that, on the arkeia user list, somebody pointed out that clients
>can be configured to disallow this from anybody but the server. But that's
>not the default configuration, the default is "plug and play", that is, you
>throw the software on the client and it works.
>
>The relevant section is Appendix B of the user manual. It tells you how
>to setup your client with the equivalent of tcp_wrapper security.
>
>Even then, you still have a small vulnerability, in that anyone who
>has access to the server system can still impersonate the arkeia software
>to access the client. But you can't do that from any random machine.
>

From Appendix B of Arkeia User Manual:
There is a way to tighten client access by requiring a connection on a reserved port and using root account. The format of the auth_PROCESS.cfg file to limit access is:
<PROCESS_NAME>.* ALLOW <backup server FQDN>[1] root

For example:
ARKADMIN.* ALLOW mercury.arkeia.com[1] root

--
Arnaud Spicht
CTO - Arkeia Corp.