
Arkeia Possible remote root & information leakage



During testing of Arkeia, a few security holes were discovered.

Vulnerable System: Arkeia 4.2.x, 5.2.x and 5.3.x

Details:

1. Writable directory

$ ls -ld /opt/arkeia/server/dbase/
drwxrwxrwx  10 root root 4096 gru 27 13:40 /opt/arkeia/server/dbase/

2. By default, the "root" account password is set to null

$ cat  /opt/arkeia/server/dbase/f3sec/usr.lst
ITEM    {
        "NODE"  "*"
        "PASSWORD"      ""
        "ROLE"  "ADMINISTRATOR"
        "NAME"  "root"
}

3. Password file readable by any user

$ ls -l  /opt/arkeia/server/dbase/f3sec/usr.lst
-rw-r--r--  1 root root 117 gru 27 13:59 /opt/arkeia/server/dbase/f3sec/usr.lst

4. Passwords are hashed with the crypt function using a constant salt
   (the characters "n3"), with a maximum of 8 characters per password
   See: http://seclists.org/lists/bugtraq/2001/Aug/0237.html

5. arkeiad starts by default on all computers

$ netstat -nlp | grep 617
tcp        0      0 0.0.0.0:617             0.0.0.0:* LISTEN 5570/arkeiad

arkeiad isn't needed on client-gui


Conclusion: Nothing has changed since version 4.2. See References.
Vendor informed: April, 2004
Thanks: Quentyn Taylor
References:
http://www.securityfocus.com/archive/1/205378
http://www.arkeia.com/
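
As an added example (not part of the original advisory and not vendor tooling), the following POSIX shell functions check an install for findings 1, 2, 3 and 5 above. The default root is the path shown in the advisory; the function names and finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: checks for findings 1, 2, 3 and 5 of this advisory.
# Default root is the path shown above; function names and labels are illustrative.

# Print the path if all given mode bits are set on it (POSIX find, no descent).
has_perm() { find "$1" -prune -perm "-$2" 2>/dev/null; }

# Print account names in a usr.lst-format file whose "PASSWORD" value is empty.
empty_password_accounts() {
    awk -F'"' '
        $2 == "PASSWORD" { pw = $4; seen = 1 }
        $2 == "NAME"     { name = $4 }
        /^[ \t]*[}]/     { if (seen && pw == "") print name; seen = 0; name = "" }
    ' "$1"
}

# Read `netstat -nl` style lines on stdin; print addresses listening on TCP 617.
listeners_617() {
    awk '$1 ~ /^tcp/ && $4 ~ /:617$/ && /LISTEN/ { print $4 }'
}

# Audit one install root: one finding per line, return 1 if anything was found.
audit_arkeia() {
    root=${1:-/opt/arkeia/server}
    db=$root/dbase
    users=$db/f3sec/usr.lst
    findings=0
    if [ -n "$(has_perm "$db" 0002)" ]; then
        echo "WORLD_WRITABLE_DIR $db"; findings=1
    fi
    if [ -n "$(has_perm "$users" 0004)" ]; then
        echo "WORLD_READABLE_USERFILE $users"; findings=1
    fi
    if [ -r "$users" ]; then
        for acct in $(empty_password_accounts "$users"); do
            echo "EMPTY_PASSWORD $acct"; findings=1
        done
    fi
    return "$findings"
}

# Usage: . ./audit.sh; audit_arkeia /opt/arkeia/server; netstat -nl | listeners_617
```

An empty result from `audit_arkeia` means none of the three file-level findings are present; the constant-salt hashing in finding 4 is a property of the product and is not something a permissions check can detect.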