[38170] in bugtraq
Arkeia Possible remote root & information leakage
daemon@ATHENA.MIT.EDU (Maciej Bogucki)
Wed Jan 12 11:55:26 2005
Message-ID: <41E5465E.4030909@artegence.com>
Date: Wed, 12 Jan 2005 16:46:38 +0100
From: Maciej Bogucki <maciej.bogucki@artegence.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
During the testing of arkeia a few security holes has been discovered.
Vulnerable System: Arkeia 4.2.x, 5.2.x and 5.3.x
Details:
1. Writable directory
$ ls -ld /opt/arkeia/server/dbase/
drwxrwxrwx 10 root root 4096 gru 27 13:40 /opt/arkeia/server/dbase/
2. Default the "root" account password is set to null
$ cat /opt/arkeia/server/dbase/f3sec/usr.lst
ITEM {
"NODE" "*"
"PASSWORD" ""
"ROLE" "ADMINISTRATOR"
"NAME" "root"
}
3. Password file readable by any user
$ ls -l /opt/arkeia/server/dbase/f3sec/usr.lst
-rw-r--r-- 1 root root 117 gru 27 13:59
/opt/arkeia/server/dbase/f3sec/usr.lst
4. password is hashed with the crypt function with a constant salt
( the characters "n3" ) - 8 character passwords maximum
See: http://seclists.org/lists/bugtraq/2001/Aug/0237.html
5. arkeiad is starting default on all computers
$ netstat -nlp | grep 617
tcp 0 0 0.0.0.0:617 0.0.0.0:* LISTEN 5570/arkeiad
arkeiad isn't needed on client-gui
Conclusion: Nothing has changed since version 4.2. See References.
Vendor informed: April, 2004
Thanks: Quentyn Taylor
References:
http://www.securityfocus.com/archive/1/205378
http://www.arkeia.com/
