Re: Knox Arkeia remote root/system exploit

From: H D Moore (sflist_at_digitaloffense.net)
Date: 02/20/05

    To: bugtraq@securityfocus.com
    Date: Sun, 20 Feb 2005 07:07:51 -0600

    The Metasploit project has released two exploits for this flaw:
     http://metasploit.com/projects/Framework/exploits.html#arkeia_type77_win32
     http://metasploit.com/projects/Framework/exploits.html#arkeia_type77_macos

    The win32 exploit has targets for every version of Arkeia between 4.2 and
    5.3.3. The macos exploit should work across a large range of versions
    with no modifications. Both of these exploits have the capability to
    dump the remote system information and Arkeia version[1].

    This bug looks difficult or even impossible to exploit on the Solaris
    64-bit platform; the main() function calls exit()[2] before the final
    return to the overwritten stack pointer. It may be possible to use one of
    the local variable overwrites to an advantage, but at first glance it
    seems unlikely.

    -HD

    1. There are worse problems here than stack overflows...
    2. It actually calls doexit() which in turn calls exit()

    On Friday 18 February 2005 10:29, John Doe wrote:
    > /*
    > * Knox Arkeia Server Backup
    > * arkeiad local/remote root exploit
    > * Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE
    > * Works up to current version 5.3.x
    > [ snip ]
    > */

