Bugtraq mailing list archives

Re: Arkeia Possible remote root & information leakage


From: quentyn () fotango com
Date: Sun, 19 Aug 2001 18:28:25 +0100

Erik wrote:

Ok, I'm just wondering.. I read this several times, and I don't see a
BUG. I could write all day that people should use SSH instead of telnet,
because it's all unencrypted, but that doesn't mean telnet has a bug. It's
not supposed to be secure. Neither is Arkeia. You are talking about
features.. Not bugs.

However, we all know that telnet is unencrypted; Arkeia does not make
that point on their page.
Indeed, it is the amount and quality of information that they send over
the connection that I was worried about.


The user's password is whatever they set it to. If you install it, the
instructions clearly tell you to set a password once it's installed.
Read the instructions when you install software, and you're set.

Them being able to execute remote code as root is quite possible..

it is easy, go into the advanced options and tell it to run

<lame example>

echo "r00t::0:0:root:/root:/bin/bash" >> /etc/passwd

</lame example>

after or before the backup runs 


In
fact, that's a feature of the software. Albeit a weak one, in the fact that
you can sniff the password and then send remote commands.. But the server
shouldn't be running as root, just like their instructions say.

could you point me to this?

the daemon has to run as root, as how else is it going to access the files it
needs to?

i.e. home dirs? without creating either a secondary group (with the
perms) or world readable files?




The encryption option on Arkeia is for Encrypting your actual data on the
DLT's, I do not believe it is also encrypted server/client communication,
although you can tunnel over SSH.

if this product was installed in a non secured environment there could
be a "race condition" to see who could set the password first

That's a funny way of putting it. Maybe "A race to set the password
first". Anyway, backups usually run on a dedicated backup server, which
should be configured offline anyway, right? Do you install Solaris 8 on an
Ultra 10, ON the public network, and then patch it? I hope not.

see Piranha (by Red Hat, BID something or other)

also would you install RH 6.2 on a public network? no, *you* wouldn't,
but many people do...

see the Honeynet Project results to see how long a RH 6.2 box will
survive unpatched

It is only by notifying people of these problems (here) that people realise
what they can and can not do


License Information - full set of license information is sent in the
clear (including version, serial, organization, key, expiry and type of
drive the product is licensed for).

Are you going to release an advisory for Ncftpd if people have their
general.cf readable so users can get their Registration code? Anyway, I've
never installed an Arkeia license on a client machine, so I'm not sure why
it would be being sent. I'm not saying it's not being sent,

it is sent to the gui-client (not the backup agent - haven't checked)

it is sent many times without reason


I haven't
checked.. I don't think there is any reason for it. The server knows how
many clients to let connect and how many you can configure into it, and of
what system types (licensing is platform based), and what tape drive is
attached.


That is pretty weak, and they could have done it a lot better. But again,
it's not a bug, it's just weak encryption..

so why don't they mention on their page that they use such poor
encryption?
I would want to know if this was the case

why use a constant salt?



so although you may be using passwords >8 characters for your root passwords,
Arkeia (which is a root level service) only uses 8.

Solaris = Default 8 character max

Sucks, but it's not uncommon.

but they don't mention it... (their support engineer didn't realise
this)


the license number, serial, name, No. of flows, and the key (something
that they tell you to keep safe)

No place safer than every network interface on your network! :P

I would prefer it if this information wasn't sent every time




Encryption is only for the data being written to the tapes. So upgrading
would be a waste if that is what you seek. (2x check with Arkeia)

I believe that this could be the case, so there is no way of stopping
the license et al being sent


I know this seems a little harsh, but I'm seeing all the times things
being called bugs lately, that aren't really bugs.. They are design. A
poor design perhaps, but not a bug. Some programmer decided that a weak
password was OK. And the instructions say not to run it as root, so that
solves that portion.

where does it say not to run as root? I have looked in the README and in
the NT client stuff they tell you to run it as ADMINISTRATOR....

I think that there could be conflicting documentation somewhere....



And it would also suck to have to tunnel over SSH. You couldn't make just
the control information tunnel and the normal data go regular. I wouldn't
like to try and tunnel 90Mb/min through ssh with multiple flows. SSH has a
hard enough time on a GHz processor tunneling ftp over a LAN and still
pulling good speeds. SSH just wasn't meant to do that kind of stuff.

I meant send the gui-client over SSH use the arkeia encryption method
for the actual data


-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
DMR: So fsck was originally called something else. Q: What was it
called? DMR: Well, the second letter was different.
   Dennis M. Ritchie, Usenix, June 18, 1998.

