Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Published: 1999-09-23
Updated: 2016-10-18
Summary
Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia backup product allows local users to obtain root access via a long HOME environmental variable.
Vulnerable Configurations
Exploit-Db
| description | Knox Software Arkeia 4.0 Backup rnavc & nlserverd HOME Environment Variable Buffer Overflow. CVE-1999-1534. Local exploit for linux platform |
| id | EDB-ID:19511 |
| last seen | 2016-02-02 |
| modified | 1999-09-26 |
| published | 1999-09-26 |
| reporter | Brock Tellier |
| source | https://www.exploit-db.com/download/19511/ |
| title | Knox Software Arkeia 4.0 Backup Local Overflow |
Nessus
| NASL family | Misc. |
| NASL id | ARKEIA.NASL |
| description | It was possible to overflow a buffer in the Knox |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 10018 |
| published | 1999-09-28 |
| reporter | This script is Copyright (C) 1999-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/10018 |
| title | Knox Arkeia Backup Service Buffer Overflow |
| code | #
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(10018);
script_version("1.31");
script_cvs_date("Date: 2018/06/27 18:42:26");
script_cve_id("CVE-1999-1534");
script_bugtraq_id(661);
script_name(english:"Knox Arkeia Backup Service Buffer Overflow");
script_summary(english:"Arkeia Buffer Overflow");
script_set_attribute(attribute:"synopsis", value:
"The remote host is running a backup service which is affected by a
local buffer overflow vulnerability.");
script_set_attribute(attribute:"description", value:
"It was possible to overflow a buffer in the Knox's Arkeia server.
This problem allows an attacker to perform a denial of service attack
and to gain root using the remote service if the attacker is local.");
script_set_attribute(attribute:"solution", value:"There is no known solution at this time.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"1999/09/23");
script_set_attribute(attribute:"plugin_publication_date", value:"1999/09/28");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_MIXED_ATTACK); # mixed
script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
script_family(english:"Misc.");
script_dependencie("arkeia_default_account.nasl");
script_require_keys("Settings/ParanoidReport");
script_require_ports(617);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
if (report_paranoia < 2) audit(AUDIT_PARANOID);
port = 617;
version = get_kb_item("arkeia-client/617");
if ( ! version ) exit(0);
if ( !ereg(pattern:"^[0-4]\.", string:version) ) exit(0);
if(safe_checks())
{
security_hole(port);
exit(0);
}
if(get_port_state(port))
{
data = crap(10000);
soc = open_sock_tcp(port);
if(soc > 0)
{
send(socket:soc, data:data);
close(soc);
sleep(2);
soc2 = open_sock_tcp(port);
if(!soc2)security_hole(port);
else close(soc2);
}
}
|