CVE-2005-0491
Published 2005-05-02
CVE-2005-0491: Stack-based buffer overflow in Knox Arkeia Server Backup 5.3.x allows remote attackers to execute arbitrary code via a long type 77 request.
Priority P259 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 64.90% (99.1th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| knox_software | arkeia_server_backup | — | — |
Detection & IOCs (extracted from sources)
bytes: \x00\x4d\x00\x03\x00\x01\xff\xff
- The exploit sends a type 77 request (0x4d) to TCP port 617 (arkeiad). Detect it by inspecting the 8-byte packet header: the first two bytes are 0x00 0x4d (type 77), followed by 0x00 0x03 0x00 0x01, with an oversized length field (e.g. 0xff 0xff or another large value) indicating an overflow attempt.
- The exploit uses a two-stage attack: it first sends a large NOP sled + shellcode packet (up to 20000 bytes) to port 617 to prime the heap, then sends the overflow packet. Anomalously large payloads to TCP/617 should be flagged.
- After successful Linux exploitation, the attacker connects to the victim on TCP port 5074 (portbind shellcode). Monitor for unexpected inbound connections on port 5074.
- After successful Windows exploitation, the attacker connects to the victim on TCP port 80 for a reverse/bind shell. Monitor arkeiad.exe for unexpected outbound or inbound connections on port 80.
- The vulnerable process is arkeiad.exe on Windows. Monitor this process for spawning cmd.exe or other child processes, which would indicate successful exploitation.
- The Metasploit check function fingerprints vulnerable Arkeia versions via an info request before exploitation. Detect reconnaissance by monitoring for Arkeia info-gathering requests to TCP/617 from external hosts.
- The overflow packet's data length field is set to 0xffff in the header for the Mac OS X Metasploit module, but the actual data sent is 1200 bytes. The length field in the header may vary across exploit implementations; detection should focus on the type byte (0x4d) and oversized data rather than a fixed length value.
- The vulnerability affects all Arkeia versions up to and including 5.3.3 across Linux, Mac OS X, and Windows platforms. Version checks in the Metasploit modules match versions 4.x and 5.0–5.3.3.
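The header checks described in the notes above can be expressed as a small classifier for client-to-server payloads captured on TCP/617. This is an added example, not a rule from this page's sources: the function and finding names, the two size thresholds, and the sample payloads are assumptions constructed for illustration, and the 16-bit big-endian field layout is inferred from the header bytes quoted above.

```python
import struct

ARKEIA_PORT = 617                  # arkeiad TCP port named in the notes above
TYPE_77 = 0x004D                   # request type 77
HEADER = struct.Struct(">HHHH")    # type, two 16-bit fields, data length (8 bytes)
TYPE77_MAX_DATA = 64               # assumption: tune against baseline traffic
LARGE_PAYLOAD = 4096               # assumption: size at which any payload is flagged


def inspect_payload(payload: bytes) -> list:
    """Return finding names for one client-to-server payload on TCP/617."""
    findings = []
    if len(payload) >= LARGE_PAYLOAD:
        findings.append("large-payload")
    if len(payload) < HEADER.size:
        return findings
    msg_type, _field1, _field2, declared = HEADER.unpack_from(payload)
    if msg_type != TYPE_77:
        return findings
    actual = len(payload) - HEADER.size
    # Check declared and actual sizes separately: the notes above point out
    # that the header length field is not reliable across implementations.
    if declared > TYPE77_MAX_DATA:
        findings.append("type77-oversized-declared-length")
    if actual > TYPE77_MAX_DATA:
        findings.append("type77-oversized-data")
    if declared != actual:
        findings.append("type77-length-mismatch")
    return findings


# Constructed sample payloads (filler bytes only, not captured traffic).
SAMPLES = {
    "short_type77": HEADER.pack(TYPE_77, 3, 1, 16) + b"A" * 16,
    "page_header_1200": b"\x00\x4d\x00\x03\x00\x01\xff\xff" + b"A" * 1200,
    "bulk_other_type": HEADER.pack(0x0001, 0, 0, 0) + b"A" * 20000,
}


def scan_samples() -> dict:
    return {name: inspect_payload(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, found or ["clean"])
```

On reassembled streams a length mismatch alone can come from segmentation, so it is best treated as supporting evidence next to the size findings.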
No detection rules found.
Exploit-DB
Knox Arkeia Backup Client Type 77 (Windows x86) - Remote Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: type77.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Arkeia Backup Client Type 77 Overflow (Win32)',
'Description' => %q{
This module exploits a stack buffer overflow in the Arkeia backup
client for the Windows platform. This vulnerability affects
all versions up to and including 5.3.3.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2005-0491' ]
Exploit-DB
Knox Arkeia Backup Client Type 77 (OSX) - Remote Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: type77.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
'Description' => %q{
This module exploits a stack buffer overflow in the Arkeia backup
client for the Mac OS X platform. This vulnerability affects
all versions up to and including 5.3.3 and has been tested
with Arkeia 5.3.1 on Mac OS X 10.3.5.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revisi
Exploit-DB
Knox Arkeia Backup Client 5.3.3 Type 77 (OSX) - Overflow (Metasploit)
exploitdb·2005-02-18
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
'Description' => %q{
This module exploits a stack overflow in the Arkeia backup
client for the Mac OS X platform. This vulnerability affects
all versions up to and including 5.3.3 and has been tested
with Arkeia 5.3.1 on Mac OS X 10.3.5.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-0491'],
[
Exploit-DB
Knox Arkeia Server Backup 5.3.x - Remote Code Execution
exploitdb·2005-02-18
---
/*
* Knox Arkiea Server Backup
* arkiead local/remote root exploit
* Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE
* Works up to current version 5.3.x
*
* ---------------
*
* Linux x86:
* ./arksink2
*
* Exports an xterm to the box of your choosing. Make sure to "xhost +" on
* the box you're exporting to.
*
* A stack overflow is in the processing of a type 77 request. EIP is actually
* overwritten at 64 bytes, but the trailing NULL scrambled a pointer so we
* have to write past EIP and insert a "safe" value. Put this value behind your
* NOP+sc return address so it doesn't mess with the sled.
*
* Since the buffer is so small, we initially send an invalid packet that ends
* up on the heap a second before the
Exploit-DB
Knox Arkeia Pro 5.1.12 - Backup Remote Code Execution
exploitdb·2003-09-20
---
/*
* Knox Arkiea arkiead local/remote root exploit.
*
* Portbind 5074 shellcode
*
* Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
*
* NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
* A previous request forces a large allocation of NOP's + shellcode in heap
* memory. Find additional targets by searching the heap for NOP's after a
* crash. safeaddr must point to any area of memory that is read/writable
* and won't mess with program/shellcode flow.
*
* ./ark_sink host targetnum
* [user@host dir]$ ./ark_sink 192.168.1.2 1
* [*] Connected to 192.168.1.2:617
* [*] Connected to 192.168.1.2:617
* [*] Sending nops+shellcode
* [*] Done, sleeping
* [*] Sending overflow
* [*] Done
* [
Metasploit
Arkeia Backup Client Type 77 Overflow (Mac OS X)
metasploit
This module exploits a stack buffer overflow in the Arkeia backup client for the Mac OS X platform. This vulnerability affects all versions up to and including 5.3.3 and has been tested with Arkeia 5.3.1 on Mac OS X 10.3.5.
Metasploit
Arkeia Backup Client Type 77 Overflow (Win32)
metasploit
This module exploits a stack buffer overflow in the Arkeia backup client for the Windows platform. This vulnerability affects all versions up to and including 5.3.3.
http://marc.info/?l=bugtraq&m=110887325425794&w=2
http://secunia.com/advisories/14327
http://www.securityfocus.com/bid/12594
https://exchange.xforce.ibmcloud.com/vulnerabilities/19398
2005-05-02
Published