CVE-2005-0491
published 2005-05-02

CVE-2005-0491: Stack-based buffer overflow in Knox Arkeia Server Backup 5.3.x allows remote attackers to execute arbitrary code via a long type 77 request.

Priority: P2, 59, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 64.90% (99.1th percentile)

Affected

9 ranges, all for vendor knox_software, product arkeia_server_backup (the version-range and fixed-in columns were not captured in this record).

Detection & IOCs (extracted from sources)

  • port: 617
  • port: 5074
  • process: arkeiad.exe
  • bytes: \x00\x4d\x00\x03\x00\x01\xff\xff
  • The exploit sends a type 77 request (0x4d) to TCP port 617 (arkeiad). Detect by inspecting the 8-byte packet header: first two bytes 0x00 0x4d (type 77), followed by 0x00 0x03 0x00 0x01, with an oversized length field (e.g. 0xff 0xff or large value) indicating an overflow attempt.
  • The exploit uses a two-stage attack: first sends a large NOP sled + shellcode packet (up to 20000 bytes) to port 617 to prime the heap, then sends the overflow packet. Anomalously large payloads to TCP/617 should be flagged.
  • After successful Linux exploitation, the attacker connects back to the victim on TCP port 5074 (portbind shellcode). Monitor for unexpected inbound connections on port 5074.
  • After successful Windows exploitation, the attacker connects to the victim on TCP port 80 for a reverse/bind shell. Monitor arkeiad.exe for unexpected outbound or inbound connections on port 80.
  • The vulnerable process is arkeiad.exe on Windows. Monitor this process for spawning cmd.exe or other child processes, which would indicate successful exploitation.
  • The Metasploit check function fingerprints vulnerable Arkeia versions via an info request before exploitation. Detect reconnaissance by monitoring for Arkeia info-gathering requests to TCP/617 from external hosts.
  • The overflow packet data length field is set to 0xffff in the header for the Mac OS X Metasploit module, but the actual data sent is 1200 bytes. The length field in the header may vary across exploit implementations; detection should focus on the type byte (0x4d) and oversized data rather than a fixed length value.
  • The vulnerability affects all Arkeia versions up to and including 5.3.3 across Linux, Mac OS X, and Windows platforms. Version checks in the Metasploit modules match versions 4.x and 5.0–5.3.3.
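The header inspection described in the detection notes above, as an added example that is not part of this record or of any vendor or Metasploit code. It parses the 8-byte arkeiad request header (2-byte big-endian type, two further 16-bit fields, 2-byte length), flags type 77 requests whose declared or actual payload is oversized, and separately flags very large payloads to TCP/617 of any type (the staging packet). The thresholds MAX_SANE_LEN and SLED_THRESHOLD and the treatment of bytes 3-6 as two 16-bit fields are assumptions, not values from the advisory; the sample packets are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ARKEIA_PORT = 617          # arkeiad listener named in the detection notes
TYPE_77 = 0x4D             # request type carried in the first two header bytes

# Assumed thresholds (not from the advisory): a legitimate type 77 request is
# expected to carry a small body; anything above MAX_SANE_LEN is suspect, and
# any packet above SLED_THRESHOLD is treated as possible shellcode staging.
MAX_SANE_LEN = 1024
SLED_THRESHOLD = 8192

# Header layout assumed here: type, field A, field B, declared length, all
# big-endian 16-bit. The record only shows the raw bytes 00 4d 00 03 00 01 ff ff.
HEADER = struct.Struct("!HHHH")


@dataclass
class Verdict:
    msg_type: Optional[int]
    declared_len: Optional[int]
    actual_len: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_arkeia_packet(payload: bytes) -> Verdict:
    """Inspect one TCP payload sent to arkeiad and return a verdict."""
    actual_len = len(payload)
    if actual_len < HEADER.size:
        # Too short to carry the 8-byte header; nothing to judge.
        return Verdict(None, None, actual_len)

    msg_type, _field_a, _field_b, declared_len = HEADER.unpack_from(payload)
    body_len = actual_len - HEADER.size
    verdict = Verdict(msg_type, declared_len, actual_len)

    if msg_type == TYPE_77:
        # Focus on the type byte plus oversized data, not a fixed length value,
        # because the declared length differs between exploit implementations.
        if declared_len > MAX_SANE_LEN:
            verdict.reasons.append(
                f"type 77 request declares {declared_len} bytes (> {MAX_SANE_LEN})")
        if body_len > MAX_SANE_LEN:
            verdict.reasons.append(
                f"type 77 request carries {body_len} body bytes (> {MAX_SANE_LEN})")

    if actual_len > SLED_THRESHOLD:
        verdict.reasons.append(
            f"oversized payload of {actual_len} bytes to arkeiad (possible staging packet)")
    return verdict


def scan_stream(packets: List[bytes]) -> List[str]:
    """Run every captured payload through the inspector and collect alert lines."""
    alerts = []
    for index, payload in enumerate(packets):
        verdict = inspect_arkeia_packet(payload)
        for reason in verdict.reasons:
            alerts.append(f"packet {index} -> tcp/{ARKEIA_PORT}: {reason}")
    return alerts


# Constructed sample payloads (not captured traffic).
BENIGN = b"\x00\x4d\x00\x03\x00\x01\x00\x10" + b"A" * 16       # small type 77 request
OVERFLOW = b"\x00\x4d\x00\x03\x00\x01\xff\xff" + b"\x90" * 1200  # header from the record, 1200-byte body
STAGING = b"\x90" * 20000                                       # large sled-sized blob, not type 77

if __name__ == "__main__":
    for line in scan_stream([BENIGN, OVERFLOW, STAGING]):
        print(line)
```

The inspector is deliberately keyed on the type value and the size of the data rather than on the literal `ff ff` length bytes, which is the point the detection notes make about the Mac OS X module; a rule that matched only `\x00\x4d\x00\x03\x00\x01\xff\xff` would miss an implementation that wrote a different length into the header.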