CVE-2015-7709
Published: 2015-10-05
Priority: P183 · Severity: critical (base score 10, CVSS 2.0) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available · EPSS: 78.97% (99.5th percentile)
The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkeia 11.0.12 and earlier allows remote attackers to bypass authentication and execute arbitrary commands via a series of crafted requests involving the ARKFS_EXEC_CMD operation.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arkeia | western_digital_arkeia | <= 11.0.12 | — |
The sources disagree on the upper bound: the CVE text says 11.0.12 and earlier, the Exploit-DB title says below 11.0.12, and the Packet Storm entry is titled 11.0.13. No fixed version is recorded here, so do not treat 11.0.12 (or 11.0.13) as patched without confirmation from the vendor.
Detection & IOCs (extracted from sources)
Byte patterns quoted from the exploit module (`\x00*N` denotes N null bytes):
- Session initiation as ARKADMIN: `\x00\x41 + \x00*5 + \x73 + \x00*12 + \xc0\xa8\x02\x74 + \x00*56 + \x74\x02\xa8\xc0 + ARKADMIN\x00root\x00root\x00*3 + 4.3.0-1 + \x00*11`
- Session initiation as ARKFS: `\x00\x41\x00\x00\x00\x00\x00\x70 + \x00*12 + \xc0\xa8\x02\x8a + \x00*56 + \x8a\x02\xa8\xc0 + ARKFS\x00root\x00root\x00*3 + 4.3.0-1 + \x00*11`
- Command execution request: `\x00\x62\x00\x01\x00\x02\x00\x1b + ARKFS_EXEC_CMD + \x00\x31 + \x00*11`
Two caveats before turning these into signatures. First, the four bytes `\xc0\xa8\x02\x74` and `\xc0\xa8\x02\x8a` (each repeated byte-reversed 60 bytes later) are the IPv4 addresses 192.168.2.116 and 192.168.2.138 in network byte order, evidently private test addresses rather than protocol constants; they will differ in real traffic, so match on the fixed header bytes, the `ARKADMIN`/`ARKFS`, `root` and `4.3.0-1` strings and `ARKFS_EXEC_CMD` instead. Second, in all three packets the last two header bytes (`0x73` = 115, `0x70` = 112, `0x1b` = 27) equal the number of bytes that follow the 8-byte header, which helps distinguish framed arkeiad traffic from a stray string match elsewhere in a stream.
- Monitor TCP port 617 for connections to the arkeiad daemon; any unauthenticated connection followed by an ARKFS_EXEC_CMD operation is indicative of exploitation.
- Detect the exploit handshake by looking for the byte sequence `ARKFS_EXEC_CMD` in TCP port 617 traffic, preceded by the magic bytes `\x00\x62\x00\x01\x00\x02\x00\x1b`.
- On Windows targets, look for a randomly named executable dropped to `c:\` (8–16 random alpha characters plus `.exe`) launched via `Shell.Application` `ShellExecute`, preceded by a PowerShell `DownloadFile` invocation, the pattern used by the exploit's Windows payload delivery.
- Check for the client identifier strings `ARKADMIN` or `ARKFS` with username `root` and client version string `4.3.0-1` in TCP/617 session-initiation packets as a fingerprint of exploit-tool usage.
- The exploit targets both the Arkeia server and all backup clients; scan the entire environment for processes named `arkeiad` listening on TCP/617, not just the backup server.
- The exploit is cross-platform and achieves root/SYSTEM on Windows, Linux, OSX, FreeBSD and OpenBSD; detection and response must account for all of these platforms.
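The byte patterns and the handshake notes above can be turned into a small message parser and per-connection classifier. The following is an added example written for this page, not code from the Metasploit module or from Arkeia. The sample packets are constructed from the quoted patterns; treating the last header word as a body length, placing the identity strings at body offset 76, and the names `inspect_packet` and `classify_session` are this example's own assumptions.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample packets, assembled from the byte patterns quoted in the
# IOC list (session initiation as ARKADMIN / ARKFS, then the ARKFS_EXEC_CMD
# request). They are test input for this example, not real captures.
PKT_ARKADMIN = (b"\x00\x41" + b"\x00" * 5 + b"\x73" + b"\x00" * 12
                + b"\xc0\xa8\x02\x74" + b"\x00" * 56 + b"\x74\x02\xa8\xc0"
                + b"ARKADMIN\x00root\x00root" + b"\x00" * 3
                + b"4.3.0-1" + b"\x00" * 11)
PKT_ARKFS = (b"\x00\x41\x00\x00\x00\x00\x00\x70" + b"\x00" * 12
             + b"\xc0\xa8\x02\x8a" + b"\x00" * 56 + b"\x8a\x02\xa8\xc0"
             + b"ARKFS\x00root\x00root" + b"\x00" * 3
             + b"4.3.0-1" + b"\x00" * 11)
PKT_EXEC = (b"\x00\x62\x00\x01\x00\x02\x00\x1b" + b"ARKFS_EXEC_CMD"
            + b"\x00\x31" + b"\x00" * 11)
# A constructed message with the same framing but nothing of interest.
PKT_OTHER = b"\x00\x41\x00\x00\x00\x00\x00\x05" + b"HELLO"

HEADER = struct.Struct(">HHHH")          # 8-byte header read as four big-endian words
EXEC_MAGIC = b"\x00\x62\x00\x01\x00\x02\x00\x1b"
EXEC_OP = b"ARKFS_EXEC_CMD"
TOOL_CLIENT_IDS = (b"ARKADMIN", b"ARKFS")
TOOL_VERSION = b"4.3.0-1"


def parse_header(pkt):
    """Split one arkeiad message into header words and body.

    In all three quoted packets the last header word equals the number of
    bytes after the 8-byte header, so it is treated here as a big-endian
    body length. That is an inference from the samples, not a documented
    protocol field, so a mismatch is reported rather than treated as fatal.
    """
    if len(pkt) < HEADER.size:
        return None
    msg_type, _w1, _w2, body_len = HEADER.unpack_from(pkt)
    body = pkt[HEADER.size:]
    return {"type": msg_type, "body_len": body_len, "body": body,
            "len_ok": body_len == len(body)}


def inspect_packet(pkt):
    """Return findings for one client-to-server message on TCP/617."""
    hdr = parse_header(pkt)
    findings = {"exec_cmd": False, "tool_fingerprint": False,
                "client_id": None, "user": None, "version": None,
                "embedded_ipv4": None,
                "len_ok": hdr["len_ok"] if hdr else False}
    if hdr is None:
        return findings
    body = hdr["body"]

    # Exploit step 3: ARKFS_EXEC_CMD behind the exact header quoted in the IOCs.
    if pkt.startswith(EXEC_MAGIC) and body.startswith(EXEC_OP):
        findings["exec_cmd"] = True
    elif EXEC_OP in pkt:
        findings["exec_cmd"] = True   # same operation under another header: still worth triage

    # Exploit steps 1-2: session initiation. In both quoted packets the body is
    # 12 nulls, a 4-byte IPv4 address, 56 nulls, the same 4 bytes reversed, and
    # then NUL-separated strings from offset 76. The address is the exploit
    # author's test host and varies per attacker, so it is extracted for
    # context only and never matched on.
    if hdr["type"] == 0x41 and len(body) > 76:
        raw_ip = body[12:16]
        if raw_ip == body[72:76][::-1] and raw_ip != b"\x00" * 4:
            findings["embedded_ipv4"] = str(IPv4Address(raw_ip))
        fields = [f for f in body[76:].split(b"\x00") if f]
        if len(fields) >= 4:
            findings["client_id"] = fields[0].decode("ascii", "replace")
            findings["user"] = fields[1].decode("ascii", "replace")
            findings["version"] = fields[3].decode("ascii", "replace")
            if (fields[0] in TOOL_CLIENT_IDS and fields[1] == b"root"
                    and fields[3] == TOOL_VERSION):
                findings["tool_fingerprint"] = True
    return findings


def classify_session(packets):
    """Fold per-packet findings over one connection's messages, in order.

    exploit      : exploit-tool fingerprint followed by ARKFS_EXEC_CMD
    exec_only    : ARKFS_EXEC_CMD without the fingerprinted initiation first
    fingerprint  : exploit-tool identity seen, no command request yet
    clean        : nothing of note
    """
    seen_fp = False
    for pkt in packets:
        f = inspect_packet(pkt)
        if f["exec_cmd"]:
            return "exploit" if seen_fp else "exec_only"
        seen_fp = seen_fp or f["tool_fingerprint"]
    return "fingerprint" if seen_fp else "clean"


if __name__ == "__main__":
    for name, pkt in [("ARKADMIN", PKT_ARKADMIN), ("ARKFS", PKT_ARKFS),
                      ("EXEC", PKT_EXEC), ("OTHER", PKT_OTHER)]:
        print(name, inspect_packet(pkt))
    print(classify_session([PKT_ARKADMIN, PKT_ARKFS, PKT_EXEC]))
```

Feed it the client-to-server payloads of one TCP/617 connection in order (for example reassembled from a pcap). It reports `exploit` only when the tool fingerprint precedes `ARKFS_EXEC_CMD`, and `exec_only` for a command request without that preamble; the latter still deserves triage, because the daemon itself does not require authentication before honouring the operation.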
No detection rules found.
Exploit-DB: Western Digital Arkeia < 11.0.12 - Remote Code Execution (Metasploit), EDB-ID 37600, published 2015-07-13.
Module header as quoted on Exploit-DB (the quote is cut off at `'Stance'`):
```ruby
      'Name'        => 'Western Digital Arkeia Remote Code Execution',
      'Description' => %q{
        This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below.
        The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are
        insufficient checks on the authentication of all clients, this can be bypassed.
        Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or
        SYSTEM privileges.
        The daemon is installed on both the Arkeia server as well on all the backup clients. The module
        has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
      },
      'Author'      =>
        [
          'xistence ' # Vulnerability discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
        ],
      'Privileged'  => true,
      'Stance'
```
Metasploit: exploit/multi/misc/arkeia_agent_exec (Western Digital Arkeia Remote Code Execution)
This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are insufficient checks on the authentication of all clients, this can be bypassed. Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or SYSTEM privileges. The daemon is installed on both the Arkeia server as well on all the backup clients. The module has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
No writeups or analysis indexed.
References
- http://www.rapid7.com/db/modules/exploit/multi/misc/arkeia_agent_exec
- https://packetstormsecurity.com/files/132660/Western-Digital-Arkeia-11.0.13-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/37600/