Seagate NAS Remote Code Execution Vulnerability
Security researcher OJ Reeves discovered a remote code execution vulnerability in Seagate NAS devices and reported it to Seagate on October 7, 2014. The vulnerability had still not been fixed 130 days later, so he has now released the full details.
Overview
Seagate Technology Corp. is currently the world's largest manufacturer of hard drives, disks, and read/write heads. Its NAS line aimed at business users is called Business Storage 2-Bay NAS, and in many cases these devices are exposed directly to the Internet.
The vulnerability affects firmware version 2014.00319 (earlier versions are affected as well; see the list at the end). An attacker needs no credentials: commands can be executed remotely on the device with root privileges.
Vulnerability details
Seagate NAS has a web-based management interface. After logging on, an administrator can add users, configure access control, manage files, and so on.
The web stack consists of:
PHP 5.2.13
CodeIgniter 2.1.0
Lighttpd 1.4.28
These are all very old versions. PHP 5.2 (anything before 5.3.4) truncates file paths at a null byte, so an include() whose path is partly user-controlled can be pointed at an arbitrary file. CodeIgniter versions before 2.2.0 use a weak encryption scheme for the session cookie that lets an attacker recover the encryption key from an encrypted cookie (CVE-2014-8686); the decrypted cookie is then passed to unserialize(), which opens the door to PHP object injection. On top of that, every CodeIgniter installation is supposed to use its own encryption key, but all of Seagate's NAS devices ship with the same hard-coded key, so a key recovered from one device works against every other device.
CodeIgniter stores the session on the client side, inside the cookie, and the NAS firmware keeps the following fields in it:
username: a string holding the name of the user for the current session
is_admin: a string, either "yes" or "no", which decides whether the current user is an administrator
language: a string selecting the current user's interface language
Once the session cookie is accepted and it contains a username value, the system performs no further verification of the user's credentials. Anyone who can control this value therefore bypasses the login mechanism completely.
The is_admin field lets that user escalate to administrator privileges simply by setting it to "yes".
The language value is used to build the path of the PHP language file that gets included. Because it comes straight from the cookie, this is a local file inclusion vulnerability.
Exploiting the vulnerability
Turning this into remote code execution as root is not difficult. The key steps are as follows:
1. The attacker needs PHP code in a file on the NAS file system. Any of the following works:
Poison the HTTP access log by sending the code in the User-Agent header
Poison the HTTP error log by sending the code in the Host header
Change the device description in the web interface, which writes the attacker-controlled string to /etc/devicedesc
Upload a file to a share that is reachable without authentication
2. Set the language value in the session cookie to a path that reaches that file, terminated with a null byte (%00) so that the fixed suffix PHP appends to the include path is cut off.
3. Send a request to the device with the forged cookie; the included file runs, and the attacker's commands execute as root.
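The following is an added worked example, not code from the original advisory, from OJ Reeves' exploit, or from Seagate's firmware. It covers both the session fields described above and the exploit chain just listed: it builds the plaintext of a forged CodeIgniter session (username, is_admin, language), shows how PHP's null-byte truncation turns the language value into an arbitrary include, contrasts that with a loader that keeps identity, privilege and language server-side, and finishes with a small detector for the log poisoning used in step 1. The language directory layout (LANG_DIR and the _lang.php suffix), the ALLOWED_LANGS whitelist, and the sample log lines are assumptions for illustration, not facts about the firmware. The encryption of the cookie under the shared firmware key is deliberately left out; the script only produces the plaintext the cookie decrypts to.

```python
"""Added example (not from the advisory or the firmware): CodeIgniter-style
client-side session as trusted by the NAS, the resulting LFI, a hardened
server-side loader, and a log-poisoning check. LANG_DIR, the '_lang.php'
suffix, ALLOWED_LANGS and the log lines are assumptions, not firmware facts."""
import os
import re
from typing import Dict, List, Optional

LANG_DIR = "/var/www/application/language"        # assumed layout
ALLOWED_LANGS = {"english", "german", "french"}  # illustrative whitelist


def php_serialize(data: Dict[str, str]) -> bytes:
    """serialize() of a flat PHP array of strings; lengths are byte counts."""
    out = bytearray(b"a:%d:{" % len(data))
    for k, v in data.items():
        for s in (k.encode(), v.encode()):
            out += b's:%d:"%s";' % (len(s), s)
    out += b"}"
    return bytes(out)


def php_unserialize_flat(blob: bytes) -> Dict[str, str]:
    """Inverse of php_serialize(); relies on the length prefixes, so NUL bytes
    and quotes inside values are handled the way PHP handles them."""
    m = re.match(rb"a:(\d+):\{", blob)
    if not m:
        raise ValueError("not a serialized array")
    pos, items = m.end(), []
    while blob[pos:pos + 1] != b"}":
        m = re.match(rb's:(\d+):"', blob[pos:])
        if not m:
            raise ValueError("bad element at offset %d" % pos)
        start = pos + m.end()
        end = start + int(m.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError("length prefix does not match data")
        items.append(blob[start:end].decode())
        pos = end + 2
    return dict(zip(items[::2], items[1::2]))


def forge_session(username: str, language: str, is_admin: str = "yes") -> bytes:
    """Plaintext of a cookie that bypasses login (username), escalates
    (is_admin) and steers the include (language) in one request."""
    return php_serialize({"username": username, "is_admin": is_admin,
                          "language": language})


def vulnerable_include_path(lang: str, php_truncates_on_nul: bool = True) -> str:
    """Path a CI-style loader builds from the session's language value.
    PHP before 5.3.4 (the NAS ships 5.2.13) stops at the first NUL byte, which
    discards the fixed suffix and lets '../' reach any file on the device."""
    path = f"{LANG_DIR}/{lang}/messages_lang.php"  # suffix is an assumption
    if php_truncates_on_nul and "\x00" in path:
        path = path[: path.index("\x00")]
    return os.path.normpath(path)


def safe_language_path(lang: str) -> str:
    """Whitelist rather than sanitise: NUL, '/' or '..' can never reach include()."""
    if lang not in ALLOWED_LANGS:
        lang = "english"
    return f"{LANG_DIR}/{lang}/messages_lang.php"


def hardened_session(cookie: bytes, server_sessions: Dict[str, dict]) -> Optional[dict]:
    """Fixed loader: the cookie carries only an opaque session id; identity,
    privilege and language come from the server-side record. Any username,
    is_admin or language the client puts in the cookie is ignored."""
    fields = php_unserialize_flat(cookie)
    sess = server_sessions.get(fields.get("session_id", ""))
    if sess is None:
        return None  # unknown or forged id: treat the request as unauthenticated
    return {"username": sess["username"], "is_admin": bool(sess["is_admin"]),
            "language_path": safe_language_path(sess["language"])}


PHP_TAG = re.compile(rb"<\?(php|=)", re.I)


def find_log_poisoning(lines: List[bytes]) -> List[int]:
    """Indexes of log lines carrying a PHP open tag, i.e. the User-Agent or
    Host header poisoning used in step 1 of the chain."""
    return [i for i, line in enumerate(lines) if PHP_TAG.search(line)]


# Constructed sample lines in lighttpd's default access-log layout (not real).
SAMPLE_ACCESS_LOG = [
    b'10.0.0.5 nas.local - [01/Mar/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    b'10.0.0.9 nas.local - [01/Mar/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    b'"<?php system($_GET[\'c\']); ?>"',
]

if __name__ == "__main__":
    cookie = forge_session("admin", "../../../../etc/devicedesc\x00")
    print(cookie)
    print(vulnerable_include_path(php_unserialize_flat(cookie)["language"]))
    print(find_log_poisoning(SAMPLE_ACCESS_LOG))
```

The design point is in hardened_session: the cookie is reduced to an opaque identifier, so there is nothing in it worth forging even if the shared encryption key leaks, and the language value is checked against a whitelist instead of being cleaned up, so the null-byte trick has nothing to cut.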
Exploit code
Metasploit module
Python script
Metasploit exploitation
Affected firmware versions
2014.00319
2013.60311