Orico nas Network Storage Server Remote Arbitrary Command Execution and other vulnerabilities

Orico nas Network Storage Server Remote Arbitrary Command Execution and other vulnerabilities

ORICO Technologies Co ., ltd. (Shenzhen yuanchuang times Technology Co., Ltd.) is a world-leading manufacturer of computer/Digital peripheral products. Its ORICO brand is based on the original design concept of "easy you pc, this makes it easy for you to enjoy the digital age of technology and add more fun to your laptop, PC desktop, tablet, smartphone, and other terminal devices! You can enjoy the various computer and digital accessory products that ORICO brings to you! ORICO is committed to providing innovative and easy-to-use user experiences for users of computer, digital, and smart terminal products. ORICO owns complete product R & D, mold manufacturing, injection molding, metal stamping, production assembly, marketing service, and professional product R & D and production industry chain, we can provide innovative products that meet user needs in real time, effectively and quickly. ORICO has the most comprehensive computer/Digital peripheral peripherals and accessories, including storage, network, WIFI, Bluetooth, USB peripherals, computers, smart phones, and other products, we also provide OEM/ODM services for industry-renowned enterprises.
Orico nas network storage server has the remote arbitrary command execution vulnerability.

This vulnerability can be used to kill all NAS devices of ORICO, including 3529NAS, 3529U3RF, 3549NAS, 3549U3RF, 3559NAS, 3559U3RF, NTG-LU, 7618NAS, 7618U3RF, etc, the latest firmware version is available on the official website)

The vulnerability is caused by the absence of necessary identity authentication for a code, which allows any visitor to remotely execute arbitrary commands using its design error.

The vast majority of php pages on the WEB management interface of orico nas perform the necessary authentication on the header. The Code is as follows:
 

     /* Check Login */    include_once('php/html/check.login.php');

Check. login. php code:
 

  if (empty($_COOKIE['PHPSESSID'])){     session_set_cookie_params(14400);     session_start();}else{     session_start();     setcookie("PHPSESSID", session_id(), time() + 14400);}if(session_is_registered('login') && $_SESSION['login'] != '') {    } else {    header("location:/webman/login.php");exit();}?>

When a visitor without legal identity authentication accesses a protected page, because the login variable in the session does not have a value, the visitor will be redirected directly to the login. php page and cannot continue to access sensitive content.

However, this check item is missing in the/webman/php/html/login. base. php file, which causes the bastion host to be cracked. The login. base. php code is as follows:
 

 $action = $_GET['action'];if ($action == 'login') {    $username = $_GET['username'];    $password = $_GET['password'];    $clienttime = $_GET['clienttime'];    $execcmd = '/etc/rc.d/CheckUser.sh -u ' . $username . ' -p ' . $password;    $result = exec($execcmd);    if($result == 'pass') {    $execcmd = '/bin/date -u -s '.$clienttime;        exec($execcmd);        session_start();        setcookie("PHPSESSID", session_id(), time() + 30);        $_SESSION['login'] = $username;        ……        echo 'success';    } else {        echo 'failure';    }}?>

It can be seen from the code that there is no identity check procedure on the page. The username, password, and clienttime variables entered by the user are not filtered as necessary. As a result, any visitor can inject commands using the preceding three variables, bring the following exec function to cause remote command execution.

The execution of Common commands has been discussed in many cases. I will not explain it too much here, so it is not a problem to perform file upload/download or Intranet scanning, here we only perform an interesting test. In the above Code, we noticed such a comparison statement:
 

$result = exec($execcmd);    if($result == 'pass') {

Obviously, the original intention of this Code is that after the content in the $ execcmd variable is executed by the system, if the returned result is "pass", it indicates that the identity authentication is passed, and the subsequent code can be executed, however, because of the special features of Command Injection and exec functions, we can easily obtain legal identities without a password. We know that, the Return Value of the exec function is the last line after system execution. Therefore, you only need to set the output line content to "pass" in the injection command to obtain a session recognized by the system, for details, refer to the test code section below. If username is admin, the obtained seesion has the Administrator permission and the system recognizes the Administrator session, we can access/webman/index normally. on the php page, you can perform any NAS operation. If you want to view the file, you can view the file. If you want to modify the configuration, you can change the configuration. If you want to shut down the instance, you can upgrade the firmware to a fixed level.



Code auditing on all pages in the document path found that there are multiple Command Injection Vulnerabilities. However, these pages are not vulnerable due to identity checks, you must have a valid Administrator identity. For example,/webman/php/html/03. base. php:
 

 include_once ('check.login.php');if( $_SESSION['login'] != 'admin'){   header("location:/webman/login.php");   exit();}$action = $_GET['action'];if($action == 'saveUser'){    $userRowData = $_GET['rowData'];    if($userRowData[1] != null && $userRowData[1] != ''){        $execcmd = '/etc/rc.d/SetUserAccount.sh -u ' . $userRowData[0] . ' -p ' . $userRowData[1];        $result = exec($execcmd);    }

There are many other places to call the exec function in this way. The user input is spliced into the $ execcmd variable without any check and filtering, and will not be listed here.



Although normal users cannot execute commands, there is a Arbitrary File Download Vulnerability in/webman/php/html/downloadFile. php does not filter input file paths. You can use .. /To obtain any sensitive files. The page code is as follows:
 

 include_once ('check.login.php');$filename=stripslashes($_GET["fileName"]);   $file=$_GET["src"]; $absolutepath="/mnt/sda1/home/" . $_SESSION['login'];if(strncmp($file,$absolutepath,strlen($absolutepath))!= 0){  header("location:/webman/login.php");  exit();}$newString = str_replace("*","/",$file);$createPath = $newString;$createPath = stripslashes($newString);header("Content-type: application/octet-stream");$sendfile_file  =   str_replace( ',' , '%2c' , rawurlencode($createPath)); header('Content-Disposition: attachment; filename="'.$filename.'"');header("X-Sendfile2: $sendfile_file 0-");?>

The above path detection is very simple. Only judge strncmp ($ file, $ absolutepath, strlen ($ absolutepath ))! = 0. You only need to set the first part of $ _ GET ["src"] to [/mnt/sda1/home/username/] to conform to the conditions, and you can add any ... This should be a common bypass method, which is not explained in detail here.

Proof of vulnerability:

Enter the URL in the following test code in the address bar of the browser. If success is displayed on the obtained page, the attack is successful. You can enter http: // hostname/webman/index. php in the address bar for management.

Example: (they are all searched online and cannot survive at all times)

223.18.195.185

220.246.142.155

189.113.89.18

123.203.173.34

78.97.68.150
 

Solution:

Identity check, user input filtering.