Seagate NAS Zero-Day Vulnerability Allows Unauthorized Root Access Remotely
Seagate, a popular vendor of hardware solutions, has a critical zero-day vulnerability in its Network Attached Storage (NAS) device software that may have left thousands of its users vulnerable to hackers.

Seagate's Business Storage 2-Bay NAS product, found in home and business networks, is vulnerable to a zero-day Remote Code Execution vulnerability, currently affecting more than 2,500 publicly exposed devices on the Internet.

Seagate is one of the world's largest vendors of hardware solutions, with products available worldwide. Seagate ranks second after Western Digital and holds 41% of the worldwide market for storage hardware products.

A security researcher named OJ Reeves discovered the zero-day remote code execution vulnerability on 7 October last year and reported it to the company in white-hat fashion. But even after 130 days of responsible disclosure, the zero-day bug remains unpatched.

In order to exploit the vulnerability, an attacker needs to be able to reach the vulnerable device over the network; the exploit then gives the attacker root access to the device without the need for a valid login. For the roughly 2,500 devices whose web interface is exposed to the Internet, that network is the Internet itself. Reeves also released a Python exploit along with a Metasploit module version, both available on GitHub.

ORIGIN OF ZERO-DAY VULNERABILITY
Seagate's Business Storage 2-Bay NAS products come with a web-enabled management application that lets administrators perform device configuration functions such as adding users, setting up access control, managing files, and more.

This web application is built with three core technologies, PHP version 5.2.13, CodeIgniter version 2.1.0 and Lighttpd version 1.4.28, all of which are out-dated versions.
  • PHP version 5.2.13 is vulnerable to CVE-2006-7243, which allows user-controlled data (a null byte) to prematurely terminate file paths, giving the attacker full control over the file extension.
  • CodeIgniter versions prior to 2.2.0 are vulnerable to CVE-2014-8686, which allows an attacker to extract the encryption key and decrypt the content of the cookie. Once decrypted, the attacker can modify the content of the cookie and re-encrypt it before submitting it back to the server.
The custom web application authenticates the logged-in user based on browser cookies, which carry three parameters:
  • username: the logged-in user name
  • is_admin: whether the user is an admin, i.e. Yes or No
  • language: the chosen language (e.g. en_US)
The researcher explained that there is no further validation of user credentials at the server end once the username cookie is established, so any user can easily be impersonated by an attacker.

Another parameter, 'is_admin', can be manipulated to the value 'Yes', which allows the attacker to self-elevate to administrative privileges within the web application itself.
"The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and get the same level of access. In short, once a user is logged in as admin on one instance, they're effectively admin on every instance," Reeves explained in an advisory.
The language parameter can be manipulated to exploit a local file inclusion vulnerability. Finally, the web application is executed by an instance of Lighttpd which runs under the context of the root user.

When an attacker makes a request with the manipulated cookie, it results in arbitrary code execution as the root user. Therefore, successful exploitation of this vulnerability can result in complete control of the vulnerable device as root.

VULNERABLE PRODUCTS
Two different network storage devices made by Seagate were tested and found to be vulnerable. The latest Seagate NAS firmware versions listed below are affected by this zero-day vulnerability:
  • Business Storage 2-Bay NAS version 2014.00319
  • Business Storage 2-Bay NAS version 2013.60311
However, Reeves believes that all versions of the Business Storage 2-Bay NAS product prior to 2014.00319 are affected by the same vulnerability.

METASPLOIT MODULE AVAILABLE
A Metasploit module and a Python script that exploit the vulnerability automatically are available on GitHub. Each of these scripts is able to perform the following tasks:
  • Connects to the vulnerable NAS device and extracts a ci_session cookie.
  • Decrypts the cookie using the static encryption key and extracts the PHP hash.
  • Modifies the serialized PHP hash so that the username is set to 'admin' and the is_admin field is set to 'yes'.
  • Encrypts this updated PHP hash ready for further use as a ci_session cookie, which allows future requests to operate on the NAS as if they were an administrator.
  • Performs a request to extract the host configuration, which includes the device's description.
  • Modifies the host configuration so that the device description contains a small stager payload.
  • Performs a request to update the host configuration with the new data so that the stager payload is written to /etc/devicedesc.
  • Modifies the PHP hash again so that the language parameter contains the value ../../../../etc/devicedesc\x00.
  • Encrypts this new PHP hash ready for future use as a ci_session cookie.
  • Performs a request to the NAS using the cookie created in the previous step, which invokes the stager that was written to disk. This request posts a larger payload which is written to disk under the web server root.
  • Performs another request which then resets the host configuration back to what it was prior to exploitation.
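To make the server-side flaw concrete, here is an added Python model of the cookie handling described in the ORIGIN OF ZERO-DAY VULNERABILITY section and of the forge-cookie and language steps in the exploit list above. It is not code from Reeves' exploit or from the Seagate firmware. The key value, the language directory path, the JSON serialisation and the repeating-key XOR are assumptions standing in for the real firmware-wide key, the real CodeIgniter serialisation, the real include path and CodeIgniter's cipher; the flaw being shown is the static key and the trust placed in cookie fields, not the cipher itself. The hardened half keeps all authorisation state server side, binds the cookie to a per-device key, and allowlists the language instead of building a path from it.

```python
"""Model of the Seagate NAS cookie flaw and a hardened counterpart (added example)."""
import base64
import hashlib
import hmac
import json
import os
import secrets

# ---- Vulnerable design, as the advisory describes it ----
# Assumption: a stand-in for the key baked into every firmware image. Because it is
# the same on every device, a cookie decrypted on one device is forgeable for all.
STATIC_KEY = b"same-key-in-every-firmware-image"
LANG_DIR = "/var/www/app/language/"   # assumption: where language files are included from


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR standing in for a cipher keyed by a firmware-wide constant."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_vulnerable(session: dict) -> str:
    return base64.b64encode(_xor(json.dumps(session).encode(), STATIC_KEY)).decode()


def decode_vulnerable(cookie: str) -> dict:
    return json.loads(_xor(base64.b64decode(cookie), STATIC_KEY))


def authorize_vulnerable(cookie: str) -> dict:
    """Server side: trusts username, is_admin and language straight from the cookie."""
    session = decode_vulnerable(cookie)
    # PHP 5.2.x truncates the path at the first NUL byte (CVE-2006-7243), so the
    # attacker controls the directory and the extension of the included file.
    lang_path = (LANG_DIR + session.get("language", "en_US") + "_lang.php").split("\x00", 1)[0]
    return {
        "user": session.get("username"),
        "admin": session.get("is_admin") == "yes",
        "include": os.path.normpath(lang_path),
    }


def forge_admin_cookie(any_valid_cookie: str, language: str = "") -> str:
    """What the exploit steps do: decrypt with the static key, set admin, optionally
    point 'language' at an attacker-written file, re-encrypt."""
    session = decode_vulnerable(any_valid_cookie)
    session["username"] = "admin"
    session["is_admin"] = "yes"
    if language:
        session["language"] = language
    return encode_vulnerable(session)


# ---- Hardened design ----
DEVICE_KEY = secrets.token_bytes(32)          # generated per device at first boot, never shared
ALLOWED_LANGUAGES = {"en_US", "de_DE", "fr_FR"}  # assumption: the shipped language packs
_SESSIONS = {}                                 # server-side store: session id -> record


def login_hardened(username: str, is_admin: bool, language: str) -> str:
    """Called after the password has been verified (not shown). All authorisation
    state stays on the server; the cookie carries only a random id plus a MAC."""
    sid = secrets.token_hex(16)
    _SESSIONS[sid] = {
        "username": username,
        "is_admin": is_admin,
        "language": language if language in ALLOWED_LANGUAGES else "en_US",
    }
    tag = hmac.new(DEVICE_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def authorize_hardened(cookie: str):
    """Returns the session view or None. Privilege and the include path come from
    the server-side record, never from cookie content."""
    try:
        sid, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(DEVICE_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    record = _SESSIONS.get(sid)
    if record is None:
        return None
    return {
        "user": record["username"],
        "admin": record["is_admin"],
        "include": os.path.join(LANG_DIR, record["language"] + "_lang.php"),
    }
```

Running `forge_admin_cookie` on any unprivileged cookie with the language value from the exploit list yields a cookie that the vulnerable handler resolves to admin and to an include of /etc/devicedesc; the hardened handler rejects a tampered id or tag outright and maps an unknown language to the default pack.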
According to Reeves, there was no updated firmware version available for download that contains patches for the issues, even after contacting the company multiple times.

Users of Seagate's Business Storage NAS products, and of any other products using the vulnerable firmware, are recommended to ensure that their devices are not accessible via the public Internet and that the devices are located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface.