Conceptronic Grab’n’Go Network Storage – Directory Traversal

• Exploit Database
• 34 阅读

• 作者： Mattijs van Ommeren
  日期： 2012-09-03
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/21032/

• Security Advisory AA-003: Directory Traversal Vulnerability in Conceptronic Grab’n’Go Network Storage
  
  Severity Rating: High
  Discovery Date: July 29, 2012
  Vendor Notification: July 30, 2012
  Disclosure Date: September 3, 2012
  
  Vulnerability Type=
  Directory Traversal
  
  Impact=
  - System Access
  - Exposure of sensitive information
  
  Severity=
  Alcyon rates the severity of this vulnerability as high due to the following properties:
  - Ease of exploitation;
  - No authentication credentials required;
  - No knowledge about individual victims required;
  - No interaction with the victim required;
  - Number of Internet connected devices found.
  
  Products and firmware versions affected=
  - Conceptronic CH3ENAS firmware versions up to and including 3.0.12
  - Conceptronic CH3HNAS firmware versions up to and including 2.4.13
  - Possibly other rebranded Mapower network storage products
  
  Risk Assessment=
  An attacker can read arbitrary files, including the files that stores the administrative password.
  This means an attacer could:
  - Steal sensitive data stored on the device;
  - Leverage the device to drop and/or host malware;
  - Abuse the device to send spam through the victim’s Internet connection;
  - Use the device as a pivot point to access locally connected systems or launch attacks directed to other systems.
  
  Vulnerability=
  The CGI-script that is responsible for showing the device logs is affected by a directory traversal vulnerability that 
  
  allows an attacker to view arbitrary files.
  
  Proof of Concept Exploit=
  
  curl "http://<victimIP>/cgi-bin/log.cgi?syslog&../../etc/sysconfig/config/webmaster.conf&Conceptronic2009"
  
  Risk Mitigation=
  At the time of disclosure no updated firmware version was available.
  We recommend that you limit access to the devices's web management UI by utilizing proper packet filtering and/or NAT 
  
  on your router in order to limit network access to your NAS. Although this will not completely eliminate the risk of 
  
  exploitation, it becomes substantially more difficult to leverage a successful attack, because it would involve either 
  
  a compromise of another host on the victim’s local network or a client side attack that overcomes the Same Origin 
  
  Policy restrictions of the victim’s web browser.
  
  Vendor Response=
  - 2L/Conceptronic has declared on August 1 that it is not in their power to influence the manufacturer's patching 
  
  process
  - Mapower, the manufacturer of the affected products, has contacted us on August 28 for details on reproducing the 
  
  issue on a CH3HNAS
  - Mapower has confirmed on August 29 that they succesfully have reproduced the PoC exploit on a CH3HNAS and that they 
  
  are working on a fix
  
  Fixed Versions=
  - There is currently no vendor patch available.
  
  =Latest version of this advisory
  http://www.alcyon.nl/advisories/aa-003/