Date: Sun, 29 Apr 2018 02:58:40 +1000
From: matthew f <matthew.e.fulton@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] ASUSTOR ADM 3.1.0.RFQ3 and below vulnerabilities

Manufacturer: ASUSTOR
Model vulnerabilities discovered on: AS6202T
Software Version: 3.1.0.RFQ3 and below

PoCs have been provided to Asustor, with no response from their security team so far. Mitre had no luck getting a hold of them either as far as I know. As of today (April 27 2018), they've removed a firmware that indicated the vulnerabilities I reported were fixed.

More info: https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation

PoC exploit to chain several vulnerabilities: https://github.com/mefulton/asustorexploit (no error handling and some cheesy tricks, but wanted to prototype quickly)

CVE(s): Unknown

Vulnerabilities

----------------------------------------------------------------------
Vulnerability 1

Vulnerability Type: Directory/Path Traversal
Attack Vector: To exploit the vulnerability an administrative/authoritative user can import files and alter the file system path. It is possible to write anywhere on the system using the directory traversal vulnerability and may lead to code execution or information disclosure. It is possible to obtain terminal level access despite ssh being turned off for instance.
Remote/Local? Remote
Access Required: Administrative

Suggested description
Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter.

----------------------------------------------------------------------
Vulnerability 2

Vulnerability Type: File Upload
Remote/Local? Remote
Access Required: Administrative
Attack Vector: To exploit the vulnerability an administrative/authoritative user can import files and alter the file system path. It is possible to write anywhere on the system using the directory traversal vulnerability and may lead to code execution or information disclosure. It is possible to obtain terminal level access despite ssh being turned off for instance.

Suggested description
An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker controlled code on the file system that is then executed.

----------------------------------------------------------------------
Vulnerability 3

Vulnerability Type: Path Traversal
Remote/Local? Remote
Access Required: User
Attack Vector: To exploit the vulnerability an authenticated user can arbitrarily specify the file on the system to download.

Suggested description
A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter.

----------------------------------------------------------------------
Vulnerability 4

Vulnerability Type: Insecure Direct Object Reference
Remote/Local: Remote
Access Required: User
Attack Vector: To exploit the vulnerability an authenticated user can directly reference functions that are not enabled for their user level.

Suggested description
An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the “download_sys_settings” action and then specify files arbitrarily throughout the system via the act parameter.

----------------------------------------------------------------------
Vulnerabilities 5&6

Vulnerability Type: File upload & Path traversal
Remote/Local: Remote
Access Required: User
Attack Vector: To exploit the vulnerability an authenticated user can upload files and alter the file system path. It is possible to write anywhere on the system using the directory traversal vulnerability and may lead to code execution or information disclosure. It is possible to obtain terminal level access despite ssh being turned off for instance.

Suggested description
An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker controlled code on the file system that is then executed. Further, the filename parameter is vulnerable to path traversal and allows the attacker to place the file anywhere on the system.

----------------------------------------------------------------------
Vulnerability 7

Vulnerability Type: Persistent Cross Site Scripting (XSS)
Remote/Local: Remote
Access Required: User
Attack Vector: To exploit the vulnerability an authenticated user that has SoundsGood provisioned (default install) is able to create a playlist that has a cross site scripting payload that is then stored and persistent.

Suggested description
A persistent cross site scripting vulnerability in playlistmanger.cgi in ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the POST parameter ‘playlist’.

----------------------------------------------------------------------
Vulnerability 8

Vulnerability Type: Path Traversal
Remote/Local: Remote
Access Required: User
Attack Vector: To exploit the vulnerability an authenticated user can arbitrarily specify locations on the file system when creating a folder.

Suggested description
A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a path on the file on the system to create folders via the dest_folder parameter.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
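
A server-side containment check of the kind the path traversal findings above (the filename, file1 and dest_folder parameters) show to be missing, as an added example that is not part of the original post and not ASUSTOR's code. The function names, the share root and the sample inputs are constructed for illustration, and a POSIX file system is assumed.

```python
import os
import tempfile

class PathRejected(ValueError):
    """Client-supplied name would resolve outside the permitted directory."""

def resolve_under(root, client_path):
    """Resolve client_path below root; raise PathRejected if it escapes."""
    if not client_path or "\x00" in client_path:
        raise PathRejected("empty value or NUL byte")
    root_real = os.path.realpath(root)
    # realpath collapses "../" and follows symlinks, so the comparison is
    # made on the location the open()/mkdir() call would actually reach.
    target = os.path.realpath(os.path.join(root_real, client_path))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PathRejected(f"{client_path!r} resolves outside {root_real}")
    return target

def upload_target(upload_dir, filename):
    """Upload handlers need only a leaf name, so refuse any directory part."""
    if filename in (".", "..") or os.path.basename(filename) != filename:
        raise PathRejected(f"{filename!r} is not a bare file name")
    return resolve_under(upload_dir, filename)

def verdicts(share_root):
    """Run constructed sample inputs through both checks."""
    samples = [  # (check, value): constructed test values, not from the advisory
        (resolve_under, "music/album1"),
        (resolve_under, "../../etc/passwd"),
        (resolve_under, "/etc/passwd"),
        (resolve_under, "escape/passwd"),  # "escape" is a symlink to /etc
        (upload_target, "users.csv"),
        (upload_target, "../users.csv"),
    ]
    out = {}
    for check, value in samples:
        try:
            check(share_root, value)
            out[value] = "allowed"
        except PathRejected:
            out[value] = "rejected"
    return out

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        os.symlink("/etc", os.path.join(share, "escape"))
        for value, verdict in verdicts(share).items():
            print(f"{verdict:8} {value}")
```

The check is made on the resolved path rather than on the raw string, so a symlink inside the share that points elsewhere is rejected along with `../` sequences and absolute paths.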