lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201601240339.u0O3d0KX022468@sf01web1.securityfocus.com>
Date: Sun, 24 Jan 2016 03:39:00 GMT
From: zemnmez@...glemail.com
To: bugtraq@...urityfocus.com
Subject: Remote shutdown vulnerability in Buffalo NAS (Linkstation 420)

The Buffalo NAS device includes a web interface located at its IP address. A shutdown of the device can be initiated without confirmation by loading the endpoint /shutdown.html on this address. This shutdown powers off the device, requiring physical access to restart.

The shutdown webpage has no special X-Frame-Options set on it, allowing an attacker with the right knowledge to remotely disable the device through an iframe that an admin on the device loads.

I have demonstrated shutting down such a device remotely using STUN to locate the local IP address of the user and iterating on that IP address by requesting the Buffalo logo from these IP addresses. In the case where the user has recently accessed their NAS configuration panel, the logo loads instantly (from cache) and fires the onload event, which in turn triggers an iframe embed which shuts down the device.

Code: https://gist.github.com/venoms/5b5437e25e0bf3b49d0a

In short, the above code will scan for and remotely shutdown all vulnerable Buffalo NAS-s the viewer is authorized to configure in their local network.

Zemnmez

Thanks to Nathaniel "XMPPWocky" Theis for helping me streamline this exploit.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ