lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAAZDpLfnoNUT=bUWxx=vJdy=F_HyRsMLrn10tAiW_HqTtiWTDA@mail.gmail.com>
Date: Mon, 19 Oct 2015 12:21:31 -0400
From: Eric Windisch <eric@...disch.us>
To: fulldisclosure@...lists.org
Subject: [FD] Seagate Central NAS vulnerabilities

I have contacted Seagate regarding the following and was twice informed of
a 90-day window for disclosure. I followed up to no response and have
decided, following the culmination of those 90-days, to publish.

The fact that embedded devices are vulnerable is not new. This is really
not newsworthy, but perhaps we can aim higher? The Central NAS is not
Seagate’s most popular model, but it does share code with other, more
popular products such as the BlackArmor range.

Vulnerabilities:

   - Web application allows unauthorized modification of IP address and
   hostname.
   - World-writable system files allow local users to compromise
   configuration and perform local privilege escalation. (I’ve been informed
   an updated firmware patch “somewhat” mitigates this, but is unconfirmed)
   - Common root password is set on all devices and /etc/shadow is
   world-readable.
   - Firmware updates are vulnerable to a MITM attack. These are performed
   over plain HTTP and are not signed, allowing attackers to readily deliver
   malicious payloads.
   - The NAS supports multi-user / multi-tenant operation. The files of
   these users are all set, by default, to mode 777. Users are given SSH
   access and may readily access and modify each other’s files.
   - The device exposes a phpinfo() page to unauthorized users (information
   disclosure).


These issues were really low-hanging-fruit. I’m certain a number of
remaining issues have yet to be discovered here, but for myself, I’m done.

Finally, see the following blog post for more detail and a timeline of
communications with the vendor:

-- 
https://medium.com/@ewindisch/seagate-central-nas-vulnerabilities-4b78114c9d0b


Regards,
Eric Windisch

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ