Message-ID: <CAJWuhbnf5wVeH327AF-aKy2=GEsXU3ukLYNxGFQ5WVvWs50L3A@mail.gmail.com>
Date: Sun, 29 Apr 2018 02:58:40 +1000
From: matthew f <matthew.e.fulton@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] ASUSTOR ADM 3.1.0.RFQ3 and below vulnerabilities
Manufacturer: ASUSTOR
Model vulnerabilities discovered on: AS6202T
Software Version: 3.1.0.RFQ3 and below
PoCs have been provided to Asustor, with no response from their security
team so far. MITRE had no luck getting a hold of them either as far as I
know.
As of today (April 27 2018), they've removed a firmware that indicated the
vulnerabilities I reported were fixed.
More info:
https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation
PoC exploit to chain several vulnerabilities:
https://github.com/mefulton/asustorexploit (no error handling and some
cheesy tricks, but wanted to prototype quickly)
CVE(s): Unknown
Vulnerabilities
---------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability 1
Vulnerability Type: Directory/Path Traversal
Attack Vector:
To exploit the vulnerability, an administrative user can import files and
alter the file system path. The directory traversal makes it possible to
write anywhere on the system, which may lead to code execution or
information disclosure; for instance, it is possible to obtain
terminal-level access even though SSH is turned off.
Remote/Local: Remote
Access Required: Administrative
Suggested description
Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3
allows attackers to navigate the file system via the filename parameter.
---------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability 2
Vulnerability Type: File Upload
Remote/Local: Remote
Access Required: Administrative
Attack Vector:
To exploit the vulnerability, an administrative user can import files and
alter the file system path. The directory traversal makes it possible to
write anywhere on the system, which may lead to code execution or
information disclosure; for instance, it is possible to obtain
terminal-level access even though SSH is turned off.
Suggested description
An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR
AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a
specified filename. This can be used to place attacker controlled code on
the file system that is then executed.
---------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability 3
Vulnerability Type: Path Traversal
Remote/Local: Remote
Access Required: User
Attack Vector:
To exploit the vulnerability, an authenticated user can specify an
arbitrary file on the system to download.
Suggested description
A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM
3.1.0.RFQ3 allows attackers to specify an arbitrary file on the system to
download via the file1 parameter.
---------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability 4
Vulnerability Type: Insecure Direct Object Reference
Remote/Local: Remote
Access Required: User
Attack Vector:
To exploit the vulnerability, an authenticated user can directly reference
functions that are not enabled for their user level.
Suggested description
An insecure direct object reference vulnerability in download.cgi in
ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to reference the
“download_sys_settings” action via the act parameter and then specify
files arbitrarily throughout the system.
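The root cause described for Vulnerability 4 is a dispatcher that checks only whether a requested action exists, not whether the caller's role is allowed to invoke it. The following is an added illustration of that shape and of the server-side per-action policy that closes it; it is not ADM code, and the roles, the actions other than download_sys_settings, and the handler bodies are this example's own.

```python
"""Per-action authorization for a CGI-style dispatcher (added example,
not ASUSTOR code). Role names, handlers and actions other than
'download_sys_settings' are constructed for this illustration."""
from dataclasses import dataclass

ADMIN = "admin"
USER = "user"


@dataclass(frozen=True)
class Session:
    """Authenticated caller; the role is set at login, never by the request."""
    username: str
    role: str


# Policy table: which roles may invoke each action. An action missing from
# this table cannot be dispatched at all (deny by default).
ACTION_POLICY = {
    "download_file": {USER, ADMIN},
    "list_shares": {USER, ADMIN},
    "download_sys_settings": {ADMIN},
}


def _download_file(session):
    return f"file stream for {session.username}"


def _list_shares(session):
    return ["music", "photos"]


def _download_sys_settings(session):
    return "settings archive"


HANDLERS = {
    "download_file": _download_file,
    "list_shares": _list_shares,
    "download_sys_settings": _download_sys_settings,
}


class Forbidden(PermissionError):
    """Caller is authenticated but not authorized for this action."""


def dispatch_vulnerable(session, act):
    """Only checks that the action exists. Any authenticated user reaches an
    admin-only handler simply by naming it, which is the flaw's shape."""
    handler = HANDLERS.get(act)
    if handler is None:
        raise KeyError(act)
    return handler(session)


def dispatch_hardened(session, act):
    """Authorization is decided server-side per action; the UI hiding a
    button for non-admins is not a control."""
    allowed = ACTION_POLICY.get(act)
    if allowed is None:
        raise KeyError(act)  # unknown action: no handler, no leak of which exist
    if session.role not in allowed:
        raise Forbidden(f"{session.username} ({session.role}) may not call {act}")
    return HANDLERS[act](session)


def outcome(session, act):
    """Classify a call through the hardened dispatcher for audit tables."""
    try:
        dispatch_hardened(session, act)
        return "ok"
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "unknown"


if __name__ == "__main__":
    alice = Session("alice", USER)
    for act in ("list_shares", "download_sys_settings", "no_such_action"):
        print(f"{act:24} -> {outcome(alice, act)}")
```

The policy table is the point: every action is listed with the roles that may call it, so a new admin-only action cannot be forgotten by omission, and a log line on each Forbidden outcome gives a clean detection signal for users probing act values they were never shown.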
---------------------------------------------------------------------------------------------------------------------------------------------
Vulnerabilities 5&6
Vulnerability Type: File upload & Path traversal
Remote/Local: Remote
Access Required: User
Attack Vector:
To exploit the vulnerability, an authenticated user can upload files and
alter the file system path. The directory traversal makes it possible to
write anywhere on the system, which may lead to code execution or
information disclosure; for instance, it is possible to obtain
terminal-level access even though SSH is turned off.
Suggested description
An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T
ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST
parameter filename. This can be used to place attacker-controlled code on
the file system that is then executed. Further, the filename parameter is
vulnerable to path traversal and allows the attacker to place the file
anywhere on the system.
---------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability 7
Vulnerability Type: Persistent Cross Site Scripting (XSS)
Remote/Local: Remote
Access Required: User
Attack Vector:
To exploit the vulnerability, an authenticated user who has SoundsGood
provisioned (it is part of the default install) can create a playlist
containing a cross-site scripting payload, which is then stored persistently.
Suggested description
A persistent cross-site scripting vulnerability in playlistmanger.cgi in the
ASUSTOR SoundsGood application allows attackers to store cross-site
scripting payloads via the POST parameter ‘playlist’.
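Vulnerability 7 is a stored XSS: a playlist name is saved as submitted and later placed into a page unencoded. The durable fix is encoding at the point of output for the context the value lands in (HTML text, HTML attribute, or a script block), rather than trying to strip "bad" input on the way in. The following is an added example, not SoundsGood code; the in-memory store, the page fragments and the sample playlist names are this example's own.

```python
"""Context-aware output encoding for stored playlist names (added example,
not ASUSTOR/SoundsGood code). Store, templates and sample data are
constructed for this illustration."""
import html
import json

PLAYLISTS = {}  # constructed in-memory store: owner -> list of playlist names


def create_playlist(owner, name):
    """Store the name as given. Storing unchanged is acceptable; the context
    where it is rendered decides the encoding, not the storage layer."""
    PLAYLISTS.setdefault(owner, []).append(name)
    return name


def render_vulnerable(owner):
    """String concatenation straight into HTML: a stored name containing
    markup becomes part of the page, which is the flaw's shape."""
    items = "".join(f"<li>{n}</li>" for n in PLAYLISTS.get(owner, []))
    return f"<ul>{items}</ul>"


def render_hardened(owner):
    """HTML text context for the visible name; html.escape(quote=True) also
    covers the double-quoted attribute the name is echoed into."""
    items = "".join(
        f'<li data-name="{html.escape(n, quote=True)}">{html.escape(n)}</li>'
        for n in PLAYLISTS.get(owner, [])
    )
    return f"<ul>{items}</ul>"


def render_json_for_script(owner):
    """Script context: JSON-encode the list, then escape '<' so a name
    containing '</script>' cannot close the element the data sits inside."""
    data = json.dumps(PLAYLISTS.get(owner, []))
    return data.replace("<", "\\u003c")


def contains_raw_tag(rendered, tag="script"):
    """Quick check used to compare the two renderers on the same store."""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    # Constructed sample: one ordinary name and one carrying markup.
    create_playlist("alice", "Road trip")
    create_playlist("alice", "<script>alert(1)</script>")
    print("vulnerable:", render_vulnerable("alice"))
    print("hardened:  ", render_hardened("alice"))
    print("script:    ", render_json_for_script("alice"))
```

Note that render_hardened and render_json_for_script read the same stored value; the encoding differs per context, which is why input filtering alone does not settle the issue. A Content-Security-Policy that forbids inline script is a useful second layer but does not replace the encoding.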
---------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability 8
Vulnerability Type: Path Traversal
Remote/Local: Remote
Access Required: User
Attack Vector:
To exploit the vulnerability, an authenticated user can specify arbitrary
locations on the file system when creating a folder.
Suggested description
A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM
3.1.0.RFQ3 allows attackers to specify an arbitrary path on the file system
in which to create folders via the dest_folder parameter.
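Vulnerabilities 1, 3, 5&6 and 8 share one shape: a CGI handler takes a user-controlled path fragment (filename, file1, dest_folder) and uses it under a share or import directory without confirming that the final path stays inside it. The containment check below is an added example covering all four, not ADM code; the function names and the sandbox directory it builds are this example's own. It goes beyond a lexical ".." check by resolving symlinks, since a link planted inside the share would otherwise pass a string-prefix test.

```python
"""Containment check for user-supplied file paths (added example, not
ASUSTOR code). Names and the demo share layout are constructed here."""
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def resolve_within(base_dir, user_path):
    """Return the absolute path of user_path under base_dir, or raise.

    Checks, in order:
      1. reject NUL bytes (they truncate paths in C-level APIs)
      2. reject absolute paths (they would ignore base_dir entirely)
      3. resolve '..', '.' and symlinks with realpath, so a link inside
         the share cannot point outside it
      4. require the resolved path to be base_dir itself or below it,
         using commonpath so 'share-other' is not mistaken for 'share'
    """
    if "\0" in user_path:
        raise PathEscapeError("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathEscapeError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"path escapes base directory: {user_path!r}")
    return candidate


def check_many(base_dir, user_paths):
    """Classify each candidate as 'ok' or 'rejected' for a quick audit table."""
    results = {}
    for p in user_paths:
        try:
            resolve_within(base_dir, p)
            results[p] = "ok"
        except PathEscapeError:
            results[p] = "rejected"
    return results


def build_demo_share():
    """Constructed sandbox: a share with one normal file and a symlink that
    points outside the share (the case a string-prefix check misses)."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "share")
    outside = os.path.join(root, "outside")
    os.makedirs(os.path.join(share, "music"))
    os.makedirs(outside)
    with open(os.path.join(share, "music", "song.mp3"), "wb") as f:
        f.write(b"\x00")
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("not for download\n")
    os.symlink(outside, os.path.join(share, "link"))
    return share


# Constructed inputs of the kinds a download/upload/mkdir handler receives.
DEMO_INPUTS = [
    "music/song.mp3",            # legitimate
    "music/../music/song.mp3",   # harmless '..', stays inside
    "../outside/secret.txt",     # traversal out of the share
    "/etc/passwd",               # absolute path
    "link/secret.txt",           # symlink escape
    "music/song.mp3\0.jpg",      # NUL truncation attempt
]

if __name__ == "__main__":
    share = build_demo_share()
    for path, verdict in check_many(share, DEMO_INPUTS).items():
        print(f"{verdict:8} {path!r}")
```

For the upload and folder-creation cases the same function applies to the target path before the file is written or the directory created; for the download case it applies before the file is opened. A rejected result is worth logging with the raw parameter value, since traversal attempts against these endpoints are otherwise indistinguishable from ordinary file operations.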
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/