Home »
» Directory Traversal Vulnerability in Sitecom Home Storage Center
Directory Traversal Vulnerability in Sitecom Home Storage Center
Directory Traversal Vulnerability in Sitecom Home Storage Center |
Discovery Date: July 29, 2012 |
Vendor Notification: July 30, 2012 |
Disclosure Date: September 3, 2012 |
- Exposure of sensitive information |
Alcyon rates the severity of this vulnerability as high due to the following properties: |
- No authentication credentials required; |
- No knowledge about individual victims required; |
- No interaction with the victim required; |
- Number of Internet connected devices found. |
Products and firmware versions affected= |
- Sitecom MD-253 firmware version up to and including 2.4.17 |
- Sitecom MD-254 firmware version up to and including 2.4.17 |
- Possibly other rebranded Mapower network storage products |
An attacker can read arbitrary files, including the files that stores the administrative password. |
This means an attacer could: |
- Steal sensitive data stored on the device; |
- Leverage the device to drop and/or host malware; |
- Abuse the device to send spam through the victim’s Internet connection; |
- Use the device as a pivot point to access locally connected systems or launch attacks directed to other systems. |
The CGI-script that is responsible for showing the device logs is affected by a directory traversal vulnerability that |
allows an attacker to view arbitrary files. |
Proof of Concept Exploit= |
Paste the following URL into a web browser’s address bar to obtain the administrator’s username and password: |
http://<victimIP>/cgi-bin/info.cgi?syslog&../../etc/sysconfig/config/webmaster.conf |
At the time of disclosure no updated firmware version was available. |
We recommend that you limit access to the devices's web management UI by utilizing proper packet filtering and/or NAT |
on your router in order to limit network access to your NAS. Although this will not completely eliminate the risk of |
exploitation, it becomes substantially more difficult to leverage a successful attack, because it would involve either |
a compromise of another host on the victim’s local network or a client side attack that overcomes the Same Origin |
Policy restrictions of the victim’s web browser. |
We provide an installable package for Sitecom devices that enables browser based authentication (Basic Auth) as an |
effective workaround for this and future web management UI vulnerabilities. For details refer to |
http://www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk-mitigation/ |
- Sitecom has reported on August 2 that they are working with the manufacturer to verify the vulnerability |
- Sitecom has confirmed on August 28 that the manufacturer is working on a fix |
- There is currently no vendor patch available. |
- A third party patch is provided by Alcyon. See: http://www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk- |
=Latest version of this advisory |
http://www.alcyon.nl/advisories/aa-004/ |
0 comentários:
Postar um comentário