SSD Advisory – WiseGiga NAS Multiple Vulnerabilities

Credit to Author: SSD / Maor Schwartz | Date: Tue, 05 Sep 2017 11:11:02 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities summary
The following advisory describes five (5) vulnerabilities and default accounts / passwords found in WiseGiga NAS devices.

WiseGiga is a Korean company selling NAS products.

The vulnerabilities found in WiseGiga NAS are:

  • Pre-Authentication Local File Inclusion (4 different vulnerabilities)
  • Post-Authentication Local File Inclusion
  • Remote Command Execution as root
  • Remote Command Execution as root with CSRF
  • Info Leak
  • Default accounts

Credit
An independent security researcher, Pierre Kim, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We have tried to contact WiseGiga since June 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.

Vulnerabilities details

Pre-Authentication Local File Inclusion
User-controlled input is not sufficiently sanitized and can be exploited by an attacker to obtain sensitive information (for example, passwords).

By sending a GET request to any of the following URIs with a filename= parameter, an attacker can trigger the vulnerabilities:

  • /webfolder/download_file1.php
  • down_data.php
  • download_file.php
  • mobile/download_file1.php

Proof of Concept

Post-Authentication Local File Inclusion
User-controlled input is not sufficiently sanitized and can be exploited by an attacker to obtain sensitive information (for example, passwords).

By sending a GET request to /mobile/download_file2.php, an authenticated attacker can trigger the vulnerability.

Proof of Concept

Remote Command Execution as root
The WiseGiga NAS firmware contains pre.php files in several directories.

For example:

A “standard” pre.php contains:

Because $memberid is declared as a global (line 184), an attacker can override the authentication by specifying a valid user (“root”) inside the HTTP request:

The pre.php files also contain a function called root_exec_cmd(), which is a wrapper around popen():

By reaching root_exec_cmd() through a GET request whose user-controlled input ends up in the $cmd variable, an attacker can execute arbitrary commands.

The WiseGiga NAS runs the Apache server as root (uid=0 with gid=48 “apache”), so the commands execute as root.

Proof of Concept

When a GET request is sent to /admin/group.php with the parameter cmd=add, the WiseGiga NAS calls the add_system() function:

The add_system() function declares $group_name and $user_data as globals, so both can be supplied from the request.

It then passes the user-controlled input on and runs it as root:

An attacker can get unauthenticated RCE as root by sending the following request:

The file /tmp/a will contain:

Remote Command Execution as root with CSRF
There is no CSRF protection in WiseGiga NAS.

An attacker can force the execution of a command as root when the victim visits a malicious website.

Proof of Concept
Once the victim visits the attacker’s website containing the following code, the attacker can execute arbitrary commands.

Info Leak
Accessing http://IP/webfolder/config/config.php discloses the PHP configuration.
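Since no vendor fix exists, the practical defence is to watch the NAS web server logs for the request patterns this advisory describes. The following detector is an added example and is not part of the advisory or of WiseGiga's firmware. It parses Apache combined-format access log lines (the sample lines below are constructed, not captured from a real device) and flags: filename= values on the listed download endpoints that point outside the intended directory (absolute paths or ../ traversal, including percent-encoded forms, which parse_qs decodes); requests to /admin/group.php that carry a memberid parameter (the parameter name is an assumption derived from the $memberid global named above); cmd=add requests to /admin/group.php arriving with a cross-site Referer, which is the CSRF pattern; and any fetch of /webfolder/config/config.php. The NAS hostname nas.example.lan used for the Referer check is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints named in the advisory; some are listed without a directory, so we match on suffix.
LFI_PATHS = (
    "/webfolder/download_file1.php",
    "/down_data.php",
    "/download_file.php",
    "/mobile/download_file1.php",
    "/mobile/download_file2.php",
)
RCE_PATH = "/admin/group.php"
INFO_LEAK_PATH = "/webfolder/config/config.php"
AUTH_PARAM = "memberid"  # assumed query parameter name, derived from the $memberid global

# ".." as a whole path component, with either slash style.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample lines (not real traffic); the first four are the advisory's patterns.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2017:11:11:02 +0000] "GET /webfolder/download_file1.php?filename=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.52"
203.0.113.5 - - [05/Sep/2017:11:11:05 +0000] "GET /mobile/download_file2.php?filename=%2Fetc%2Fshadow HTTP/1.1" 200 512 "-" "curl/7.52"
203.0.113.9 - - [05/Sep/2017:11:12:01 +0000] "GET /admin/group.php?cmd=add&memberid=root HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2017:11:12:20 +0000] "GET /admin/group.php?cmd=add HTTP/1.1" 200 88 "http://evil.example/" "Mozilla/5.0"
203.0.113.9 - - [05/Sep/2017:11:12:30 +0000] "GET /webfolder/config/config.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.1.20 - - [05/Sep/2017:11:13:00 +0000] "GET /webfolder/download_file1.php?filename=report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.168.1.20 - - [05/Sep/2017:11:13:10 +0000] "GET /admin/group.php?cmd=add HTTP/1.1" 200 88 "http://nas.example.lan/admin/group.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "%2Fetc%2Fshadow" becomes "/etc/shadow".
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def suspicious_filename(value):
    """True when a filename= value escapes the download directory."""
    return value.startswith("/") or bool(TRAVERSAL_RE.search(value))


def classify(rec, own_hosts=("nas.example.lan",)):
    """Map one parsed request to an advisory pattern, or None if it looks benign."""
    path, query = rec["path"], rec["query"]
    if any(path.endswith(p) for p in LFI_PATHS):
        if any(suspicious_filename(v) for v in query.get("filename", [])):
            return "lfi"
    if path == RCE_PATH:
        if AUTH_PARAM in query:
            return "rce-auth-bypass"
        ref_host = urlsplit(rec["referer"]).hostname
        if query.get("cmd") == ["add"] and ref_host and ref_host not in own_hosts:
            return "rce-csrf"
    if path == INFO_LEAK_PATH:
        return "info-leak"
    return None


def scan(log_text, own_hosts=("nas.example.lan",)):
    """Return (tag, client_ip, request_target) for every flagged line in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec, own_hosts)
        if tag:
            hits.append((tag, rec["ip"], rec["target"]))
    return hits


if __name__ == "__main__":
    for tag, ip, target in scan(SAMPLE_LOG):
        print(f"{tag:16} {ip:14} {target}")
```

Run against a real log, the last two sample lines show the expected negatives: a plain filename on a download endpoint and an admin action whose Referer is the NAS itself are not flagged. Because the device runs Apache as root and has no fix, any "lfi" or "rce-*" hit from an untrusted network should be treated as a compromise of the whole appliance, not just of the web application.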

Default accounts
Username: guest
Password: guest09#$
