Security Advisory AA-003: Directory Traversal Vulnerability in Conceptronic Grab’n’Go Network Storage Severity Rating: High Discovery Date: July 29, 2012 Vendor Notification: July 30, 2012 Disclosure Date: September 3, 2012 Vulnerability Type= Directory Traversal Impact= - System Access - Exposure of sensitive information Severity= Alcyon rates the severity of this vulnerability as high due to the following properties: - Ease of exploitation; - No authentication credentials required; - No knowledge about individual victims required; - No interaction with the victim required; - Number of Internet connected devices found. Products and firmware versions affected= - Conceptronic CH3ENAS firmware versions up to and including 3.0.12 - Conceptronic CH3HNAS firmware versions up to and including 2.4.13 - Possibly other rebranded Mapower network storage products Risk Assessment= An attacker can read arbitrary files, including the files that stores the administrative password. This means an attacer could: - Steal sensitive data stored on the device; - Leverage the device to drop and/or host malware; - Abuse the device to send spam through the victim’s Internet connection; - Use the device as a pivot point to access locally connected systems or launch attacks directed to other systems. Vulnerability= The CGI-script that is responsible for showing the device logs is affected by a directory traversal vulnerability that allows an attacker to view arbitrary files. Proof of Concept Exploit= curl "http://<victimIP>/cgi-bin/log.cgi?syslog&../../etc/sysconfig/config/webmaster.conf&Conceptronic2009" Risk Mitigation= At the time of disclosure no updated firmware version was available. We recommend that you limit access to the devices's web management UI by utilizing proper packet filtering and/or NAT on your router in order to limit network access to your NAS. Although this will not completely eliminate the risk of exploitation, it becomes substantially more difficult to leverage a successful attack, because it would involve either a compromise of another host on the victim’s local network or a client side attack that overcomes the Same Origin Policy restrictions of the victim’s web browser. Vendor Response= - 2L/Conceptronic has declared on August 1 that it is not in their power to influence the manufacturer's patching process - Mapower, the manufacturer of the affected products, has contacted us on August 28 for details on reproducing the issue on a CH3HNAS - Mapower has confirmed on August 29 that they succesfully have reproduced the PoC exploit on a CH3HNAS and that they are working on a fix Fixed Versions= - There is currently no vendor patch available. =Latest version of this advisory http://www.alcyon.nl/advisories/aa-003/Брой прочитания на тази страница: 1171
Conceptronic Grab’n’Go Network Storage Directory Traversal