Remote Code Execution - polls.io

After downloading the most recent device firmware from the Seagate download page I started examining the firmware ZIP file. Inside the ZIP archive there was another compressed binary named Seagate-HS-update-201509160008F.img; by simply changing the file extension to "tar.gz" I was able to extract the SquashFS filesystem that contained the management application source code, the startup scripts and the busybox binaries for the ARM-based NAS device.

Contents of the firmware update ZIP file

Using the command sudo unsquashfs -f -d /media/seagate/tmp/ file.squashfs I extracted the filesystem and started examining its contents. After a short reconnaissance I found the PHP source code of the device management interface and jumped straight into the source code analysis phase. During the analysis I noticed that the application was developed with the CodeIgniter framework. Considering the size of the management application I went straight to tracing the most dangerous PHP functions (the command-execution, code-evaluation, file-access and include sinks). I ran find . -name "*.php" | xargs grep "<function-name>" for each function in the following list and got a few interesting input vectors.

exec

shell_exec

system

passthru

pcntl_exec

popen

proc_open

eval

preg_replace (with /e modifier)

create_function

file_get_contents

file_put_contents

readfile

include

require

require_once

include_once
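A raw grep for the list above returns every call, including the many harmless ones with literal arguments. The following script is an added example (my code, not code from the original post or from the firmware) of the triage step that comes next: it walks a PHP tree, matches the same sink list, and reports only calls whose argument text contains a PHP variable, which is where untrusted input can flow in. The temporary directory and the sample file it scans are constructed for the demonstration.

```php
<?php
// Added example, not code from the original post or the firmware: a small
// triage script that goes one step beyond the grep above. It walks a PHP
// source tree, finds calls to the dangerous functions listed above and
// reports only the calls whose argument text contains a PHP variable ($...),
// because a call with purely literal arguments has no direct injection point.
// The directory layout and the sample file are constructed for the demo.

$sinks = array(
    'exec', 'shell_exec', 'system', 'passthru', 'pcntl_exec', 'popen',
    'proc_open', 'eval', 'preg_replace', 'create_function',
    'file_get_contents', 'file_put_contents', 'readfile',
    'include', 'require', 'require_once', 'include_once',
);

// One regex for all sinks: the function name as a whole word, an optional
// opening parenthesis (include/require/eval may be used without one), then
// everything up to the end of the statement as the "argument text".
$pattern = '/\b(' . implode('|', $sinks) . ')\b\s*\(?([^;]*)/';

function find_sinks($dir, $pattern)
{
    $hits = array();
    $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($iter as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        foreach (file($file->getPathname()) as $n => $line) {
            if (!preg_match($pattern, $line, $m)) {
                continue;
            }
            if (strpos($m[2], '$') === false) {
                continue;   // literal arguments only: low priority, skip
            }
            // Note: preg_replace is a code sink only with the /e modifier;
            // it is still reported here so a human can inspect the pattern.
            $hits[] = sprintf('%s:%d: %s', $file->getFilename(), $n + 1, trim($line));
        }
    }
    return $hits;
}

// Constructed sample resembling the vulnerable helper in the post.
$tmp = sys_get_temp_dir() . '/sinkscan_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . '/sample.php', '<?php
$p = proc_open($cmd, $desc, $pipes, $cwd);             // dynamic: reported
$l = shell_exec("ls -l /tmp");                         // literal: skipped
$r = mv_backend_launch("check_netbios_name.sh $name"); // wrapper, not a sink
$s = system("check_netbios_name.sh " . $name);         // dynamic: reported
');

foreach (find_sinks($tmp, $pattern) as $hit) {
    echo $hit, "\n";
}
unlink($tmp . '/sample.php');
rmdir($tmp);
```

Running it prints the proc_open and system lines of the sample and nothing else. Note the third sample line: a project wrapper such as mv_backend_launch is invisible to a sink-only scan, which is exactly why the next step in the post is to follow the wrapper's callers by hand.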

One of the grep results for "proc_open" showed a call with several different variables used as parameters inside the ./cirrus/application/helpers/mv_backend_helper.php file.

The call in question is inside the mv_backend_launch function, which is also located in the ./cirrus/application/helpers/mv_backend_helper.php file.

function mv_backend_launch($cmd, $noLog = false)
{
    $desc = array(
        0 => array("pipe", "r"),
        1 => array("pipe", "w"),
        2 => array("pipe", "w")
    );
    $cwd = './';
    $process = proc_open($cmd, $desc, $pipes, $cwd);
    if (is_resource($process))
    {
        fclose($pipes[0]);
        $data = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        $errors = stream_get_contents($pipes[2]);
        if (strlen(trim($errors)) > 0)
            mv_log_errors($cmd, $errors);
        fclose($pipes[2]);
        proc_close($process);
        if ( ! $noLog ) {
            syslog(LOG_INFO, "CMD: '$cmd', RESPONSE: '$data'");
        }
        return $data;
    }
}

After tracing the function references back I was able to identify the check_device_name function, which passes unsanitized user input to the mv_backend_launch function through the $name variable.

public function check_device_name()
{
    $info = $this->get_start_info();
    $isStart = $info && array_key_exists('state', $info) && $info['state'] == 'start';
    if ( ! $isStart ) {
        mv_is_admin();
    }
    $name = $this->input->post("name");
    $result = mv_backend_launch("check_netbios_name.sh $name");
    echo header('Content-type: text/xml');
    echo $result;
}

So now we have a function with a remote code execution vulnerability: the POST parameter "name" is interpolated straight into a shell command line, so any shell metacharacters in it are executed by proc_open. However, the problem was that this function only works without authentication if the device state is set to "start"; otherwise it requires admin-level access to the application. So we either need to find a way to change the device state without authentication, or bypass authentication and escalate privileges. Because of this problem I went back to analysing the source code and found an even better attack vector. While examining the device state mechanics I noticed that when the device is in the "start" state it allows the registration of new users in order to perform the initial setup of the device. When I looked at how the state change is performed I found the set_start_info function inside the application/core/MV_BaseController.php file. This function sets the device state from a JSON POST request and guess what? There is no access control of any kind :) The related reset_start_info function from the same file, shown below, has no access control either.

public function reset_start_info()
{
    self::save_object_to_file(null, self::START_FILE);
    $uri = $_SERVER['REQUEST_URI'];
    $idx = strpos($uri, 'index.php');
    if ( $idx !== false ) {
        $uri = substr($uri, 0, $idx);
    }
    $uri .= 'index.php/SCSS';
    header('Content-type: text/plain');
    header("Location: " . $uri, TRUE, 302);
    exit();
}

So by simply changing the device state to "start" we can add a new admin user to the device. Users on the device are created as Linux system users, so they all have SSH access to the device.
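Both weaknesses above, the unsanitized $name reaching the shell in check_device_name and the unauthenticated state reset, have straightforward fixes. The following is an added example (my code, not Seagate's firmware and not from the original post) showing one way to close them in the same PHP style. It assumes the helper names used in the post (mv_backend_launch, mv_is_admin); the NetBIOS name rule is a deliberately strict allow-list of my own choosing, and the *_fixed functions are standalone stand-ins for the controller methods.

```php
<?php
// Added example, not vendor code: closing the two weaknesses described above.
// mv_backend_launch() and mv_is_admin() are the helpers named in the post;
// the validation rule and the *_fixed wrappers are assumptions for the demo.

// 1. Never interpolate user input into a shell command line. First validate
//    the value against what a NetBIOS name may legitimately contain (here a
//    deliberately strict allow-list: 1-15 letters, digits or hyphens), then
//    quote it with escapeshellarg() so that ";", "|", "`", "$(" and friends
//    reach check_netbios_name.sh as data rather than as shell syntax.
function validate_netbios_name($name)
{
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9-]{1,15}$/', $name)) {
        return false;
    }
    return $name;
}

function build_check_command($name)
{
    $clean = validate_netbios_name($name);
    if ($clean === false) {
        return false;
    }
    return 'check_netbios_name.sh ' . escapeshellarg($clean);
}

// Hardened check_device_name(): same control flow as the original, but the
// command is only built from a validated, quoted value.
function check_device_name_fixed($postName, $isStart)
{
    if (!$isStart) {
        mv_is_admin();
    }
    $cmd = build_check_command($postName);
    if ($cmd === false) {
        header('HTTP/1.1 400 Bad Request');
        return '<error>invalid name</error>';
    }
    return mv_backend_launch($cmd);
}

// 2. State transitions must be authenticated. reset_start_info() drops the
//    device back to the "start" state, which re-opens user registration, so
//    it needs the same admin gate as every other privileged action. The rest
//    of the original body (clearing START_FILE and redirecting) is unchanged.
function reset_start_info_fixed()
{
    mv_is_admin();   // added gate: abort unless an admin session is present
    // ... original body of reset_start_info() follows here ...
}

// Demonstration with constructed inputs; no device or helpers needed.
echo build_check_command('NAS01'), "\n";     // check_netbios_name.sh 'NAS01'
var_export(build_check_command("NAS01; id")); // false: rejected before the shell
echo "\n";
```

The allow-list matters as much as the quoting: escapeshellarg() protects the PHP-side command line, but if check_netbios_name.sh itself uses its argument unquoted in another command, only the strict character set keeps the value inert inside the script too.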

Metasploit Module

So far we have identified several vulnerabilities. For the exploit code I prefer the second path, where we add a new admin user and establish an SSH connection, because triggering reverse/bind shell connections with busybox binaries is hard in terms of Metasploit payload compatibility. Also, by default the device's ports are closed except for basic services such as HTTP, HTTPS, SSH, FTP... Since SSH is enabled by default and it is not possible to disable it from the administrator interface, writing the exploit along the second path is the obvious choice. And here is the final result...

After reporting this vulnerability to Seagate we were disappointed with the response. They first claimed that "this product was designed and targeted for personal home use within a personal LAN" and therefore has no real attack surface. But then we proved otherwise by providing the number of exploitable devices exposed to the internet, using services such as shodan.io and censys.io. However, it seems they simply don't care ¯\_(ツ)_/¯ We had no expectation of any kind of bounty or points, we just wanted to write a cool blog post; the only reason for using the Bugcrowd platform was that Seagate only accepts bug reports through an external Bugcrowd submission form.
