Conceptronic Grab'n'Go Network Storage Directory Traversal

`Security Advisory AA-003: Directory Traversal Vulnerability in Conceptronic Grab’n’Go Network Storage  
  
Severity Rating: High  
Discovery Date: July 29, 2012  
Vendor Notification: July 30, 2012  
Disclosure Date: September 3, 2012  
  
Vulnerability Type=  
Directory Traversal  
  
Impact=  
- System Access  
- Exposure of sensitive information  
  
Severity=  
Alcyon rates the severity of this vulnerability as high due to the following properties:  
- Ease of exploitation;  
- No authentication credentials required;  
- No knowledge about individual victims required;  
- No interaction with the victim required;  
- Number of Internet connected devices found.  
  
Products and firmware versions affected=  
- Conceptronic CH3ENAS firmware versions up to and including 3.0.12  
- Conceptronic CH3HNAS firmware versions up to and including 2.4.13  
- Possibly other rebranded Mapower network storage products  
  
Risk Assessment=  
An attacker can read arbitrary files, including the files that stores the administrative password.  
This means an attacer could:  
- Steal sensitive data stored on the device;  
- Leverage the device to drop and/or host malware;  
- Abuse the device to send spam through the victim’s Internet connection;  
- Use the device as a pivot point to access locally connected systems or launch attacks directed to other systems.  
  
Vulnerability=  
The CGI-script that is responsible for showing the device logs is affected by a directory traversal vulnerability that   
  
allows an attacker to view arbitrary files.  
  
Proof of Concept Exploit=  
  
curl "http://<victimIP>/cgi-bin/log.cgi?syslog&../../etc/sysconfig/config/webmaster.conf&Conceptronic2009"  
  
Risk Mitigation=  
At the time of disclosure no updated firmware version was available.  
We recommend that you limit access to the devices's web management UI by utilizing proper packet filtering and/or NAT   
  
on your router in order to limit network access to your NAS. Although this will not completely eliminate the risk of   
  
exploitation, it becomes substantially more difficult to leverage a successful attack, because it would involve either   
  
a compromise of another host on the victim’s local network or a client side attack that overcomes the Same Origin   
  
Policy restrictions of the victim’s web browser.  
  
Vendor Response=  
- 2L/Conceptronic has declared on August 1 that it is not in their power to influence the manufacturer's patching   
  
process  
- Mapower, the manufacturer of the affected products, has contacted us on August 28 for details on reproducing the   
  
issue on a CH3HNAS  
- Mapower has confirmed on August 29 that they succesfully have reproduced the PoC exploit on a CH3HNAS and that they   
  
are working on a fix  
  
Fixed Versions=  
- There is currently no vendor patch available.  
  
=Latest version of this advisory  
http://www.alcyon.nl/advisories/aa-003/  
  
  
`