The best nas for home 2018
11/12/2022

CVE-2018-18471 – XXE and Unauthenticated Remote Command Execution in Axentra Hipserv NAS firmware.

We successfully gained root remote command execution in the devices, and therefore on the network they are on, simply by knowing their IP addresses.
All four NAS devices tested suffer from zero-day unauthenticated root remote command execution (pre-auth RCE) vulnerabilities.
The vulnerabilities allow hackers, governments, or anyone with malicious intentions to read files, add/remove users, add/modify existing data, or execute commands with the highest privileges on all of the devices.
It is our belief that there are many other NAS devices that suffer from similar vulnerabilities, as there seems to be a pattern of NAS devices missing the security measures expected of them.
Both vulnerabilities (dubbed CVE-2018-18472 and CVE-2018-18471) remain unpatched at the time of this publication.
There are nearly 2 million affected devices online.

Axentra Hipserv is a NAS OS that runs on multiple devices and provides cloud-based login and file storage and management functionalities for different devices. It's used in devices from different vendors; the affected devices sharing the firmware are:

[image: list of affected devices]

The company provides firmware with a web interface that mainly uses PHP as the server-side language. The web interface has a REST API endpoint and a typical web management interface with file manager support.

After extracting the firmware and decoding the files, the PHP files were located in /var/ and RESTAPIController.php is the main handler for the REST API. All the PHP files were encrypted using IONCube, which has a known public decoder; given that the version used was an old one, decoding the files didn't take long.

After decoding the files, most of the API endpoints and the web interface were not accessible without authentication. One of the few exceptions to this were a few endpoints in the REST API interface. One of those endpoints is located at /api/2.0/rest/aggregator/xml, which loads XML data from POST data. Although it uses DOMDocument for loading (parsing) the XML, which should not be vulnerable to XXE attacks, the version of libxml2 used as a backend in the firmware is an old one. This means that external entity loading was not disabled by default, which opened the endpoint to exploitation. Through this it was possible to read files and perform SSRF attacks. An example request is given below:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded

The above request caused the XML parser to make a request to our server at 192.168.56.1 for the file XXE_CHECK. Although LFI was interesting to grab some sensitive files, since XML can't handle binary data it was not possible to dump the SQLite database to get usernames and passwords. That meant we are able to read files and make SSRF requests on any of the affected devices.

Looking at how the web interface (the REST API in particular) performed root actions was the next step. Since the web server runs as a non-root user and had no sudo rights, it was found that the REST API makes calls to a local daemon named oe-spd, which runs on port 2000 bound to 127.0.0.1. The daemon takes XML data, parses the request and carries out the action without any authentication, except making sure the request came from 127.0.0.1.
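The aggregator endpoint above was exploitable because the parser's behaviour depended on the libxml2 version it happened to be linked against. The example below (added here; it is not code from the advisory or from the Hipserv firmware) shows the defence a practitioner would put in front of any endpoint that parses untrusted XML: refuse any document that carries a DOCTYPE or ENTITY declaration before the parser ever sees it, so XXE is impossible regardless of parser defaults. It also covers the evasion a byte-level scan would otherwise miss, a payload sent as UTF-16. The sample requests, the 192.0.2.1 callback host and the function names are constructed for illustration. In PHP the equivalent parser-side controls are never passing LIBXML_NOENT to DOMDocument::loadXML, passing LIBXML_NONET, and on old libxml2 builds calling libxml_disable_entity_loader(true); the pre-parse rejection below is independent of those and is the layer that does not depend on the library version.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies (not from the advisory): one benign request
# of the kind a REST aggregator might accept, and one carrying an external
# entity declaration of the kind an XXE probe uses. 192.0.2.1 is a
# documentation address, not a real callback host.
BENIGN_XML = "<request><action>list</action></request>"
XXE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE r [<!ENTITY xxe SYSTEM "http://192.0.2.1/XXE_CHECK">]>'
    "<r>&xxe;</r>"
)

# Entity declarations can only live inside a DTD, and a DTD can only be
# introduced by <!DOCTYPE ...>. Rejecting both markers up front removes XXE
# (file read, SSRF, billion-laughs) no matter how the parser is configured.
_DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised when a request body must not be handed to an XML parser."""


def _normalize_for_scan(raw: bytes) -> bytes:
    """Fold UTF-16 input to UTF-8 so '<!DOCTYPE' cannot hide between null bytes.

    An XML parser auto-detects UTF-16 from the BOM or the first bytes, so a
    byte-level scan for b"<!DOCTYPE" on the raw body would miss a UTF-16
    payload that the parser would still happily expand.
    """
    head = raw[:4]
    if head[:2] == b"\xff\xfe" or (len(head) > 1 and head[1:2] == b"\x00"):
        enc = "utf-16-le"
    elif head[:2] == b"\xfe\xff" or head[:1] == b"\x00":
        enc = "utf-16-be"
    else:
        return raw
    try:
        return raw.decode(enc).encode("utf-8")
    except UnicodeDecodeError:
        # Fail closed: a body that claims to be UTF-16 but does not decode is
        # not something we want a lenient parser to guess at.
        raise UnsafeXmlError("undecodable UTF-16 request body")


def is_safe_xml(raw: bytes) -> bool:
    """True if the body contains no DTD markers (after encoding normalization)."""
    try:
        return _DTD_MARKER.search(_normalize_for_scan(raw)) is None
    except UnsafeXmlError:
        return False


def parse_untrusted_xml(raw: bytes) -> ET.Element:
    """Parse a request body only after the DTD check has passed.

    Python's xml.etree does not resolve external entities itself, but the
    pre-parse rejection is what keeps this safe even if the parser underneath
    is swapped for one (like an old libxml2) that does.
    """
    if not is_safe_xml(raw):
        raise UnsafeXmlError("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(raw, parser=ET.XMLParser())


def requested_action(raw: bytes) -> str:
    """Example consumer: return the <action> text of a validated request."""
    root = parse_untrusted_xml(raw)
    node = root.find("action")
    return node.text if node is not None and node.text else ""


if __name__ == "__main__":
    print("benign accepted:", requested_action(BENIGN_XML.encode()))
    for label, body in (("utf-8 XXE", XXE_XML.encode()),
                        ("utf-16 XXE", XXE_XML.encode("utf-16"))):
        print(label, "safe?", is_safe_xml(body))
```

The check runs on the raw body rather than on a parsed tree on purpose: by the time a tree exists, an entity-resolving parser has already fetched the external resource, so any detection that happens after parsing is too late to prevent the SSRF or file read.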