HackDig : Dig high-quality web security articles for hacker

Seagate Central NAS vulnerabilities

2015-10-19 22:35
I have contacted Seagate regarding the following and was twice informed of
a 90-day window for disclosure. I followed up to no response and have
decided, following the culmination of those 90-days, to publish.

The fact that embedded devices are vulnerable is not new. This is really
not newsworthy, but perhaps we can aim higher? The Central NAS is not
Seagate’s most popular model, but it does share code with other, more
popular products such as the BlackArmor range.

Vulnerabilities:

- Web application allows unauthorized modification of IP address and
hostname.
- World-writable system files allow local users to compromise
configuration and perform local privilege escalation. (I’ve been informed
an updated firmware patch “somewhat” mitigates this, but is unconfirmed)
- Common root password is set on all devices and /etc/shadow is
world-readable.
- Firmware updates are vulnerable to a MITM attack. These are performed
over plain HTTP and are not signed, allowing attackers to readily deliver
malicious payloads.
- The NAS supports multi-user / multi-tenant operation. The files of
these users are all set, by default, to mode 777. Users are given SSH
access and may readily access and modify each other’s files.
- The device exposes a phpinfo() page to unauthorized users (information
disclosure).


These issues were really low-hanging-fruit. I’m certain a number of
remaining issues have yet to be discovered here, but for myself, I’m done.

Finally, see the following blog post for more detail and a timeline of
communications with the vendor:

--
https://medium.com/@ewindisch/seagate-central-nas-vulnerabilities-4b78114c9d0b


Regards,
Eric Windisch

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: 08/tcO/5102/erusolcsidlluf/gro.stsilces

Read:4653 | Comments:0 | Tags:No Tag

“Seagate Central NAS vulnerabilities”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud