Remote shutdown vulnerability in Buffalo NAS (Linkstation 420)
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Remote shutdown vulnerability in Buffalo NAS (Linkstation 420)
- From: zemnmez@xxxxxxxxxxxxxx
- Date: Sun, 24 Jan 2016 03:39:00 GMT
The Buffalo NAS device includes a web interface located at its IP address. A
shutdown of the device can be initiated without confirmation by loading the
endpoint /shutdown.html on this address. This shutdown powers off the device,
requiring physical access to restart.
The shutdown webpage has no special X-Frame-Options set on it, allowing an
attacker with the right knowledge to remotely disable the device through an
iframe that an admin on the device loads.
I have demonstrated shutting down such a device remotely using STUN to locate
the local IP address of the user and iterating on that IP address by requesting
the Buffalo logo from these IP addresses. In the case where the user has
recently accessed their NAS configuration panel, the logo loads instantly (from
cache) and fires the onload event, which in turn triggers an iframe embed which
shuts down the device.
Code: https://gist.github.com/venoms/5b5437e25e0bf3b49d0a
In short, the above code will scan for and remotely shut down all vulnerable
Buffalo NASes the viewer is authorized to configure in their local network.
Zemnmez
Thanks to Nathaniel "XMPPWocky" Theis for helping me streamline this exploit.
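The two weaknesses the advisory describes (a state-changing GET on /shutdown.html and no X-Frame-Options on that page) can be modelled side by side. The following is an added example, not code from the advisory, the linked gist or Buffalo's firmware: a minimal model of the reported handler, a hardened version of the same endpoint, and a header check a defender can run against any admin page's response. All names (handle_shutdown_vulnerable, handle_shutdown_hardened, frame_protection_ok, SESSION) are hypothetical.

```python
"""Added example (not from the advisory or the device firmware): the reported
shutdown endpoint modelled beside a hardened form, plus a response-header check.
All function names and the SESSION store are hypothetical."""
import hmac
import secrets

# Constructed session store: a logged-in admin with a per-session CSRF token.
SESSION = {"user": "admin", "csrf_token": secrets.token_hex(16)}

# Headers that forbid cross-origin framing; sent on every hardened response.
ANTI_FRAMING = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def handle_shutdown_vulnerable(method, path, form, session):
    """Models the reported behaviour: any request for /shutdown.html from an
    authenticated browser powers the device off, with no confirmation, no
    method restriction and no frame protection on the response."""
    if path != "/shutdown.html" or session is None:
        return {"status": 404, "headers": {}, "action": None}
    return {"status": 200, "headers": {"Content-Type": "text/html"}, "action": "poweroff"}


def handle_shutdown_hardened(method, path, form, session):
    """Hardened handler: GET only renders a confirmation form; the power-off is
    performed only on a POST that carries the session's CSRF token, and every
    response forbids framing so the page cannot be embedded by another origin."""
    headers = {"Content-Type": "text/html", **ANTI_FRAMING}
    if path != "/shutdown.html" or session is None:
        return {"status": 404, "headers": headers, "action": None}
    if method != "POST":
        # A GET (for example from an <img> or <iframe> src) changes no state.
        return {"status": 200, "headers": headers, "action": None}
    token = form.get("csrf_token", "")
    # Constant-time comparison of the submitted token with the session's token.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return {"status": 403, "headers": headers, "action": None}
    return {"status": 200, "headers": headers, "action": "poweroff"}


def frame_protection_ok(headers):
    """Defender check: True if a response forbids cross-origin framing, either
    through X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive
    that does not allow arbitrary origins."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'").lower() for p in parts[1:]]
            return bool(sources) and "*" not in sources
    return False


if __name__ == "__main__":
    # Constructed requests: the same GET against both handlers.
    for name, handler in (("vulnerable", handle_shutdown_vulnerable),
                          ("hardened", handle_shutdown_hardened)):
        r = handler("GET", "/shutdown.html", {}, SESSION)
        print(f"{name}: GET -> action={r['action']}, framing blocked={frame_protection_ok(r['headers'])}")
```

The check in frame_protection_ok is what an administrator can apply to the headers of any device admin page (for example with the browser's network inspector): a page that performs an action and returns neither header is the condition the advisory reports.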