[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Conceptronic Grab’n’Go Network Storage and Sitecom Home Storage Center - Authentication Bypass Vulnerability in - AA-001

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Conceptronic Grab’n’Go Network Storage and Sitecom Home Storage Center - Authentication Bypass Vulnerability in - AA-001
From: Mattijs van Ommeren <mattijs@xxxxxxxxx>
Date: Mon, 27 Aug 2012 10:10:50 +0200 (CEST)

Conceptronic Grab’n’Go Network Storage and Sitecom Home Storage Center - 
Authentication Bypass Vulnerability in - AA-001

Severity Rating: High
Discovery Date: May 5, 2012
Vendor Notification: May 31, 2012

=Impact
- System Access
- Exposure of sensitive information

=Severity Rating
Alcyon rates the severity of this vulnerability as high due to the following 
properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.

=Products and firmware versions affected
-Conceptronic CH3ENAS, firmware version 3.0.8 and below
-Conceptronic CH3HNAS, firmware version 2.4.11 and below
-Sitecom MD-253, firmware version 2.4.15 and below
-Sitecom MD-254, firmware version 2.4.15 and below

Our investigation showed that the mentioned products originate from the 
Taiwanese manufacturer Mapower. Possibly other re-branded Mapower network 
storage products are affected by the same flaw.

=Risk Assessment
An attacker could instantly gain administrator-level access, including but not 
limited to reading and writing files stored on the device and altering the 
device’s configuration.

This means an attacker could:
-Steal sensitive data stored on the device;
-Leverage the device to drop and/or host malware;
-Abuse the device to send spam through the victim’s Internet connection;
-Use the device as a pivot point to access locally connected systems or launch 
attacks directed to other systems.

An investigation on our part shows that a multitude of affected devices are 
directly accessible through Internet. It appears that this type of NAS-devices 
is popular amongst SMB . We have seen examples of video production companies 
and copy shops that utilize this device for sharing  files with their 
customers.  Other cases of exposure seem unintended. Since some ISP’s assign 
multiple public IP-addresses to their customers, devices that are connected to 
the router obtain an Internet-routable IP-address.

=Vulnerability
The web management UI makes use of a static cookie value to assess whether a 
request is part of an authenticated administrator’s session. The cookie itself 
is evaluated by client side JavaScript code that, in the absence of the magic 
value, redirects the user to the login page:
if(document.cookie.indexOf("2L:CH3ENAS") location.replace ('login.htm');
Since an attacker has complete control over the client he could easily 
circumvent this mechanism by:
-Setting the cookie to the expected value, so the session will handle 
subsequent request as part of an authenticated session;
-Fullifying the session validation routines by means of an intercepting proxy 
or a browser plug-in;
-Forging POST requests directly, e.g. by using WGET, cURL and alike.

=Proof of Concept
Paste and execute the following code into Firefox JavaScript Scratchpad to set 
the magic cookie value to obtain an authenticated, administrator-level session:

var victimIP = '1.2.3.4';
document.location.replace('http://'+victimIP+'/home.htm');
document.cookie="2L:CH3ENAS"
document.location.replace('http://'+victimIP+'/index.html');

This code was tested with a Conceptronic CH3ENAS. Note that the magic value of 
the cookie is different for each brand/model combination.

=Risk Mitigation
Updating your NAS firmware to the latest version will protect you from this 
particular attack, but the presence of this type of flaws and the vendors’ 
responses seem to be an indicator for the lack of security awareness on their 
part.

Aside, for owners of similar, other branded products originating from Mapower, 
a patched firmware version may be unavailable at this time.

We recommend that you limit access to the web management UI of the device by 
utilizing proper packet filtering and/or NAT on your router in order to limit 
network access to your NAS. Although this will not completely eliminate the 
risk of exploitation, it becomes substantially harder to leverage a successful 
attack, because it would involve either compromise of another host on the 
victim’s local network or a client side attack that overcomes the Same Origin 
Policy restrictions of the victim’s web browser.

=Vendor responses
2L/Conceptronic acknowledged the presence of this flaw in the particular model 
and firmware version we reported, but did not disclose details on other 
products affected.  Instead, the same flaw was silently patched in the firmware 
of a similar product. Updated firmware is available on the Conceptronics’s 
website since July 27, 2012. The vendor did not coordinate the release of this 
firmware update with us.

Sitecom appears to have fixed this particular issue in a firmware version dated 
back to December 2011. Note that apparently the flaw was known and fixed prior 
to our report. however it was not disclosed publicly.

As soon as our investigation pointed out that the affected devices all 
originated from the Taiwanese manufacturer Mapower, we tried to contact them 
directly. Mapower neither has confirmed nor denied the reported flaw. 
Interestingly, the same fix they provided to 2L/Conceptronic was already 
present in Sitecom’s latest firmware and yet they did not notify 
2L/Conceptronic about the flaw at that time. Instead, it took Mapower more than 
2 months after our initial report to supply the same fix to 2L/Conceptronic.

=Fixed versions
-Conceptronic CH3ENAS firmware version 3.0.12 available via 
http://www.conceptronic.net
-Conceptronic CH3HNAS firmware version  2.4.13 available via 
http://www.conceptronic.net
-Sitecom MD-253 firmware version 2.4.17 available via http://www.sitecom.com
-Sitecom MD-254 firmware version 2.4.17 available via http://www.sitecom.com

=Latest version of this advisory
http://www.alcyon.nl/index.php/advisories/aa-001/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Windows Kernel Intel x64 SYSRET Vulnerability + Code Signing Bypass Bonus
Next by Date: [Full-disclosure] Conceptronic Grab’n’Go Network Storage - Password disclosure Vulnerability - AA-002
Previous by thread: [Full-disclosure] Windows Kernel Intel x64 SYSRET Vulnerability + Code Signing Bypass Bonus
Next by thread: [Full-disclosure] Conceptronic Grab’n’Go Network Storage - Password disclosure Vulnerability - AA-002
Index(es):
- Date
- Thread