* Updated to include Sitecom MD-253 and MD254
* Minor textual changes
==
Conceptronic Grab’n’Go and Sitecom Storage Center - Password disclosure
Vulnerability - Security Advisory AA-002
Severity Rating: High
Discovery Date: May 5, 2012
Vendor Notification: May 31, 2012
=Impact
- System Access
- Exposure of sensitive information
=Severity Rating
Alcyon rates the severity of this vulnerability as high due to the following
properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.
=Products and firmware versions affected
-Conceptronic CH3ENAS, firmware version 3.0.8 and below
-Conceptronic CH3HNAS, firmware version 2.4.11 and below
-Sitecom MD-253 and MD254, firmware version 2.4.11 and below
Our investigation showed that the mentioned products originate from the
Taiwanese manufacturer Mapower. Possibly other rebranded Mapower network
storage products are also affected by this flaw.
=Risk Assessment
An attacker can harvest administrator credentials and log into the web
management UI. Possibilities include but are not limited to reading and writing
files stored on the device and altering the device’s configuration.
This means an attacker could:
-Steal sensitive data stored on the device;
-Leverage the device to drop and/or host malware;
-Abuse the device to send spam through the victim’s Internet connection;
-Use the device as a pivot point to access locally connected systems or launch
attacks directed to other systems.
An investigation on our part shows that a multitude of affected devices are
directly accessible through the Internet. It appears that this type of
NAS-device is popular amongst small businesses. We have seen examples of video
production companies and copy shops that utilize this device for file sharing
purposes with their customers. Other cases of exposure seem to be
unintentional. Since some ISP’s assign multiple public IP-addresses to their
customers, devices that are connected to the router obtain an Internet-routable
IP-address.
=Vulnerability
The web management UI validates the user’s login credentials through a
JavaScript routine that queries hidden page elements:
function LoginSubmit(){ var data = document.getElementById("Users").value;
data = data.split(":");
var UserName = document.getElementById("UserName").value; var UserPasswd =
document.getElementById("UserPasswd").value;
if((UserName==data[0])&&(UserPasswd==data[1])){
document.cookie = "2L:CH3HNAS"
location.replace ('index.html');
} else {
document.getElementById("UserName").value = '';
document.getElementById("UserPasswd").value = '';
alert(getWord("login_unauthorized"));
setTimeout(function(){
document.getElementById("UserName").focus();},10);
return false;}
}
if(document.cookie.indexOf("2L:CH3ENAS") location.replace ('login.htm');}
While client side validation and relying on a static session token are
weaknesses in themselves (please refer to advisory AA-001), an additional risk
of password disclosure is present in the affected firmware versions.
These hidden elements are populated by two different JavaScript functions found
in login.js:
function Login(){
getContent('','/cgi-bin/login.cgi?webmaster',"function:showLogin");}
function showLogin(msg){
msg = msg.split("\n");
window.document.getElementById('data').innerHTML = '';
setTimeout(function(){document.getElementById("UserName").focus();},10);
}
The getContent function is responsible for querying a URL and passing the
result to the showLogin function. In this case the result of the web request
consists of the username and password of the admin user in clear text form.
=Proof of Concept
Paste the following URL into a web browser’s address bar to obtain the
administrator’s username and password:
http:///cgi-bin/login.cgi?webmaster&1&Conceptronic2009
=Risk Mitigation
Updating your NAS firmware to the latest version will protect you from this
particular attack, but the presence of this type of flaw and the vendors’
responses seem to be an indication for a lack of security awareness on their
part.
Unfortunately, for owners of similar, other branded products originating from
Mapower, a patched firmware version may be unavailable at this time.
We recommend that you limit access to the web management UI of the device by
utilizing proper packet filtering and/or NAT on your router in order to limit
network access to your NAS. Although this will not completely eliminate the
risk of exploitation, it becomes substantially more difficult to leverage a
successful attack, because it would involve either a compromise of another host
on the victim’s local network or a client side attack that overcomes the Same
Origin Policy restrictions of the victim’s web browser.
=Vendor responses
2L/Conceptronic acknowledged the presence of this flaw in the particular model
and firmware version we reported, but did not disclose details on other
products affected. Instead, the same flaw was silently patched in the firmware
of a similar product. Updated firmware is available on the Conceptronics’s
website since July 27, 2012. The vendor did not coordinate the release of this
firmware update with us.
As soon as our investigations pointed out that the affected devices originated
from the Taiwanese manufacturer Mapower, we tried to contact them directly.
Mapower neither has confirmed or denied the reported flaw. Interestingly, the
same fix they provided to 2L/Conceptronic was already present in Sitecom’s
latest firmware and yet they had not notified 2L/Conceptronic about the flaw at
that time. It took Mapower more than 2 months after our initial report to
supply 2L/Conceptronic with the same fix.
=Fixed versions
-Conceptronic CH3ENAS firmware version 3.0.12 available via
http://www.conceptronic.net
-Conceptronic CH3HNAS firmware version 2.4.13 available via
http://www.conceptronic.net
-Sitecom MD-253 and MD-254 firmware version 2.4.17 available via
http://www.conceptronic.net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
