Seagate NAS Remote Code Execution

Here’s a fun one! Looks like if you have a Seagate NAS device it’s possible to run code as root without having to authenticate!

So how in the world can an attacker run whatever code they want on your NAS? Well, it starts with a trio of out of date core technologies: PHP 5.2.13 (released in 2010), CodeIgniter 2.1.0 (released 2011), and Lighttpd 1.4.28 (released in 2010). Of course, old software doesn’t necessarily mean it’s bad, and in this case Lighttpd 1.4.28 is fine and dandy (with the exception that it runs as root). The versions of PHP and CodeIgniter, on the other hand, have some issues. Versions of PHP prior to 5.3.4 have a bug that lets users specify file paths containing a NULL byte, so user-controlled data can prematurely terminate a file path. That’s quite a problem, but the version of CodeIgniter they’re using has a doozy of an oversight. Session tokens created by versions prior to 2.2.0 contain a serialized PHP associative array (aka hash) that’s encrypted with a custom algorithm. In this case, that hash contains user-controllable data, so it’s pretty trivial to extract the encryption key. As a matter of fact, the key is the same for every device! Once you get the key and decrypt the token, you can obviously modify the data until the cows come home, re-encrypt it, and be on your way.

That’s cool, so what fun things can we do with these vulnerabilities? Well… it just so happens the web application that the NAS uses doesn’t appear to maintain session info on the server; it’s all stored in the session cookie! That must mean there’s some good stuff in that cookie, right? Correct! Inside that cookie there are three key/value entries of interest to this exploit: username, is_admin, and language. So what makes these fun? Well, once a session has been established and the username field is present in the cookie, the system no longer validates the credentials, so a user can change the field and authenticate as whoever they want. Is the is_admin field really what I think it is? Can I really just change it to yes and elevate myself to admin in the web interface? Yes! Yes you can! Ok cool, now what about this language field? Remember the PHP bug I mentioned above? Yes, that one: the language value is used to build the file path of the code that gets executed.
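To make the NULL-byte truncation and the language-to-path step concrete, here is an added example in Python (it is not code from the advisory or from the NAS firmware). The first function mimics how a pre-5.3.4 PHP file API treats the path as a C string, so an appended suffix is silently lost; the second shows the validation a server should apply to a client-supplied language value before it ever reaches the filesystem. The directory, the ".php" suffix and the allowlist are assumptions for illustration.

```python
"""Added example: NULL-byte path truncation and hardened handling of a
cookie-supplied `language` value. Paths and allowlist are assumptions."""

import os

# Assumed layout: language packs live under this directory and the
# application appends ".php" to the cookie's `language` value.
LANG_DIR = "/www/app/language"
ALLOWED_LANGUAGES = {"en", "de", "fr"}


def legacy_path_resolution(lang: str) -> str:
    """Mimic a pre-5.3.4 PHP file API: the underlying C string ends at
    the first NUL, so anything the application appended after it (here
    the '.php' suffix) is dropped before the file is opened."""
    path = f"{LANG_DIR}/{lang}.php"
    return path.split("\0", 1)[0]


def validate_language(lang: str) -> str:
    """Hardened handling: reject NUL and path characters outright, then
    require an exact allowlist match. Returns the safe value or raises
    ValueError so the caller can fall back to a default language."""
    if "\0" in lang:
        raise ValueError("NUL byte in language value")
    if "/" in lang or "\\" in lang or ".." in lang:
        raise ValueError("path characters in language value")
    if lang not in ALLOWED_LANGUAGES:
        raise ValueError(f"language {lang!r} not in allowlist")
    return lang


def resolve_language_file(lang: str) -> str:
    """Build the include path only from a validated value, so the
    suffix can no longer be cut off and the directory cannot be left."""
    safe = validate_language(lang)
    return os.path.join(LANG_DIR, f"{safe}.php")
```

The allowlist is the real control here: appending a suffix or stripping `../` is exactly the kind of fix that a NULL byte in an old PHP runtime defeats, whereas an exact match against a fixed set of names leaves nothing for the client to steer.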

Now we have the pieces, how do we pwn one of these NAS devices? Simple!

  1. Write a PHP file to the NAS, which can be done by HTTP log file poisoning
  2. Get a session cookie
  3. Modify the language variable so it contains the path of the file you just created
  4. Make a request with this new cookie
  5. ???
  6. Profit.
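Step 1 is the part a defender can actually see in the web server's own records. The following is an added example, not part of the advisory or the Metasploit module: a small scanner that runs over constructed access-log lines in the combined format lighttpd can be configured to write, and flags requests that carry PHP open tags or a NUL byte in any client-controlled field. The sample lines, the field names and the indicator patterns are constructed for illustration.

```python
"""Added example: detect HTTP log poisoning attempts in access-log lines.
Sample lines and patterns are constructed for illustration."""

import re
from typing import Dict, List, Optional

# Combined-format line: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators that a client is trying to get code or a NUL byte written
# into a file the web server later reads back: PHP open tags and a raw
# or URL-encoded NUL.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)
NUL_RE = re.compile(r"%00|\x00", re.IGNORECASE)

SAMPLE_LOG = [
    # constructed: ordinary browsing
    '203.0.113.5 - - [10/Mar/2015:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # constructed: PHP code smuggled into the User-Agent header
    '203.0.113.9 - - [10/Mar/2015:12:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    # constructed: encoded NUL in the request path
    '203.0.113.9 - - [10/Mar/2015:12:00:09 +0000] "GET /index.php?x=a%00b HTTP/1.1" 404 0 "-" "curl/7.40"',
    # constructed: unparseable junk that should be reported, not crash the scan
    "garbage line",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry looks like a poisoning attempt."""
    reasons: List[str] = []
    for field in ("request", "referer", "agent"):
        value = entry[field]
        if PHP_TAG_RE.search(value):
            reasons.append(f"php-tag-in-{field}")
        if NUL_RE.search(value):
            reasons.append(f"nul-in-{field}")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines; unparseable lines are reported rather than skipped,
    since a crafted line may be exactly what breaks the format."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            findings.append({"line": n, "host": None, "reasons": ["unparseable"]})
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"line": n, "host": entry["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the access log is written by the server regardless of what the application does with the cookie, this check works on a device you cannot patch yet; pairing it with a rule that fires on the application reading files outside its language directory covers the later steps of the chain.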

The author of the article was also nice enough to create a Metasploit module so you can test it for yourself (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb)

There’s currently no fix, although Seagate is very much aware of the issue, and according to one count there are upwards of 2500 public-facing NAS devices that are vulnerable.

-Matt Smicinski

Sources: https://beyondbinary.io/advisory/seagate-nas-rce/
