Advisory: Buffalo LinkStation Authentication Bypass

An authentication bypass vulnerability in the web interface of a Buffalo
LinkStation Duo Network Attached Storage (NAS) device allows
unauthenticated attackers to gain administrative privileges. This puts the
confidentiality and integrity of the stored data as well as the integrity
of the device configuration at high risk.

Details
=======
Product: Buffalo LinkStation Duo (LS-WXL), LS-CHL(v2), LS-XHL, LS-WVL,
         LS-WSX, LS-VL, LS-QVL, LS-XL
Affected Versions: 1.34, 1.69, 1.70
Fixed Version: 1.71
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: http://ift.tt/WKmbtL
Vendor Status: fixed version released
Advisory URL: http://ift.tt/1hswhw3
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://ift.tt/1jQGmEN

Introduction
============
LinkStation is a brand name of Network Attached Storage (NAS) devices
manufactured by the Japanese company Buffalo. The stored data can be
accessed via several protocols such as SMB, FTP, AFP and HTTP. A web
interface is provided for management purposes.

More Details
============
The web interface can be reached via HTTP in a web browser. On opening the
web interface, the user is first presented with a login screen where a
username and a password must be supplied. On submission, the browser
performs an HTTP POST request:

    POST /dynamic.pl HTTP/1.1
    Host: 192.168.1.2
    [...]

    bufaction=verifyLogin&user=RedTeam&password=Pentesting

In the request above, the username "RedTeam" and the password "Pentesting"
were supplied. The chosen credentials are invalid, as no user with that
name exists. The application responds with a JSON-type reply:

    HTTP/1.0 200 OK
    [...]

    {
      "data": [
        {
          "pageMode": 2,
          "sid": "5e0f9249a6cc5137d051514c47b2bb9b"
        }
      ],
      "errors": [],
      "success": false
    }

By contrast, if valid credentials of an administrative account are
supplied, a reply similar to the following is received:

    HTTP/1.0 200 OK
    [...]

    {
      "data": [
        {
          "pageMode": 0,
          "sid": "b9466fbff0c2f277449015d6e110b173"
        }
      ],
      "errors": [],
      "success": true
    }

It was found that in both cases valid session IDs are generated and only
the client-side JavaScript web interface restricts their usage. This is
triggered by the key "success" within the reply. If the field is set to
"false", an error is reported and the user is asked to authenticate again.
Otherwise, the user is allowed to use the web interface.

Furthermore, the administrative functions are restricted only on the
client side as well. The key "pageMode" was found to be one of three
integers representing the type of the user account:

    0 - administrator
    1 - regular user without administrative privileges
    2 - guest user without any privileges

Thus, an attacker may simply provide invalid credentials while tampering
with the keys "success" and "pageMode" of the reply in transit (for
example by using a proxy). The attacker may then use the web interface as
an administrative user from the browser.

Alternatively, a valid session ID may be requested using invalid
credentials and then used directly to execute privileged operations by
sending the appropriate POST requests. This eliminates the need for
tampering with the returned JSON data. Such an attack is implemented in
the Proof of Concept section.

Proof of Concept
================
The following Python script exploits the described vulnerability and sets
the password of the "admin" account to an attacker-supplied value.
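The advisory's proof-of-concept script is not reproduced here. As an added illustration from the defender's side (not part of the advisory and not the device's firmware), the following Python models the two server-side defects described above, a session ID minted on every login attempt and a role enforced only by the client, next to a hardened handler that issues a session only on success and binds the role to it server-side; user names, passwords and the `set_password` action are constructed for the example.

```python
import hmac
import secrets


class VulnerableServer:
    """Models the flaw: a sid is stored on every attempt, whether or not the
    credentials were valid, and privileged actions only check that the sid
    exists. The reply's "success"/"pageMode" are advisory for the client."""

    def __init__(self, users):
        self.users = dict(users)   # user -> (password, pageMode), constructed
        self.sessions = set()

    def verify_login(self, user, password):
        ok = user in self.users and hmac.compare_digest(self.users[user][0], password)
        sid = secrets.token_hex(16)
        self.sessions.add(sid)     # valid session even when ok is False
        page_mode = self.users[user][1] if ok else 2
        return {"pageMode": page_mode, "sid": sid, "success": ok}

    def set_password(self, sid, target, new_password):
        if sid not in self.sessions or target not in self.users:
            return False           # existence of the sid is the only check
        self.users[target] = (new_password, self.users[target][1])
        return True


class HardenedServer:
    """Issues a sid only after successful authentication and records the
    account's role with it, so privileged actions are authorised server-side."""

    def __init__(self, users):
        self.users = dict(users)
        self.sessions = {}         # sid -> pageMode, never trusted from the client

    def verify_login(self, user, password):
        ok = user in self.users and hmac.compare_digest(self.users[user][0], password)
        if not ok:
            return {"pageMode": 2, "sid": None, "success": False}
        sid = secrets.token_hex(16)
        self.sessions[sid] = self.users[user][1]
        return {"pageMode": self.sessions[sid], "sid": sid, "success": True}

    def set_password(self, sid, target, new_password):
        # Only a session bound to pageMode 0 (administrator) may change passwords.
        if self.sessions.get(sid) != 0 or target not in self.users:
            return False
        self.users[target] = (new_password, self.users[target][1])
        return True


# Constructed sample accounts (not real device data).
SAMPLE_USERS = {"admin": ("correct-horse", 0), "alice": ("battery-staple", 1)}
```

Detection on the wire follows from the model: a login reply with `"success": false` that still carries a `sid` which is later presented to `dynamic.pl` is the pattern to alert on.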