During an internal infrastructure test last year, we identified a Network Attached Storage (NAS) device that piqued our interest, primarily due to the administration web page being served over HTTP and not HTTPS. Generally not a good sign from a security point of view!
A few moments later, having gained access to the device through the default administrator credentials (admin | admin), we had the opportunity to look around the management portal, and in a short amount of time we identified a number of interesting security vulnerabilities. Of particular note were the disclosure of the domain account in use within the enterprise and the ability to conduct OS command injection attacks against the device itself.
The device in question is the Thecus NAS Server, version N8800 running Firmware 5.03.01.
It should be noted that the default configuration of the device makes the administrative interface available over HTTP. This makes it possible to intercept and manipulate the traffic between a device operator and the device, so credentials submitted to the administrative interface could be intercepted and read by a well-positioned malicious agent. During further investigation, we identified over 100 devices running this version of the Thecus NAS with Internet-facing access enabled, which increases the potential attack surface against this type of device.
The following two vulnerabilities were of particular note.
- Domain account password disclosure (CVE-2013-5668).
- OS Command Injection (CVE-2013-5667).
Domain account password disclosure
After gaining access to the device’s configuration web page, it was possible to see the credentials configured on the NAS: they were stored in plain text and appeared in the page source. The Domain Administrator Password within the ADS/NT Support page is disclosed because this sensitive information is stored in clear text and rendered by the GUI. Any user with access to this page is able to retrieve the ADS/NT administrator ID and password, which could enable an attacker to gain access to the domain hosting the storage server.
OS Command Injection
The issue exists because the application accepts user input through the get_userid parameter and passes it, without sanitisation, into OS commands that are executed by the operating system. An attacker can use this flaw to execute arbitrary commands.
Proof of Concept
We generated a proof of concept (PoC) to demonstrate the existence of this issue. First, to baseline how the device handles requests, we used the following valid request:
Which generates the following response:
Command Injection PoC:
1. Write string for user admin to /tmp
2. Read value from /tmp
The response shows that we were able to execute OS-level commands directly. In our proof of concept, the string ‘sales’ (1456) was written to the /tmp directory of the NAS device; in step two this value was then recalled from the /tmp file, proving that we are able to execute commands. This type of vulnerability could enable an attacker to gain full control of the device.
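As an added illustration (not code from this post or from Thecus), the Python below shows the injectable pattern the advisory describes beside a hardened handler for the get_userid parameter, and a detection pass over constructed access-log lines; the getent lookup, the URL path and the log lines are assumptions.

```python
import re
import subprocess
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for a NAS CGI handler that receives get_userid and
# resolves the account with an OS command. Not Thecus code: only the parameter
# name comes from the advisory; getent, the URL path and the logs are assumed.

# Allowlist: a plain POSIX account name, nothing a shell could interpret.
USERID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def vulnerable_command(get_userid: str) -> str:
    """Injectable pattern: the raw parameter is spliced into a shell string."""
    return f"getent passwd {get_userid}"   # a shell=True call would honour ; | & $()

def is_valid_userid(get_userid: str) -> bool:
    return USERID_RE.fullmatch(get_userid) is not None

def safe_argv(get_userid: str) -> list:
    """Hardened form: validate, then pass argv so no shell parses the value."""
    if not is_valid_userid(get_userid):
        raise ValueError("get_userid rejected by allowlist")
    return ["getent", "passwd", get_userid]

def lookup_user(get_userid: str) -> str:
    """Run the lookup without a shell; '' if the user or getent is absent."""
    try:
        res = subprocess.run(safe_argv(get_userid), capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return res.stdout.strip()

# Constructed access-log lines (the path is a placeholder, not a Thecus URL).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Nov/2013:10:00:01 +0000] "GET /cgi-bin/example.cgi?get_userid=admin HTTP/1.1" 200 512
192.0.2.10 - - [01/Nov/2013:10:00:07 +0000] "GET /cgi-bin/example.cgi?get_userid=admin%3Bid HTTP/1.1" 200 640
192.0.2.11 - - [01/Nov/2013:10:01:00 +0000] "GET /cgi-bin/example.cgi?get_userid=sales HTTP/1.1" 200 498
"""
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')

def suspicious_requests(log_text: str) -> list:
    """Detection: (client, get_userid) for each request whose decoded
    get_userid fails the allowlist, i.e. carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group(2)).query).get("get_userid", []):
            if not is_valid_userid(value):
                hits.append((m.group(1), value))
    return hits
```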
Back in August 2013, we engaged with Thecus to raise three security issues. Since that point, we have tried on multiple occasions to engage with Thecus to help them understand these issues. Unfortunately this has not been successful, and the lack of engagement from Thecus is disappointing, with all communication handled through their generic support system.
The responses received to our questions suggested a lack of security awareness and understanding of the potential impact to Thecus’ customers. The support team also failed to understand that the issues raised could impact multiple platforms and not just the single device / firmware version that we were able to identify. They have also not asked any further questions that would help them gain this understanding.
After sending the following message to the support team, the ticket was closed by Thecus:
“We raised this issue 73 days ago with you. As the issues are security related, we would look to issue public advisories as soon as patches or work arounds are available and as such would prefer to coordinate any notification with you.”
The closure of the ticket suggests that Thecus does not wish to engage in any further discussion on the security issues identified or to work with our organisation in the managed disclosure of the vulnerabilities. After this point we started working with the CERT Coordination Center (CERT/CC) to progress this issue. CERT/CC has not received any communication from Thecus on this matter. Details of these vulnerabilities have now been released as part of their responsible disclosure policy.
At the time of publishing this blog, there are still no security updates from Thecus. For users of the vulnerable platform, we would recommend changing the default credentials and configuring the device to use HTTPS only. Further, due to the potential for OS command injection, we would advise that network-level filtering be implemented to restrict access to the device.
On the 28th January, Thecus made further contact with our team to advise of fixes to the vulnerable firmware and provided the following response:
“Thanks to your detailed emails, we have released an updated version of our firmware for units running ThecusOS 5 (please see links below) and will be providing similar updates to our ThecusOS 6 models within a month (updates for OS 6 can be automatically downloaded and installed via the UI).”
ThecusOS 5 (32 bit):
ThecusOS 5 (64 bit):
“Again, please accept our thanks for your engagement and patience, you have our sincere gratitude.”