module
Seagate Business NAS Unauthenticated Remote Command Execution
| Disclosed | Created |
|---|---|
| 03/01/2015 | 05/30/2018 |
Disclosed
03/01/2015
Created
05/30/2018
Description
Some Seagate Business NAS devices are vulnerable to command execution via a local
file include vulnerability hidden in the language parameter of the CodeIgniter
session cookie. The vulnerability manifests in the way the language files are
included in the code on the login page, and hence is open to attack from users
without the need for authentication. The cookie can be easily decrypted using a
known static encryption key and re-encrypted once the PHP object string has been
modified.
This module has been tested on the STBN300 device.
file include vulnerability hidden in the language parameter of the CodeIgniter
session cookie. The vulnerability manifests in the way the language files are
included in the code on the login page, and hence is open to attack from users
without the need for authentication. The cookie can be easily decrypted using a
known static encryption key and re-encrypted once the PHP object string has been
modified.
This module has been tested on the STBN300 device.
Author
OJ Reeves
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/http/seagate_nas_php_exec_noauth
msf /(h) > show actions
...actions...
msf /(h) > set ACTION < action-name >
msf /(h) > show options
...show and set options...
msf /(h) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.