Security Advisory AA-001

Authentication Bypass Vulnerability in Conceptronic Grab’n’Go Network and Sitecom Home Storage Center

Security Advisory AA-002

Password disclosure Vulnerability in Conceptronic Grab’n’Go and Sitecom Home Storage Center

Security Advisory AA-003

Directory Traversal Vulnerability in Conceptronic Grab’n’Go Network Storage (0-day)

Security Advisory AA-004

Directory Traversal Vulnerability in Sitecom Home Storage Center

Security Advisory AA-005

Authorization Bypass Vulnerability in Password Reset Function Conceptronic Grab’n’Go Network Storage (0-day)

Security Advisory AA-006

Authorization Bypass Vulnerability in Password Reset Function Sitecom Home Storage Center

Security Advisory AA-007

Security Advisory AA-007: Arbitrary File Upload Vulnerability in Sitecom Home Storage Center

Security Advisory AA-008

Command Injection Vulnerability in Sitecom Home Storage Center

Responsible Disclosure

acunetix-wvs-test-for-some-inexistent-file

Hello sk1dd13!

Privacy Policy

Security Advisory AA-001: Authentication Bypass Vulnerability in Conceptronic Grab’n’Go and Sitecom Home Storage Center

Vulnerability Type

Authentication bypass

Severity

Alcyon rates the severity of this vulnerability as high due to the following properties:

  • Ease of exploitation;
  • No authentication credentials required;
  • No knowledge about individual victims required;
  • No interaction with the victim required;

Products and firmware versions affected

  • Conceptronic CH3ENAS, firmware version 3.0.8 and below
  • Conceptronic CH3HNAS, firmware version 2.4.11 and below
  • Sitecom MD-253, firmware version 2.4.15 and below
  • Sitecom MD-254, firmware version 2.4.15 and below

Our investigation showed that the mentioned products originate from the Taiwanese manufacturer Mapower. Possibly other re-branded Mapower network storage products are affected by the same flaw.

Dates

  • Discovery on May 5, 2012
  • Vendor notification on May 31, 2012
  • Fix available since July 27, 2012
  • Public disclosure on August 27, 2012

Risk Assessment

An attacker could instantly gain administrator-level access, including but not limited to reading and writing files stored on the device and altering the device’s configuration.

This means an attacker could:

  • Steal sensitive data stored on the device;
  • Leverage the device to drop and/or host malware;
  • Abuse the device to send spam through the victim’s Internet connection;
  • Use the device as a pivot point to access locally connected systems or launch attacks directed to other systems.

An investigation on our part shows that a multitude of affected devices are directly accessible through Internet. It appears that this type of NAS-devices is popular amongst SMB . We have seen examples of video production companies and copy shops that utilize this device for sharing files with their customers. Other cases of exposure seem unintended. Since some ISP’s assign multiple public IP-addresses to their customers, devices that are connected to the router obtain an Internet-routable IP-address.

Vulnerability

The web management UI makes use of a static cookie value to assess whether a request is part of an authenticated administrator’s session. The cookie itself is evaluated by client side JavaScript code that, in the absence of the magic value, redirects the user to the login page:

if(document.cookie.indexOf("2L:CH3ENAS")
  location.replace ('login.htm');

Since an attacker has complete control over the client he could easily circumvent this mechanism by:

  • Setting the cookie to the expected value, so the session will handle subsequent request as part of an authenticated session;
  • Nullifying the session validation routines by means of an intercepting proxy or a browser plug-in;
  • Forging POST requests directly, e.g. by using WGET, cURL and alike.

Proof of Concept

Paste and execute the following code into Firefox JavaScript Scratchpad to set the magic cookie value to obtain an authenticated, administrator-level session:

var victimIP = '1.2.3.4';
document.location.replace('http://'+victimIP+'/home.htm');
document.cookie="2L:CH3ENAS"
document.location.replace('http://'+victimIP+'/index.html');

This code was tested with a Conceptronic CH3ENAS. Note that the magic value of the cookie is different for each brand/model combination.

Risk Mitigation

Updating your NAS firmware to the latest version will protect you from this particular attack, but the presence of this type of flaws and the vendors’ responses seem to be an indicator for the lack of security awareness on their part.

Aside, for owners of similar, other branded products originating from Mapower, a patched firmware version may be unavailable at this time.

We recommend that you limit access to the web management UI of the device by utilizing proper packet filtering and/or NAT on your router in order to limit network access to your NAS. Although this will not completely eliminate the risk of exploitation, it becomes substantially harder to leverage a successful attack, because it would involve either compromise of another host on the victim’s local network or a client side attack that overcomes the Same Origin Policy restrictions of the victim’s web browser.

Vendor responses

2L/Conceptronic acknowledged the presence of this flaw in the particular model and firmware version we reported, but did not disclose details on other products affected. Instead, the same flaw was silently patched in the firmware of a similar product. Updated firmware is available on the Conceptronics’s website since July 27, 2012. The vendor did not coordinate the release of this firmware update with us.

Sitecom appears to have fixed this particular issue in a firmware version dated back to December 2011. Note that apparently the flaw was known and fixed prior to our report (see Background). however it was not disclosed publicly.

As soon as our investigation pointed out that the affected devices all originated from the Taiwanese manufacturer Mapower, we tried to contact them directly. Mapower neither has confirmed nor denied the reported flaw. Interestingly, the same fix they provided to 2L/Conceptronic was already present in Sitecom’s latest firmware and yet they did not notify 2L/Conceptronic about the flaw at that time. Instead, it took Mapower more than 2 months after our initial report to supply the same fix to 2L/Conceptronic.

Credits

This flaw has been discovered independently in October 2011 by TobiNas and was mentioned on the NAS-Central forum. He has created a Youtube clip showing how to exploit the vulnerability to gain access to a Sitecom MD-253 device using merely a web browser.

Fixed Versions