Security Advisory AA-004: Directory Traversal Vulnerability in Sitecom Home Storage Center

Severity Rating: High
Discovery Date: July 29, 2012
Vendor Notification: July 30, 2012
Disclosure Date: September 3, 2012
Fix Date: September 29, 2012

Vulnerability Type

Directory Traversal

Impact

  • System Access
  • Exposure of sensitive information

Severity

Alcyon rates the severity of this vulnerability as high due to the following properties:

  • Ease of exploitation;
  • No authentication credentials required;
  • No knowledge about individual victims required;
  • No interaction with the victim required;
  • Number of Internet-connected devices found.

Products and firmware versions affected

  • Sitecom MD-253, all firmware versions up to and including 2.4.17
  • Sitecom MD-254, all firmware versions up to and including 2.4.17
  • Possibly other rebranded Mapower network storage products

Risk Assessment

An attacker can read arbitrary files, including the file that stores the administrative password. This means an attacker could:

  • Steal sensitive data stored on the device;
  • Leverage the device to drop and/or host malware;
  • Abuse the device to send spam through the victim’s Internet connection;
  • Use the device as a pivot point to access locally connected systems or launch attacks directed to other systems.

Vulnerability

The CGI-script that is responsible for showing the device logs is affected by a directory traversal vulnerability that allows an attacker to view arbitrary files.

Proof of Concept Exploit

Paste the following link into a web browser's address bar:

http://<victimIP>/cgi-bin/info.cgi?syslog&../../etc/sysconfig/config/webmaster.conf
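As an added example (not code from the advisory or from the vendor's firmware), the vulnerable lookup pattern beside a hardened one, in Python. It assumes the CGI script takes a log name from the query string and joins it onto a fixed log directory; LOG_DIR, ALLOWED_LOGS and the function names are assumptions, and the only value taken from the advisory is the traversal parameter of the PoC URL.

```python
import posixpath
from typing import Optional

LOG_DIR = "/var/log"                               # assumed log directory
ALLOWED_LOGS = frozenset({"syslog", "messages"})   # assumed set of viewable logs

# Taken from the advisory's PoC URL (the part after "syslog&").
POC_PARAM = "../../etc/sysconfig/config/webmaster.conf"


def naive_log_path(name: str) -> str:
    """Vulnerable pattern: the request parameter is glued onto the log
    directory and handed straight to the file open. The '..' segments are
    never checked, so the path walks out of LOG_DIR."""
    return posixpath.join(LOG_DIR, name)


def safe_log_path(name: str) -> Optional[str]:
    """Hardened lookup: reject obviously bad input, canonicalise the joined
    path, require it to stay strictly under LOG_DIR, and finally require an
    allow-listed log name. Returns None when the request must be refused."""
    if not name or "\x00" in name or name.startswith("/"):
        return None
    resolved = posixpath.normpath(posixpath.join(LOG_DIR, name))
    # Containment check: the canonical path must sit below LOG_DIR. This is
    # what defeats the PoC parameter, which canonicalises to /etc/... .
    if not resolved.startswith(LOG_DIR + "/"):
        return None
    # Allow-list check: only the logs the viewer exists to display, directly
    # inside LOG_DIR (no subdirectories).
    if posixpath.dirname(resolved) != LOG_DIR:
        return None
    if posixpath.basename(resolved) not in ALLOWED_LOGS:
        return None
    return resolved


if __name__ == "__main__":
    print("naive :", posixpath.normpath(naive_log_path(POC_PARAM)))
    print("safe  :", safe_log_path(POC_PARAM))
    print("legit :", safe_log_path("syslog"))
```

The containment check alone already stops the traversal; the allow-list is defence in depth against a future log file that should not be exposed.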

Risk Mitigation

Install the latest firmware version. We recommend that you limit access to the device's web management UI by using proper packet filtering and/or NAT on your router, so that network access to your NAS is restricted. Although this will not completely eliminate the risk of exploitation, a successful attack becomes substantially more difficult, because it would require either a compromise of another host on the victim's local network or a client-side attack that overcomes the Same Origin Policy restrictions of the victim's web browser.

Vendor responses

  • Sitecom reported on August 2 that they are working with the manufacturer to verify the vulnerability.
  • Sitecom confirmed on August 28 that the manufacturer is working on a fix.
  • Mapower, the manufacturer of the affected Sitecom products, confirmed our findings on August 29 for a different product (see Security Advisory AA-003), but has not explicitly confirmed the presence of the flaw in the Sitecom NAS.

Fixed versions

  • Firmware version 2.4.21