
SSD Advisory – ASUSTOR NAS Devices Authentication Bypass


Vulnerabilities Summary

An ASUSTOR NAS or network attached storage is “a computer appliance built from the ground up for storing and serving files. It attaches directly to a network, allowing those on the network to access and share files from a central location”. In the following advisory we will discuss a vulnerability found inside ASUSTOR NAS which lets anonymous attackers bypass authentication requirement of the product.

Credit

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems

ASUSTOR NAS devices running ADM version 3.0.5.RDU1 and prior

Vulnerability Details

The vulnerability lies in the web interface of ASUSTOR NAS, in the file located at /initial/index.cgi, which is responsible for initializing the device with your ASUSTOR ID. The problem is that this file remains available even after the first initialization, and it doesn't require any authentication at all.

So by abusing /initial/index.cgi?act=register, you'll be logged in with administrator privileges without any kind of authentication.

How to Exploit

Visit:

http://:/initial/index.cgi?act=register

(Port will probably be 8800)

Check “Register later”, click on next, and press the “Start” button. You’ll be redirected to /portal/index.cgi with a sid parameter, bypassing the authentication, and accessing the web interface with admin privileges.
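As an added example (not part of the advisory and not ASUSTOR's code), the following Python scans web-server access logs for the request sequence described above: a request to /initial/index.cgi?act=register followed by the same client reaching /portal/index.cgi with a sid parameter. The Combined Log Format and the sample lines are constructed assumptions; adapt parse_line to the device's actual log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not from a real device.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2018:10:01:02 +0000] "GET /initial/index.cgi?act=register HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2018:10:01:05 +0000] "GET /portal/index.cgi?sid=abcdef0123456789 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2018:10:02:00 +0000] "GET /portal/index.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict with split path and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def is_register_request(rec):
    """True for the unauthenticated initialization endpoint called with act=register.
    On an already-initialized device every such request deserves a look."""
    return rec["path"] == "/initial/index.cgi" and rec["query"].get("act") == ["register"]


def find_initial_cgi_abuse(log_text):
    """Return (ip, timestamp) for each act=register request in the log."""
    return [(r["ip"], r["ts"]) for r in map(parse_line, log_text.splitlines())
            if r and is_register_request(r)]


def correlate_sessions(log_text):
    """Pair each act=register request with a later /portal/index.cgi?sid=... request
    from the same client IP: that sequence matches the bypass flow in the advisory."""
    pending, alerts = {}, []
    for rec in map(parse_line, log_text.splitlines()):
        if not rec:
            continue
        if is_register_request(rec):
            pending[rec["ip"]] = rec["ts"]
        elif rec["path"] == "/portal/index.cgi" and "sid" in rec["query"] and rec["ip"] in pending:
            alerts.append({"ip": rec["ip"], "register_at": pending.pop(rec["ip"]), "portal_at": rec["ts"]})
    return alerts
```

Blocking or removing /initial/index.cgi on initialized devices (or updating ADM past 3.0.5.RDU1) is the fix; the log check only tells you whether the path was already used.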
