Vendor of Product: TRENDnet

Affected Product and Version: TRENDnet TN-200 1.02b02

Description: In TRENDnet TN-200 NAS device 1.02b02, there is an insecure configuration vulnerability. The bundled Lighttpd configuration contains a hardcoded weak secdownload.secret value. The secret is used to generate access-controlled download URLs. When a fixed and publicly visible secret is used, remote attackers can forge valid secure download links and gain unauthorized access to protected files within the NAS system.

Detail:

In the TRENDnet TN-200 firmware, the relevant part of the Lighttpd configuration file is as follows.

server.modules = ( ..., "mod_secdownload", ... )
secdownload.secret = "neV3rUseMe"
secdownload.document-root = "/mnt/"
secdownload.uri-prefix = "/sdownload/"
secdownload.timeout = 7200

The weak secret key neV3rUseMe is statically defined in the firmware image. Since the firmware is publicly downloadable and can be reverse-engineered, the secret can be recovered by any remote attacker.

This is an insecure configuration: the bundled Lighttpd configuration contains a hardcoded weak secdownload.secret value, and that secret is used to generate access-controlled download URLs. When a fixed and publicly visible secret is used, remote attackers can forge valid secure download links and gain unauthorized access to protected files within the NAS system. The misconfiguration can be exploited by crafting valid download URLs, potentially bypassing the intended access control and retrieving files from the internal storage. This could lead to information disclosure and unauthorized file access.
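An audit check for the condition described above, added here as an example (it is not TRENDnet's or Lighttpd's code): it parses the secdownload.* directives from configuration files pulled from firmware images or devices and flags a secret that matches the published value, has low estimated entropy, or is identical on more than one unit. The unit names, the second configuration with its secret, the entropy heuristic and the 128-bit threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed inputs: config text as extracted from firmware images or devices.
ADVISORY_CONF = '''
secdownload.secret = "neV3rUseMe"
secdownload.document-root = "/mnt/"
secdownload.uri-prefix = "/sdownload/"
secdownload.timeout = 7200
'''
PER_DEVICE_CONF = '''
secdownload.secret = "9f2c4e7a1b8d3056c7e9a4f1d2b60385e1c7f94a2d8b6035a9e4c1f7d3b28065"
secdownload.uri-prefix = "/sdownload/"
'''
KNOWN_STATIC_SECRETS = {"neV3rUseMe"}  # value published in this advisory
MIN_SECRET_BITS = 128                  # assumed policy threshold

DIRECTIVE = re.compile(r'\s*(secdownload\.[\w-]+)\s*=\s*"?([^"]*?)"?\s*$')

def parse_secdownload(conf_text):
    """Return {directive: value} for uncommented secdownload.* lines."""
    matches = (DIRECTIVE.match(line) for line in conf_text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def estimated_bits(secret):
    """Rough heuristic: Shannon entropy of the character counts, times length."""
    n = len(secret)
    return -sum(c * math.log2(c / n) for c in Counter(secret).values())

def audit(images):
    """images: {name: conf_text}. Returns a sorted list of (name, finding)."""
    findings, seen = [], {}
    for name, text in images.items():
        secret = parse_secdownload(text).get("secdownload.secret")
        if secret is None:
            continue
        seen.setdefault(secret, []).append(name)
        if secret in KNOWN_STATIC_SECRETS:
            findings.append((name, "published-secret"))
        if estimated_bits(secret) < MIN_SECRET_BITS:
            findings.append((name, "low-entropy-secret"))
    for names in seen.values():
        if len(names) > 1:  # same secret on several units means it is baked in
            findings += [(n, "shared-secret") for n in names]
    return sorted(findings)

if __name__ == "__main__":
    fleet = {"unit-a": ADVISORY_CONF, "unit-b": ADVISORY_CONF,
             "unit-c": PER_DEVICE_CONF}
    for name, finding in audit(fleet):
        print(f"{name}: {finding}")
```

A unit that reports no findings here carries a secret that is unique within the audited set and passes the length heuristic; the check does not establish how that secret was generated.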