Vendor: ORICO
Affected Product: CD3510 NAS ≤ V1.9.12
Vendor Homepage: https://orico.cc/
Vendor Contact Information: supports@orico.com.cn

An unauthorized file operation vulnerability exists in the ORICO CD3510 NAS (firmware version 1.9.12), caused by directory traversal in the file rename feature. It allows a low-privilege ordinary user to remotely write arbitrary files into the “personal space” of other users, including administrators and the device owner, and therefore enables both horizontal and vertical privilege escalation.
The Hacker_test account used by the attacker in the demonstration was an ordinary user with the lowest privilege level.

The "Access History" feature shows the phone numbers (account names) of all users of the NAS device, so an attacker can enumerate the accounts to target.

The attacker first uploads a file to their own personal space, then uses the rename feature on that file and enters the new name in directory traversal form: ../{victim's phone number}/filename. The per-user personal spaces are sibling directories named after the account's phone number, so a single ../ step is enough to reach any other user's space. The victim can be a user at the same level as the attacker or a user at a higher level.

As a result, the file is moved from the attacker's personal space into the victim's. For demonstration purposes we logged in to the victim's (device owner's) personal space and confirmed that the file was present there, which demonstrates vertical privilege escalation.
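The rename traversal described above, modelled as an added example that is not taken from the advisory or from ORICO's firmware: a hypothetical Python rename handler that joins the user-supplied name onto the caller's personal space without any check, next to a hardened version that requires a single path component and verifies containment after path resolution. The account directory names, file names and the layout of the personal spaces are constructed placeholders for the demonstration; the device's real endpoint and code are not shown on this page.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_rename(root: Path, account: str, old_name: str, new_name: str) -> Path:
    """Hypothetical model of the flawed behaviour: the new name supplied by
    the user is joined onto the caller's own personal-space directory
    without normalisation or a containment check, so a value such as
    "../<victim account>/file" moves the file into another user's space."""
    space = root / account
    src = space / old_name
    dst = space / new_name          # no check that dst stays under `space`
    os.replace(src, dst)
    return dst


def safe_rename(root: Path, account: str, old_name: str, new_name: str) -> Path:
    """Hardened version: the new name must be a single path component and,
    after resolving symlinks and '..', both source and destination must
    still sit directly inside the caller's own personal space."""
    if not new_name or new_name in (".", "..") or "/" in new_name or "\\" in new_name:
        raise ValueError(f"invalid file name: {new_name!r}")
    space = (root / account).resolve()
    src = (space / old_name).resolve()
    dst = (space / new_name).resolve()
    for p in (src, dst):
        if p.parent != space:
            raise PermissionError(f"{p} is outside the personal space of {account}")
    os.replace(src, dst)
    return dst


def demo() -> dict:
    """Builds a constructed two-user layout in a temporary directory and
    replays the rename against both handlers. The account names are
    placeholders, not real ORICO account identifiers or phone numbers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        attacker, victim = "attacker_account", "owner_account"
        (root / attacker).mkdir()
        (root / victim).mkdir()
        traversal = f"../{victim}/payload.txt"

        # 1. Flawed handler: the renamed file lands in the victim's space.
        (root / attacker / "payload.txt").write_text("planted by attacker\n")
        vulnerable_rename(root, attacker, "payload.txt", traversal)
        results["vulnerable_landed_in_victim_space"] = (root / victim / "payload.txt").is_file()

        # 2. Hardened handler: the same input is rejected before any rename.
        (root / attacker / "payload.txt").write_text("second attempt\n")
        try:
            safe_rename(root, attacker, "payload.txt", traversal)
            results["safe_rejected_traversal"] = False
        except (ValueError, PermissionError):
            results["safe_rejected_traversal"] = True
        results["safe_left_file_in_place"] = (root / attacker / "payload.txt").is_file()

        # 3. Hardened handler still permits an ordinary rename.
        safe_rename(root, attacker, "payload.txt", "renamed.txt")
        results["safe_normal_rename_ok"] = (root / attacker / "renamed.txt").is_file()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened handler rejects the input twice over: the separator check stops `../` before any filesystem call, and the post-resolution parent check catches anything that slips past string filtering (for example a symlink inside the user's space pointing elsewhere). Checking `dst.parent != space` after `resolve()` is stricter than a prefix comparison on the raw string, which `root/attacker_account/../owner_account/...` would pass.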

NASchecker