Vendor: Yottamaster
Affected Products: DM2 (V1.9.12 and earlier), DM3 (V1.9.12 and earlier), DM200 (V1.2.23 and earlier)
Vendor Homepage: https://yottamaster.com/
Vendor Contact Information: supports@yottamaster.com

An improper access control vulnerability exists in multiple Yottamaster NAS devices: DM2 (V1.9.12 and earlier), DM3 (V1.9.12 and earlier) and DM200 (V1.2.23 and earlier). The file renaming feature does not check the new name for directory traversal sequences, so a user can perform file operations outside their own personal space. An attacker can exploit this for both horizontal privilege escalation (into another user's space at the same level) and vertical privilege escalation (into a higher-privileged user's space, including the device owner's).
The nnn account used by the attacker in the demonstration was an ordinary user with the lowest privilege level.

An attacker first uploads a file to their own personal space, then uses the renaming feature on that file and enters the new name in directory traversal form: ../{victim's phone number}/filename. The victim can be a user at the same privilege level as the attacker or a user at a higher level. In the demonstration, 188***175 is the account (phone number) of the device owner, who has the highest privilege.

As a result, the file is moved out of the attacker's personal space and into the victim's. For demonstration purposes we logged in to the victim's (device owner's) personal space and confirmed that the file had been transferred there, which demonstrates vertical privilege escalation.
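The following is an added illustration of the flaw and of the missing check, written for this write-up; it is not the device's firmware and does not reproduce its real API. It models each personal space as a directory named after the account under a common root (an assumption), implements a rename handler with no traversal check next to a hardened one, and runs the ../{victim}/filename rename described above against both. The account name "owner" stands in for the redacted owner account and the file contents are constructed.

```python
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested name would leave the caller's personal space."""


def _user_space(root: Path, account: str) -> Path:
    # Assumed layout: <root>/<account>/... holds that account's personal space.
    return (root / account).resolve()


def rename_vulnerable(root: Path, account: str, old_name: str, new_name: str) -> Path:
    """Rename with no traversal check: the behaviour the advisory describes.

    new_name is joined straight onto the caller's directory, so a value such
    as '../<victim>/file' resolves into another account's space.
    """
    space = _user_space(root, account)
    src = space / old_name
    dst = space / new_name
    os.replace(src, dst)  # succeeds whenever the victim's directory exists
    return dst.resolve()


def rename_hardened(root: Path, account: str, old_name: str, new_name: str) -> Path:
    """Rename with the missing check added.

    1. A rename only ever changes the last path component, so any separator,
       NUL byte or dot-only name is rejected outright.
    2. Defence in depth: canonicalise source and target and require both to
       sit directly inside the caller's own space.
    """
    if (not new_name or new_name in (".", "..")
            or "/" in new_name or "\\" in new_name or "\x00" in new_name):
        raise TraversalError(f"invalid file name: {new_name!r}")
    space = _user_space(root, account)
    src = (space / old_name).resolve()
    dst = (space / new_name).resolve()
    if src.parent != space or dst.parent != space:
        raise TraversalError("operation leaves the caller's personal space")
    os.replace(src, dst)
    return dst


def demo(rename_fn) -> dict:
    """Constructed scenario: attacker 'nnn' tries to push a file into the owner's space.

    Returns whether the rename was refused and whether the file ended up in
    the owner's directory.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        attacker, owner = "nnn", "owner"  # 'owner' is a placeholder account name
        (root / attacker).mkdir()
        (root / owner).mkdir()
        (root / attacker / "payload.txt").write_text("planted by attacker\n")
        try:
            final = rename_fn(root, attacker, "payload.txt", f"../{owner}/payload.txt")
        except TraversalError:
            return {"refused": True, "in_owner_space": False}
        return {"refused": False,
                "in_owner_space": final.parent == _user_space(root, owner)}


if __name__ == "__main__":
    print("vulnerable:", demo(rename_vulnerable))
    print("hardened:  ", demo(rename_hardened))
```

Against the vulnerable handler the file lands in the owner's directory; the hardened handler refuses the name before touching the filesystem. The second, path-based check matters even with the name filter in place, because an old_name supplied by the client can carry the same traversal sequence in the other direction.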

NASchecker