Invading Your Personal Cloud — ISE Labs Exploits the Seagate stcr3000101
10 CVEs awarded to ISE Labs for new vulnerabilities.
This post details the vulnerabilities discovered by ISE Labs affecting the Seagate Personal Cloud stcr3000101, OS version 4.3.15.1. For a more detailed and in-depth look at these vulnerabilities, please see our other blog posts and live streams. A livestream covering the authentication mechanism is available here, and more blogs focused on leveraging these vulnerabilities will be posted soon.

Lack of Path Canonicalization in Filebrowser App (CVE-2018-12298)
This device runs a containerized “filebrowser” application, which allows authenticated users to interact with assets stored within pre-configured share directories. During our study, we determined that this application is vulnerable to unauthenticated path traversal attacks. These attacks may be used to disclose the contents of arbitrary files within the container including, but not limited to, application source code, configuration files with sensitive keys, and user data. Additionally, this vulnerability may be used to disclose the non-containerized primary application’s source, as these files are included in the container.
Retrieve primary application source
An attacker may retrieve the primary application’s sources via the following steps:
- Determine a target file. This may be achieved by guessing paths or by using error messages. For this example, we will use a file from the main application at /usr/lib/unicorn/run.py.
- Issue a GET request to /apps/filebrowser/../../../usr/lib/unicorn/run.py. The target file will be returned.
- Optionally, use the import statements to locate other portions of the application’s sources.
Failure to Sanitize User Input in SQL Statements (CVE-2018-12295)
This device includes “Seagate Media Service”, which allows users to connect to the device via the “Seagate Media App”. During our study, we determined that this application uses dynamic SQL queries and fails to sanitize user input. As a result, this application is vulnerable to SQL injection attacks. The parameter dirId at endpoint /folderViewSpecific.psp was used to confirm this issue, but other vulnerable endpoints and parameters may exist.
SQL injection
An attacker may execute SQL injection attacks via the following steps:
- Locate a vulnerable injection point. Due to this application lacking any form of authentication, this may be achieved by simply browsing the application and testing endpoints. For this example, we will use the dirId parameter at /folderViewSpecific.psp.
- Inject malicious SQL payloads into the request. Tools such as sqlmap may be used to automate this process. The payload shown below was used during our research.
/folderViewSpecific.psp?type=PHOTO&dirId=0'+UNION+ALL+SELECT+NULL,NULL,'qjzkq'||'RtKnWIwITSSIccNtIhFieqgBnQjKUmzkSYSnrDGS'||'qzzbq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&start=0&count=100&ordered=ASC&orderby=name&url=/static/Data/
- Once a successful injection point has been located, arbitrary SQL statements may be executed.
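The root cause is string-built SQL; the remedy is bound parameters. Below is an added example (not the Seagate Media Service code, whose schema is unknown) that shows the vulnerable pattern beside the parameterized one against a constructed in-memory SQLite table, so the same UNION-style payload can be seen to change the first query and do nothing to the second.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the media index (not Seagate's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE folders (dirId TEXT, type TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO folders VALUES (?, ?, ?)",
        [("0", "PHOTO", "Holiday"), ("1", "PHOTO", "Family"), ("2", "VIDEO", "Clips")],
    )
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return conn


def folder_view_dynamic(conn: sqlite3.Connection, type_: str, dir_id: str) -> list:
    """The vulnerable pattern: request parameters are pasted into the SQL text,
    so a quote character in dirId changes the structure of the statement."""
    sql = f"SELECT name FROM folders WHERE type = '{type_}' AND dirId = '{dir_id}'"
    return [row[0] for row in conn.execute(sql)]


def folder_view_param(conn: sqlite3.Connection, type_: str, dir_id: str) -> list:
    """The fix: bound parameters travel separately from the SQL text. The
    driver never re-parses them, so the same payload is just a string that
    matches no dirId and the query returns nothing."""
    sql = "SELECT name FROM folders WHERE type = ? AND dirId = ?"
    return [row[0] for row in conn.execute(sql, (type_, dir_id))]
```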
Insufficient Validation and Sanitization on User Supplied File Names (CVE-2018-12299)
Users of this Seagate device can upload files to personal shares and use the sharing links functionality to grant access to other users. During our study we determined that users with write access to a share can create files that contain valid HTML elements as their name. As a result, malicious users can upload files that contain an HTML element with an attribute that evaluates arbitrary JavaScript whenever the victim views the asset through the File Browser functionality in a web browser. When the attacker exploits this vulnerability they are able to hijack the user’s session as a result of the “Missing Cookie Hardening Flags” vulnerability we reported.
Cross-Site Scripting (XSS)
An attacker can follow the steps outlined below to exploit this vulnerability:
- Access the File Browser functionality of the targeted Seagate device. (This requires that the attacker access the device with either a stolen account, or with a low privileged account they are trying to promote.)
- Upload a file whose name is an HTML element with an attribute that runs malicious JavaScript. (For our example we will be opening an alert() box that contains the authenticated user’s session cookies.) <img src=a onerror=alert(#CHANGEME)>
- Send the targeted victim a link to view the malicious asset and wait for them to open the link in a browser that contains their current session tokens.
Insufficient Validation and Sanitization on User Supplied Directory Names (CVE-2018-12303)
Users of this Seagate device can create personal shares and use the sharing links functionality to grant access to other users. During our study we determined that users with write access to a share can create directories that contain valid HTML elements as their name. As a result, malicious users can create directories containing an HTML element that evaluates arbitrary JavaScript whenever the asset is viewed via the File Browser functionality in a web browser. When an attacker exploits this vulnerability, they are able to hijack a victim user’s session as a result of the “Missing Cookie Hardening Flags” vulnerability described later in this article.
Cross-Site Scripting (XSS)
An attacker can follow the steps outlined below to exploit this vulnerability:
- Access the File Browser functionality of the targeted Seagate device. This requires that the attacker access the device with either a stolen account, or with a low privileged account they are trying to promote.
- Create a directory whose name is an HTML element with an attribute that runs malicious JavaScript. (For our example we will be opening an alert() box that contains the authenticated user’s session cookies.) <img src=a onerror=alert(#CHANGEME)>
- Send the targeted victim a link to view an asset within the malicious directory and wait for them to open the link in a browser that contains their current session tokens.
Insufficient Validation and Sanitization on API Endpoints (CVE-2018-12297)
This Seagate device makes use of many versions of an API to process requests. During our study we determined that POST requests to any version of the API are vulnerable to cross-site scripting attacks where the attacker can inject HTML elements that contain malicious JavaScript into the DOM of the page. When the attacker exploits this vulnerability they are able to hijack the user’s session as a result of the “Missing Cookie Hardening Flags” vulnerability we reported.
Cross-Site Scripting (XSS)
An attacker can follow the steps outlined below to exploit this vulnerability:
- Craft and host an HTML form that issues a POST request to an API endpoint. (For our example we will be opening an alert() box that contains the authenticated user’s session cookies. It will involve using /api/external/8.0/<payload> as the endpoint, where the payload can be <img src=a onerror=alert(document.cookie)>. The attacker only needs to trick the user into issuing a request to the API that will force it to respond with the “Unknown function <attack payload>” error message.)
- Send the targeted victim a link to the page where the malicious HTML form is hosted.
- Wait for the victim to open the link in a browser that contains their current session tokens.
Arbitrary Redirect in echo-server.html (CVE-2018-12300)
There is an arbitrary redirect in /www/echo-server.html. As a result, an attacker can provide users of the Seagate device with a link that appears to be destined for their Seagate device, but actually redirects them to another origin.
Page Redirection
An attacker may exploit this vulnerability by coercing a user into clicking a link similar to the following:
http://10.42.0.15/echo-server.html?code=test&state=http://www.google.com#
Upon navigating to this URL, the target user will be redirected to http://www.google.com/echo-server.html.
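The page redirects wherever the state parameter points. An added example of the check a server-side handler (or the script that builds the redirect) should apply is below; it is not ISE's or Seagate's code, and it assumes the device origin from the write-up as the only permitted destination.

```python
from urllib.parse import urljoin, urlsplit

# Device origin used in the write-up; any fixed origin would do.
DEVICE_ORIGIN = "http://10.42.0.15"


def safe_redirect_target(state: str, origin: str = DEVICE_ORIGIN) -> str:
    """Return a redirect URL that is guaranteed to stay on `origin`.

    echo-server.html used the `state` query parameter as the redirect base,
    so an absolute URL in it sent the browser to another site. Accept only a
    local path: no scheme, no host, nothing scheme-relative ('//host'), and
    no backslashes (some browsers normalize '/\\host' to '//host'). Anything
    else falls back to the origin's root.
    """
    parts = urlsplit(state)
    if parts.scheme or parts.netloc or state.startswith("//") or "\\" in state:
        return origin + "/"
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    # urljoin against the fixed origin collapses '..' segments and keeps the
    # host ours; the netloc comparison is a belt-and-braces check on that.
    target = urljoin(origin + "/", path.lstrip("/"))
    if urlsplit(target).netloc != urlsplit(origin).netloc:
        return origin + "/"
    return target + ("?" + parts.query if parts.query else "")
```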
Missing Cookie Hardening Flags (CVE-2018-12302)
While exploiting the numerous previously detailed XSS vulnerabilities, we also determined that cookies do not utilize the HTTPOnly flag. As a result, any information stored in these cookies may be retrieved during an XSS attack and potentially leveraged in further attacks.
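A quick way to confirm this on any device is to audit its Set-Cookie headers for the three hardening attributes. The following is an added example, not part of ISE's tooling; the header values are constructed for illustration.

```python
def audit_set_cookie(header_value: str) -> dict:
    """Audit one Set-Cookie header value and report missing hardening flags.

    The device's session cookies lacked HttpOnly, so any of the XSS bugs
    above could read them via document.cookie. A session cookie should carry
    HttpOnly (not readable from script), Secure (only sent over TLS) and
    SameSite=Lax or Strict (not attached to cross-site requests).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite")
    return {"name": name, "missing": missing}


def hardened_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Emit a Set-Cookie value carrying the flags the audit expects."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"
```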
Server Information Disclosure (CVE-2018-12296)
Unauthenticated users with network access to the device can query for information about the device using the curl request specified in the attack section. Below is the verbose disclosure we received when issuing an unauthenticated request.
{"infos": {"__sub_version__": 0, "__version__": 7, "__type__": "GeneralInfo", "__properties__": {"vendor_custom_id": "", "product": "Personal Cloud", "vendor_id": "", "product_id": "cumulus", "install_id": "ea815ad2b996fb63cf40024cd38d35a63d5e3fe055", "hardware_id": "n090103", "friendly_name": "Bork2", "puid": "001075587E78", "version": "4.3.15.1", "serial_number": "NZ323M00", "vendor_name": "Seagate"}}}
Information Disclosure
curl -i -s -k -X $'POST' \
-H $'Host: 10.42.0.15' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0' -H $'Accept: text/html' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://10.42.0.15/' -H $'Language-Code: en' -H $'Content-Length: 2' -H $'Content-Type: text/html; charset=UTF-8' -H $'Connection: close' \
--data-binary $'{}' \
$'http://10.42.0.15/api/external/7.0/system.System.get_infos'
Missing Output Sanitization in App Manager (CVE-2018-12304)
Applications written for NAS OS can be installed via the Application Manager. They may come from Seagate’s application store, or uploaded manually. Applications developed for the Seagate NAS OS using Seagate’s official NAS OS SDK have several fields that are used to provide information about the application. This data is seen in the App Manager. The fields available for developers include:
- Application Name
- Short Description
- Long Description
- Change Log
- Keywords
- Publisher Name
- Publisher Contact
- Publication Date
- Website URL
- Privacy URL
- Disclaimer
Persistent Cross-site Scripting
By inserting <img src=a onerror=alert(1)> into these fields, an attacker can cause malicious JavaScript to execute.
The following fields are vulnerable and the method of triggering the payload is listed beside them:
- Short Description — hover over app in App Manager
- Publisher Name — Open app details
- Publisher Contact — Open app details
- Website URL — Open app details
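All four XSS findings above (file names, directory names, the API's "Unknown function" error and the App Manager fields) share one remedy: encode untrusted strings at the point they are written into HTML, and treat URL-valued fields separately because escaping does not neutralize a javascript: link. The code below is an added example, not NAS OS code; the field names and rendering layout are assumptions.

```python
import html
import json
from urllib.parse import urlsplit


def render_listing_row(name: str) -> str:
    """One File Browser listing row. The file and directory name bugs came
    from writing the name into the page verbatim, which turns a name such as
    '<img src=a onerror=...>' into a live element. Escaping converts '<',
    '>', '&' and both quote characters into entities the browser shows as text."""
    return f'<tr><td class="name">{html.escape(name, quote=True)}</td></tr>'


def safe_href(url: str) -> str:
    """App Manager renders the Website URL field as a link. Escaping alone does
    not neutralize a 'javascript:' URL in an href, so allow only http(s) URLs
    with a host and fall back to an inert '#' otherwise."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return html.escape(url.strip(), quote=True)


def render_app_details(meta: dict) -> str:
    """App details card covering the fields the write-up lists as vulnerable."""
    rows = []
    for key in ("short_description", "publisher_name", "publisher_contact"):
        rows.append(f"<dt>{key}</dt><dd>{html.escape(str(meta.get(key, '')))}</dd>")
    href = safe_href(str(meta.get("website_url", "")))
    rows.append(f'<dt>website_url</dt><dd><a href="{href}">website</a></dd>')
    return "<dl>" + "".join(rows) + "</dl>"


def api_error(function_name: str):
    """The API reflected an unknown function name into an HTML error page.
    Returning JSON under an explicit content type means the browser never
    treats the reflected value as markup; escaping '<' inside the JSON is
    defence in depth in case the body is ever embedded in HTML."""
    body = json.dumps({"error": "Unknown function", "function": function_name})
    return "application/json; charset=utf-8", body.replace("<", "\\u003c")
```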
Download Manager Allows Using localhost and 127.0.0.1 (CVE-2018-12301)
NAS OS’s Download Manager application allows the downloading of files from a .torrent file or via a URL.
By specifying a URL similar to http://localhost/ or http://127.0.0.1, an attacker can download files from ports ordinarily available only on the loopback device to a user accessible public share.
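A download service that fetches arbitrary URLs on the user's behalf needs a destination check that looks at where the name actually resolves, not just at the literal string. The following is an added example, not Download Manager's code; the resolver is injectable so the check runs offline with constructed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Names that should never be fetched regardless of what DNS says.
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}


def _is_internal(ip) -> bool:
    """Loopback, RFC 1918/ULA, link-local, multicast, reserved and 0.0.0.0/::."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def download_url_allowed(url: str, resolve=socket.getaddrinfo) -> bool:
    """Decide whether Download Manager may fetch `url`.

    The flaw was that http://localhost/ or http://127.0.0.1/ made the device
    fetch from its own loopback services and write the result into a share.
    Reject loopback, private and link-local targets, and check every address
    the hostname resolves to rather than the literal text, so a public name
    that resolves to 127.0.0.1 (or an alternative spelling of the address)
    is caught too. `resolve` is injectable so the check can be exercised
    offline; production code should also pin the resolved address for the
    actual fetch so a second lookup cannot be answered differently.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTNAMES:
        return False
    try:
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            ips = [ipaddress.ip_address(info[4][0]) for info in resolve(host, None)]
        except (socket.gaierror, ValueError):
            return False
    return bool(ips) and not any(_is_internal(ip) for ip in ips)
```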
Use of Insecure Random Number Generator to Generate Password Reset Tokens
Seagate makes use of Python’s random module to generate password reset tokens that are emailed to users. Python’s random module uses the Mersenne Twister to generate random numbers, which has been shown to be unsuited for security-critical needs even when its output is truncated.
Guess Password Reset Tokens
Due to time constraints we were unable to produce an exploit that leverages the use of insecure random number generation discussed in this issue. However, the methodology behind the attack is covered in George Argyros’s paper “I Forgot Your Password: Randomness Attacks Against PHP Applications”, where he discusses the process of recovering the state of the Mersenne Twister for PHP applications. Although the paper discusses the attack for PHP, the same idea applies to Python’s implementation of the Mersenne Twister.
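The remedy is to draw reset tokens from the operating system's CSPRNG rather than from random, store only a hash of the issued token, and make each token expire and work once. The code below is an added example, not Seagate's implementation; the in-memory store is a constructed stand-in for wherever the device persists pending resets.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store for the example; a real service would persist
# the token hash (never the token itself) alongside the user record.
_pending = {}


def issue_reset_token(user_id: str, ttl_seconds: int = 900) -> str:
    """Create a password reset token from the OS CSPRNG.

    Tokens derived from Python's `random` are predictable once enough
    outputs have been observed to recover the Mersenne Twister state.
    `secrets` uses os.urandom, and only a SHA-256 of the token is stored so
    that reading the store does not yield usable tokens.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 URL-safe chars
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[user_id] = (digest, time.time() + ttl_seconds)
    return token


def redeem_reset_token(user_id: str, token: str) -> bool:
    """Single-use check: compare in constant time against the stored hash and
    invalidate the entry on any attempt, so a token cannot be replayed or
    guessed by repeated submission."""
    entry = _pending.pop(user_id, None)
    if entry is None:
        return False
    digest, expires = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    return time.time() < expires and hmac.compare_digest(digest, presented)
```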
Responsible Disclosure Timeline
- April 30, 2018: Contacted Seagate.
- April 30, 2018: Response from Seagate, they are reviewing our submission.
- May 14, 2018: Check in with Seagate. No response.
- June 18, 2018: Check in with Seagate, send them the CVE numbers that were provided to us by MITRE. No response.
Ian Sindermann, Associate Security Analyst at Independent Security Evaluators
Twitter: @ISESecurity @extantbogon