A few months back while evaluating NETGEAR’s ReadyNAS for IP360 coverage, I found that critical flaws allow complete root access from a single, unauthenticated HTTP request. See the advisory here.
Based on analysis of SHODAN data, there are over 10,000 ReadyNAS with HTTP or HTTPS directly accessible from the public Internet. The following video is from a live demonstration we produced on October 29th:
The proof-of-concept exploit code I authored can use this information to exploit vulnerable ReadyNAS with crafted HTTP requests. By using the proper payload I have demonstrated that the ReadyNAS will launch a reverse TCP root shell. To state it in less technical terms, I found that opening a web page with a very purposefully chosen name will cause the ReadyNAS to offer full access to a computer specified by the attacker.
The command injection vulnerability was tracked as CVE-2013-2751 and CVE-2013-2752 was assigned for the request forgery aspect. These issues along with numerous others were responsibly disclosed to NETGEAR starting in November 2012.
In July, NETGEAR released RAIDiator firmware 4.2.24 and 4.1.12, which I was advised ‘closes many of the issues’ I reported. The only mention of security concerns was in the firmware release notes. There’s just one line: ‘Updated Frontview to fix security issues.’ Without knowledge of the specific vulnerabilities, customers feel no sense of urgency about installing the update.