Tuesday, March 3, 2015 - 00:30

RCE vulnerability in Seagate's Business Storage NAS

There is a remote code execution vulnerability in Seagate's Business NAS systems, which, aside from that, appear to be a true masterpiece of software engineering.

Quite frankly I haven't seen this shit since the end of the last millennium. It's hilarious if you don't own one of them, and I don't. The device is powered by vastly outdated software; apparently it hasn't seen a real update for ages. So far a rather normal issue, but that's just the lever for this exploit, not the source. The source is a cookie, and as I already mentioned, I haven't seen that kind of session authentication for quite some time now, at least in a product that's targeting the business sector.

The product doesn't appear to do any session handling on the device at all. Everything relevant is stored in a cookie on the client. While this cookie is encrypted, it's encrypted with a key that's the very same on every device. So even if you don't know the key, you can elevate your access rights to admin access by using an authenticated session cookie from a completely different machine. Or, in other words:

If you're admin on one machine you're admin on all of them.

That said, the session encryption can easily be broken, and with that everyone can become admin, independent of whether they have access to a system with admin privileges or not. You can decrypt the cookie, modify it, and encrypt it again.

Such a security model was awkward 15 years ago. It's disturbing to see something like that in 2015. Whoever came up with that idea clearly has a problematic relationship with security in general and authentication in particular. While a client-side session can be secure, it has absolutely no margin for error. It's simply bad design to let the client dictate whether a user does or does not have certain access privileges.
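To make the design point concrete, here is an added example (not code from the post or from Seagate's firmware) contrasting the model described above with two fixes. The post describes a cookie that is encrypted but, as far as the text goes, not integrity-protected, with one key on every unit. The example uses HMAC-SHA256 tokens instead of encryption, since a token the device can verify needs an authenticator; the keys, user names and roles are constructed for the demonstration. It shows why a key shared across all devices makes one unit's admin cookie valid everywhere, how a secret generated per device closes that, how an authenticator rejects an edited privilege claim, and how a server-side session store removes the privilege claim from the client entirely.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed keys. The post describes one key baked into every unit; the fix
# is a secret generated on each device (for example at first boot).
SHARED_KEY = b"constructed-key-identical-on-every-unit"
DEVICE_A_KEY = secrets.token_bytes(32)
DEVICE_B_KEY = secrets.token_bytes(32)


def issue_cookie(device_key: bytes, session: dict) -> str:
    """Return '<base64 payload>.<hmac tag>' bound to this device's key."""
    payload = base64.urlsafe_b64encode(
        json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(device_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(device_key: bytes, cookie: str):
    """Return the session dict, or None if the tag was not made with this device's key."""
    if "." not in cookie:
        return None
    payload, tag = cookie.rsplit(".", 1)
    expected = hmac.new(device_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64 or bad JSON
        return None


def is_admin(device_key: bytes, cookie: str) -> bool:
    """Privilege decision: only a cookie this device can verify counts."""
    session = verify_cookie(device_key, cookie)
    return bool(session) and session.get("role") == "admin"


class ServerSideSessions:
    """Opaque random token on the client; the role lives only on the device."""

    def __init__(self):
        self._sessions = {}

    def login(self, user: str, role: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "role": role}
        return token

    def role_for(self, token: str):
        entry = self._sessions.get(token)
        return entry["role"] if entry else None


def demo() -> dict:
    """Run the four scenarios and return which checks pass."""
    admin = {"user": "admin", "role": "admin"}
    results = {}

    # 1. The flaw as described: one key on every unit, so a cookie issued by
    #    device A is accepted as admin on device B.
    cookie_from_a = issue_cookie(SHARED_KEY, admin)
    results["shared_key_cross_device_accepted"] = is_admin(SHARED_KEY, cookie_from_a)

    # 2. Per-device key: the same cookie is meaningless on another unit.
    cookie_from_a = issue_cookie(DEVICE_A_KEY, admin)
    results["per_device_key_cross_device_rejected"] = not is_admin(DEVICE_B_KEY, cookie_from_a)

    # 3. Integrity: a 'user' cookie whose payload is replaced by one claiming
    #    admin, with the original tag kept, fails verification.
    user_cookie = issue_cookie(DEVICE_A_KEY, {"user": "guest", "role": "user"})
    _, tag = user_cookie.rsplit(".", 1)
    edited = base64.urlsafe_b64encode(
        json.dumps({"user": "guest", "role": "admin"}, sort_keys=True).encode()).decode()
    results["edited_role_rejected"] = not is_admin(DEVICE_A_KEY, f"{edited}.{tag}")

    # 4. Server-side sessions: the client holds only a random token, so there is
    #    no privilege claim to edit, and device B has never heard of A's token.
    store_a, store_b = ServerSideSessions(), ServerSideSessions()
    token = store_a.login("admin", "admin")
    results["server_side_admin_on_own_device"] = store_a.role_for(token) == "admin"
    results["server_side_token_unknown_elsewhere"] = store_b.role_for(token) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The server-side store is the simpler fix: the cookie carries no data the device has to trust, so there is nothing to decrypt, edit or replay on another unit. Signed per-device tokens are the option when the device genuinely cannot keep session state, and then the key must never be shared across units and the authenticator must be checked before any field of the payload is read.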

The cookie can also be used for code inclusion. Together with a couple of long-fixed foobars in the deployed software, you can gain root access and execute code in root's context. Game over.

If you're interested in the details, the entire process is explained over at Beyond Binary. A rather entertaining and not too complicated read.