A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Friday, 16 October 2015

Security Advisory: Buffalo NAS Authentication Bypass

Security Advisory
Buffalo LinkStation/TeraStation Authentication Bypass 

Manufacturer: Buffalo Technology - http://www.buffalotech.com
Affected Products: LinkStation/TeraStation NAS Devices
Affected Firmware: Seen in 1.69 and below 
Fixed Firmware: 1.71
Risk: Critical data loss/access to sensitive information
Vendor Status: Firmware Update Released

General Information
During a client penetration test, SecQuest consultants found that it was possible to bypass authentication on Buffalo NAS devices by modifying the response to the login request.

This allows full access at administrator level giving complete control of the device. Using the admin interface it is possible to add a new user and open the device up for remote file sharing via Buffalo's "webaccess" functionality.

This would give access to all data contained on the device. A malicious attacker could alternatively format the storage or delete RAID arrays potentially resulting in data loss.

Vulnerability
The response to a POST request to /dynamic.pl can be modified in a proxy to allow access using ANY username and password by changing the "success" and "pageMode" parameters as follows:

Original response
 {"success":false,"errors":[],"data":[{"sid":"###","pageMode":2}]}

Modified response
 {"success":true,"errors":[],"data":[{"sid":"###","pageMode":0}]}

Vulnerability confirmed in firmware versions 1.10, 1.15, 1.34, 1.41, 1.50, 1.52, 1.56, 1.59, 1.60, 1.63, 1.64, 1.65, 1.66, 1.68, 1.69
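
The pattern behind this class of bug, as an added example that is not SecQuest's or Buffalo's code: a toy Python model in which the weak server accepts any sid it has issued, so the login outcome exists only in the response the client sees, while the hardened server records the outcome against the session on its own side. That the device honours the sid returned with a failed login is an assumption made here; the advisory does not describe the server-side cause. `Server`, `admin_action` and the credentials are constructed for the example.

```python
import json
import secrets

# Constructed credentials for this model only.
USERS = {"admin": "correct horse"}


class Server:
    """Toy login endpoint that answers in the JSON shape shown in the advisory."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}  # sid -> did this session authenticate? (server-side)

    def login(self, user, password):
        ok = secrets.compare_digest(USERS.get(user, ""), password)
        if self.hardened and not ok:
            # Hardened: a failed login is never given a session.
            return json.dumps({"success": False, "errors": [], "data": []})
        sid = secrets.token_hex(8)
        self.sessions[sid] = ok
        return json.dumps({"success": ok, "errors": [],
                           "data": [{"sid": sid, "pageMode": 0 if ok else 2}]})

    def admin_action(self, sid):
        if self.hardened:
            # The decision comes from server-side state, not from the response.
            return self.sessions.get(sid) is True
        # Weak (assumed cause): any issued sid is accepted.
        return sid in self.sessions


def tampered_response_grants_access(server):
    """Fail a login, edit the response as a proxy would, then reuse the sid."""
    body = json.loads(server.login("anyone", "wrong"))
    body["success"] = True  # these edits only change what the client sees
    sid = None
    for item in body["data"]:
        item["pageMode"] = 0
        sid = item["sid"]
    return sid is not None and server.admin_action(sid)
```

Against the weak server the edited response is enough to reach `admin_action`; against the hardened one the same edit changes nothing because no authenticated session exists on the server.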

Credits 
Discovered by Darren Fuller (darren [at] secquest.co.uk)

Independently discovered by Red Team Pentesting

History
16-Oct-2015 Exploit is in the wild, blog post published
07-Jul-2015 Vendor has no update from engineering team
25-Jun-2015 Update requested from vendor
06-Mar-2015 Vendor is liaising with engineering team in Japan
04-Mar-2015 Update requested from vendor
22-Jan-2015 Technical team confirms vulnerability, fix being created
19-Jan-2015 Update requested from vendor
05-Jan-2015 Update requested from vendor
23-Dec-2014 Vulnerability information passed on to vendor
16-Dec-2014 Alternate contact at vendor requested
16-Dec-2014 Vendor response, case reference ID: 0-80368
15-Dec-2014 Vendor contacted via web support form

3 comments:

  1. I just retired our old DC (Server 2003 R2 Standard x86) and replaced it with a new Server 2012 R2 Standard x64, but now I have problems accessing our Buffalo-NAS. I can access it via hostname, but not via its PureVPN IP-Address.

  2. Best solution to protect your information is to keep it in the VDR systems. Data room services can protect your documents from hacking and it's very easy in using.

  3. Responsive reasons incorporate expanding your level of security as aftereffect of: being an immediate or circuitous casualty of a wrongdoing, including violations executed against an individual from your family unit, family or companions; critical changes to individual status, for example, a considerable increment in your riches or position; or damage to yourself or others; or as an outcome of sick wellbeing. Fast Guard Service
