A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Friday, 16 October 2015

Security Advisory: Buffalo NAS Authentication Bypass

Security Advisory
Buffalo LinkStation/TeraStation Authentication Bypass 

Manufacturer: Buffalo Technology - http://www.buffalotech.com
Affected Products: LinkStation/TeraStation NAS Devices
Affected Firmware: Seen in 1.69 and below 
Fixed Firmware: 1.71
Risk: Critical data loss/access to sensitive information
Vendor Status: Firmware Update Released

General Information
During a client penetration test, SecQuest consultants found that it was possible to bypass authentication on Buffalo NAS devices by modifying the response to the login request.

This allows full access at administrator level giving complete control of the device. Using the admin interface it is possible to add a new user and open the device up for remote file sharing via Buffalo's "webaccess" functionality.

This would give access to all data contained on the device. Alternatively, a malicious attacker could format the storage or delete RAID arrays, potentially resulting in data loss.

The response from a POST request to /dynamic.pl can be modified in a proxy to allow access using ANY username and password by changing the "success" and "pagemode" parameters as follows:

Original response

Modified response

Vulnerability confirmed in firmware versions 1.10, 1.15, 1.34, 1.41, 1.50, 1.52, 1.56, 1.59, 1.60, 1.63, 1.64, 1.65, 1.66, 1.68, 1.69
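Why editing the login response is enough to get in, as an added Python sketch (not SecQuest's or Buffalo's code): an interface that authorises on fields the client holds can be steered by the client, while one that checks a server-issued session cannot. The account, the field values, the `sid` token and all function names are assumptions made for the example; only the "success" and "pagemode" field names come from the advisory.

```python
import hmac
import secrets

# Constructed data: the account, the password and the field values are
# invented for this sketch; they are not taken from the firmware.
USERS = {"admin": "correct horse"}
SESSIONS = {}  # server-side state: token -> username


def login(username, password):
    """Return the response body a /dynamic.pl-style login would send."""
    stored = USERS.get(username)
    ok = stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())
    if not ok:
        return {"success": False, "pagemode": -1, "sid": None}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username  # the only thing that grants access
    return {"success": True, "pagemode": 0, "sid": token}


def admin_action_client_trusting(client_state):
    """Flawed pattern: authorise on fields echoed back by the client."""
    return (bool(client_state.get("success"))
            and client_state.get("pagemode") == 0)


def admin_action_server_checked(client_state):
    """Hardened pattern: authorise only on a token the server issued."""
    sid = client_state.get("sid")
    return isinstance(sid, str) and sid in SESSIONS


def tampered_login_state():
    """A failed login whose response fields were changed in transit."""
    body = login("anyone", "anything")
    body.update(success=True, pagemode=0)  # fields no longer match the server
    return body
```

When auditing a device's admin interface, the check that matters is the second one: every privileged request has to be validated against state the server created at login.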

Discovered by Darren Fuller (darren [at] secquest.co.uk)

Independently discovered by Red Team Pentesting

16-Oct-2015 Exploit is in the wild, blog post published
07-Jul-2015 Vendor has no update from engineering team
25-Jun-2015 Update requested from vendor
06-Mar-2015 Vendor is liaising with engineering team in Japan
04-Mar-2015 Update requested from vendor
22-Jan-2015 Technical team confirms vulnerability, fix being created
19-Jan-2015 Update requested from vendor
05-Jan-2015 Update requested from vendor
23-Dec-2014 Vulnerability information passed on to vendor
16-Dec-2014 Alternate contact at vendor requested
16-Dec-2014 Vendor response, case reference ID: 0-80368
15-Dec-2014 Vendor contacted via web support form

