Exploiting Remote Command Execution Vulnerability in EasyNAS
Exploiting the vulnerability and gaining root privileges (CVE-2023–0830)
Introduction:
Recently, I discovered a vulnerability which was in a backup and restore script used in EasyNAS, a popular open-source network-attached storage (NAS) solution. The CVE-2023–0830 is published on https://vuldb.com/?id.220950 . The vulnerability, which allows for arbitrary command execution with root privileges, can be exploited by an attacker to delete important system files, modify or steal sensitive data, or even gain unauthorized access to the system. In this blog post, I will show how an attacker can exploit this vulnerability by crafting a malicious GET request to the WebUI of the EasyNAS system, I will show the vulnerable script code and how to mitigate the issue.
Details of the Vulnerability:
The vulnerability is present in the backup and restore script, which is used to create and restore backups of the EasyNAS system. The script is written in Perl and is executed through the web interface of the EasyNAS system. The vulnerability lies in the use of the system function to execute a command with user-supplied input. The following is the vulnerable script code:
$rc=system("/usr/bin/sudo /usr/bin/tar cvf $mount_dir/$vol/$file @config_files > /dev/null" );As seen in the code above, the script is using the system function to execute the command:
/usr/bin/sudo /usr/bin/tar cvf $mount_dir/$vol/$file @config_files > /dev/nullThis command creates a backup of certain system files and stores it in the $mount_dir/$vol directory. The problem is that the $file variable and the $vol variable are being passed in as user-supplied input, without proper validation or sanitization. An attacker can craft a malicious GET request to the WebUI of the EasyNAS system, injecting a malicious command into the “name” and “vol” parameters of the GET request.
For example, an attacker could use the following GET request:
/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cwhoami%7c%7ca+%23This request would execute the command “whoami” which would reveal the current user, this could lead to unauthorized access to the system or privilege escalation.
Mitigation:
The vulnerability can be mitigated by properly validating and sanitizing user input. One way to do this is using the Perl module CGI.pm’s built-in param method, which will remove any leading or trailing whitespace and control characters from the user input. Additionally, the use of regular expressions can be used to validate user input and ensure that it only contains allowed characters.
Another way to mitigate this vulnerability is to use the Perl module Taint.pm, which can be used to enable taint mode in the script. Taint mode ensures that all user-supplied input is “tainted”, which means that it is considered unsafe to use in the system.
Conclusion:
This vulnerability in the backup and restore script for EasyNAS is a serious issue that can potentially lead to unauthorized access to the system. It is important to take the necessary steps to protect your EasyNAS systems and to be aware of this vulnerability. The vulnerability can be mitigated by properly validating and sanitizing user input, avoiding the use of “sudo” in scripts, and using the “su” command. This is a reminder that it is important to keep software updated and aware of vulnerabilities. Even open-source software, like EasyNAS, can have security issues. It is important to be aware of the potential risks and to take the necessary steps to protect your systems.
Hope you had a valuable read, See you next time.
Follow me on Twitter
