CVE-2014-8686
Published 2017-09-19
Priority P2 67 · critical 9.8 (CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 37.22% (98.3th percentile)
CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codeigniter | codeigniter | <= 2.1.4 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by looking for HTTP requests to the login page carrying a 'ci_session' cookie whose decoded (base64 + XOR) PHP object contains a 'language' key with path-traversal sequences (e.g., '../') or a null byte.
- Flag HTTP responses containing both 'X-Powered-By: PHP/5.2.13' and 'Server: lighttpd/1.4.28' headers alongside a body containing 'Login to BlackArmor' as indicators of a vulnerable Seagate Business NAS target.
- Alert on GET requests to short randomly named PHP files (matching the pattern _[a-zA-Z0-9]{3}.php) at the web root of the NAS, which correspond to the dropped payload file.
- Detect POST requests to /index.php/mv_system/set_general_setup containing a 'general_setup' parameter with embedded PHP code (e.g., file_put_contents or base64_decode), indicating the stager upload step.
- The static XOR key is a hardcoded default in the Seagate NAS firmware; the attack only works because the Mcrypt PHP extension is absent, forcing CodeIgniter to fall back to the weak XOR-based encryption scheme.
- The exploit has been confirmed only against the Seagate STBN300 device; other Seagate Business NAS models may differ in firmware layout.
- No authentication is required; the entire attack chain (cookie forgery, config manipulation, payload drop, and execution) is performed as an unauthenticated user via the login page.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
Exploit-DB
Seagate Business NAS - Remote Command Execution (Metasploit) · exploitdb · 2015-03-04
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Seagate Business NAS Unauthenticated Remote Command Execution',
      'Description' => %q{
        Some Seagate Business NAS devices are vulnerable to command execution via a local
        file include vulnerability hidden in the language parameter of the CodeIgniter
        session cookie. The vulnerability manifests in the way the language files are
        included in the code on the login page, and hence is open to attack from users
        without the need for authentication. The cookie can be easily decrypted using a
        known static encryption key and re-encrypte
```
Metasploit
Seagate Business NAS Unauthenticated Remote Command Execution
Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This module has been tested on the STBN300 device.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
- https://beyondbinary.io/articles/seagate-nas-rce/
- https://codeigniter.com/userguide2/changelog.html
- https://www.dionach.com/blog/codeigniter-session-decoding-vulnerability