CVE-2014-8687
Published 2017-06-08
Priority P2 · 76 · critical · 9.8 CVSS 3.0
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 43.81% (98.6th percentile)
Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session tokens.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seagate | business_nas_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by inspecting the 'ci_session' cookie for a base64+XOR-encoded PHP serialized object containing a 'language' key with a null-byte path traversal sequence (e.g. '../../../etc/devicedesc\x00'), which is the LFI trigger for this CVE.
- Flag HTTP responses containing both 'X-Powered-By: PHP/5.2.13' and 'Server: lighttpd/1.4.28' headers alongside a body containing 'Login to BlackArmor' as indicators of a vulnerable Seagate Business NAS device.
- Alert on POST requests to '/index.php/mv_system/set_general_setup' containing a 'general_setup' parameter with XML-encoded PHP code (e.g. 'file_put_contents'), which is the stager upload step of the exploit.
- Monitor for GET requests to randomly named PHP files at the web root (matching pattern /_[a-zA-Z0-9]{3}\.php/) on Seagate NAS devices, which correspond to the dropped webshell payload file.
- Detect the static XOR key '0f0a000d02011f0248000d290d0b0b0e03010e07' in network traffic or tool configurations; its presence indicates use of the known Seagate NAS session forgery technique.
- Detect unauthenticated access to '/index.php/mv_system/get_general_setup' or '/index.php/mv_system/set_general_setup' endpoints, especially with a forged ci_session cookie setting 'is_admin' to 'yes'.
- The static XOR key and cookie name ('ci_session') are hardcoded defaults in the exploit; defenders should not rely on cookie name changes alone as a mitigation since the key is universally the same across all affected devices.
- The exploit is pre-authentication and targets the login page directly; network-level access controls blocking the web UI port are the primary mitigation until firmware 2015.00322 or later is applied.
- The webshell filename is randomized per exploitation run (UUID or random alphanumeric prefix), so file-based detection must use pattern matching rather than a fixed filename.
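The request-side checks from the list above, combined into one function, as an added Python example (not code from the advisory, the exploit authors or the vendor). It assumes the cookie is URL-encoded base64 over a repeating-key XOR of the whole value and that requests are already parsed into method, URL, cookies and body; the function names and sample requests are constructed.

```python
import base64, binascii, re
from itertools import cycle
from urllib.parse import unquote, unquote_plus, urlsplit

XOR_KEY = bytes.fromhex("0f0a000d02011f0248000d290d0b0b0e03010e07")  # static key quoted above
SETUP_PATHS = tuple(f"/index.php/mv_system/{v}_general_setup" for v in ("get", "set"))
DROPPED_PHP = re.compile(r"/_[a-zA-Z0-9]{3}\.php")  # pattern from the notes above

def decode_ci_session(value):
    """XOR-decode a ci_session value; None if it is not valid base64.
    Assumption: URL-encoded base64 over a repeating-key XOR of the whole value."""
    try:
        raw = base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return None
    return bytes(b ^ k for b, k in zip(raw, cycle(XOR_KEY)))

def cookie_findings(value):
    plain = decode_ci_session(value) or b""
    hits = []
    # LFI trigger: a 'language' entry carrying traversal or a NUL byte.
    if b'"language"' in plain and (b"../" in plain or b"\x00" in plain):
        hits.append("ci_session: language path traversal")
    # Legitimate admin sessions carry this too; it is context, not proof of forgery.
    if re.search(rb'"is_admin";s:\d+:"yes"', plain):
        hits.append("ci_session: is_admin=yes")
    return hits

def request_findings(method, url, cookies=None, body=""):
    """Run the request-side checks from the list above on one parsed request."""
    path = urlsplit(url).path
    hits = cookie_findings((cookies or {}).get("ci_session", ""))
    if path in SETUP_PATHS:
        hits.append("mv_system general_setup endpoint")
        if method == "POST" and "file_put_contents" in unquote_plus(body):
            hits.append("general_setup: PHP code in parameter")
    if method == "GET" and DROPPED_PHP.fullmatch(path):
        hits.append("GET for /_xxx.php at web root")
    return hits

SAMPLE = [  # constructed requests (method, URL, body), not captured traffic
    ("GET", "/", ""),
    ("POST", "/index.php/mv_system/set_general_setup",
     "general_setup=%3Cx%3Efile_put_contents%3C%2Fx%3E"),
    ("GET", "/_a9Z.php", ""),
]
if __name__ == "__main__":
    for method, url, body in SAMPLE:
        print(method, url, request_findings(method, url, body=body))
```

Whether a hit on the setup endpoints was unauthenticated has to come from session state on the device or proxy; the function only sees the request.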
CVSS provenance
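| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |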
No detection rules found.
Exploit-DB
Seagate Business NAS - Remote Command Execution (Metasploit)
exploitdb·2015-03-04
CVE-2014-8686 Seagate Business NAS - Remote Command Execution (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class MetasploitModule 'Seagate Business NAS Unauthenticated Remote Command Execution',
'Description' => %q{
Some Seagate Business NAS devices are vulnerable to command execution via a local
file include vulnerability hidden in the language parameter of the CodeIgniter
session cookie. The vulnerability manifests in the way the language files are
included in the code on the login page, and hence is open to attack from users
without the need for authentication. The cookie can be easily decrypted using a
known static encryption key and re-encrypte
Exploit-DB
Seagate Business NAS 2014.00319 - Remote Code Execution
exploitdb·2015-03-01
CVE-2014-8687 Seagate Business NAS 2014.00319 - Remote Code Execution
---
#!/usr/bin/env python
#
# Seagape
# =======
# Seagate Business NAS pre-authentication remote code execution
# exploit as root user.
#
# by OJ Reeves (@TheColonial) - for full details please see
# https://beyondbinary.io/advisory/seagate-nas-rce/
#
# Usage
# =====
# seagape.py <ip> <port> [-c [ua]]
#
# - ip : ip or host name of the target NAS
# - port : port of the admin web ui
# - -c : (optional) create a cookie which will give admin access.
# Not specifying this flag results in webshell installation.
# - ua : (optional) the user agent used by the browser for the
# admin session (UA must match the target browser).
# Default value is listed below
#
# Example
# =======
# Install and interact with the web shell:
# seagape.py 192.168.0.1 80
#
#
Metasploit
Seagate Business NAS Unauthenticated Remote Command Execution
metasploit
Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This module has been tested on the STBN300 device.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/130585/Seagate-Business-NAS-2014.00319-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
- http://www.securityfocus.com/bid/72831
- https://beyondbinary.io/articles/seagate-nas-rce/
- https://www.exploit-db.com/exploits/36202/
- https://www.exploit-db.com/exploits/36264/
Published: 2017-06-08