NAS4Free Unauthenticated Command Injection

by Matthew Lowe

Summary

This advisory presents a major vulnerability in NAS4Free that allows arbitrary shell command injection as root from an unauthenticated user.

Details

The NAS4Free admin web page allows for arbitrary command injection by an unauthenticated user. The Username field is susceptible to command injection by using the backtick operator (`).

It is recommended that you update to a version greater than 9.1.0.1.775.

Proof of Concept: Exploitation Example

  • Connect to the admin interface via http or https
  • In the Username field enter: echo "vulnerable" > /root/data
  • Access the server via ssh or the console and enter: cat /root/data
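The pattern behind this bug class and its fix, as an added Python example that is not NAS4Free's own code: a username spliced into a shell command string lets a backtick trigger command substitution, whereas an allowlist check plus an argv-list invocation with no shell passes the value as one literal argument. The function names and the allowlist pattern are assumptions for this example.

```python
import re
import subprocess

# Appliance login usernames are short and ASCII; reject anything else up front
# so shell metacharacters (backtick, $( ), ;, |, &) never reach a privileged
# process.  The allowlist is an assumption chosen for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(username: str) -> bool:
    """Return True only for usernames matching the allowlist."""
    return bool(USERNAME_RE.fullmatch(username))


def lookup_unsafe(username: str) -> str:
    """Vulnerable pattern: the untrusted field is interpolated into a shell
    command string, so a backtick inside it becomes command substitution
    (the bug class in this advisory).  Kept only for contrast."""
    out = subprocess.run(f"echo {username}", shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def echo_literal(username: str) -> str:
    """Defense in depth: even without validation, an argv list and no shell
    means the value is one literal argument and nothing in it is interpreted."""
    out = subprocess.run(["printf", "%s", username],
                         capture_output=True, text=True)
    return out.stdout


def lookup_safe(username: str) -> str:
    """Hardened form: validate against the allowlist, then invoke the helper
    without a shell.  Raises ValueError on any rejected input."""
    if not is_valid_username(username):
        raise ValueError("rejected username")
    return echo_literal(username)
```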

Timeline

  • 6/12/13: Discovered vulnerability while testing on a local VM.
  • 6/12/13: Contacted project maintainer.
  • 6/16/13: Emailed project leads about the issue.
  • 6/16/13: Project leader responded with a commitment to fix and timeline.
  • 6/23/13: Fix posted to NAS4Free site.