
Exploiting the vulnerability and gaining root privileges (CVE-2023-0830)

Introduction

Recently, I discovered a vulnerability in the backup and restore script used by EasyNAS, a popular open-source network-attached storage (NAS) solution. It was assigned CVE-2023-0830 and is published at https://vuldb.com/?id.220950. The vulnerability allows arbitrary command execution with root privileges, so an attacker can exploit it to delete important system files, modify or steal sensitive data, or gain unauthorized access to the system.

In this blog post, I will show how an attacker can exploit this vulnerability by crafting a malicious GET request to the WebUI of the EasyNAS system. I will also show the vulnerable script code and explain how to mitigate the issue.

Details of the Vulnerability

The vulnerability is present in the backup and restore script, which is used to create and restore backups of the EasyNAS system. The script is written in Perl and is executed through the web interface of the EasyNAS system. The vulnerability lies in the use of the system function to execute a command with user-supplied input. The following is the vulnerable script code:

# Vulnerable: $vol and $file come straight from the request and are interpolated into a single string that /bin/sh parses
$rc=system("/usr/bin/sudo /usr/bin/tar cvf $mount_dir/$vol/$file @config_files > /dev/null" );

As seen in the code above, the script is using the system function to execute the command:

/usr/bin/sudo /usr/bin/tar cvf $mount_dir/$vol/$file @config_files > /dev/null

This command creates a backup of certain system files and stores it in the $mount_dir/$vol directory. The problem is that the $file and $vol variables are taken directly from user-supplied input, without any validation or sanitization. Because the command is passed to system as a single string, the shell interprets metacharacters in those values. An attacker can craft a malicious GET request to the WebUI of the EasyNAS system, injecting a command into the "name" and "vol" parameters of the request.

For example, an attacker could use the following GET request:

/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cwhoami%7c%7ca+%23

This request would execute the command "whoami", which reveals the current user. Since the command runs via sudo, this confirms root-level command execution and can lead to unauthorized access to the system or privilege escalation.

Exploitation Process

Let me walk through the exact exploitation process step by step:

  1. First, I identified that the EasyNAS backup script accepts user input for filename and volume parameters without proper sanitization
  2. By analyzing the source code, I noticed that these parameters are directly passed to a system command
  3. I crafted a specially formatted GET request with command injection payload in the name parameter
  4. The payload contained properly URL-encoded command separators (|) and comment characters (#) to execute arbitrary commands
  5. When this request was sent to the backup script, it executed my command with root privileges due to the sudo usage

This exploit highlights a classic case of command injection vulnerability, where user-controlled input is directly incorporated into system commands without proper escaping or validation.

Mitigation

The vulnerability can be mitigated by properly validating and sanitizing user input. One way to do this is to use the built-in param method of the Perl module CGI.pm, which removes any leading or trailing whitespace and control characters from the user input. Additionally, regular expressions can be used to validate user input and ensure that it contains only allowed characters.

Another way to mitigate this vulnerability is to use the Perl module Taint.pm, which can be used to enable taint mode in the script. Taint mode marks all user-supplied input as "tainted", which means it is considered unsafe to pass to system calls until it has been explicitly checked.

Recommendations for fixing this vulnerability:

  1. Implement strict input validation with a whitelist approach (only allow alphanumeric characters and specific symbols)
  2. Use prepared statements or parameterized APIs where possible
  3. Avoid using sudo in scripts, especially for web applications
  4. Implement proper privilege separation, running the web interface with minimal permissions
  5. Consider using Perl's "use strict" and "use warnings" directives to catch potential issues
  6. Apply the principle of least privilege throughout the application
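The following is a hardened form of the backup call, written here as an added example rather than the EasyNAS project's own fix. It combines recommendations 1, 3 and 5 with taint mode: $mount_dir and @config_files are stand-in server-side constants, $vol and $file are the request parameters, and sudo is dropped so the script runs with the web user's privileges only.

```perl
#!/usr/bin/perl -T
# -T enables taint mode; run as ./backup_fixed.pl or "perl -T backup_fixed.pl".
use strict;
use warnings;

# Taint mode refuses to spawn a child while PATH and friends are tainted.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

my $mount_dir    = '/mnt';                         # assumed server-side constant
my @config_files = ('/etc/fstab', '/etc/hostname');# assumed fixed, server-side list

# Allowlist check. Returns the untainted name on success, undef otherwise.
# Letters, digits, underscore, dot and dash only; no leading dot, so ".",
# ".." and hidden files are rejected, and "/" is never allowed.
sub safe_name {
    my ($value) = @_;
    return unless defined $value;
    # Only the regex capture is untainted, which is what taint mode requires.
    return $1 if $value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return;
}

# Build the argv list for tar. Returns an array ref, or undef if either
# parameter fails the allowlist. Nothing here is ever seen by /bin/sh.
sub build_backup_argv {
    my ($vol, $file) = @_;
    my $safe_vol  = safe_name($vol);
    my $safe_file = safe_name($file);
    return unless defined $safe_vol && defined $safe_file;
    my $target = "$mount_dir/$safe_vol/$safe_file";
    # "cf" instead of "cvf": without the verbose flag there is no output to
    # redirect, so the shell redirect from the original line is not needed.
    return ['/usr/bin/tar', 'cf', $target, @config_files];
}

# Runs the backup without sudo. Returns tar's exit status, or -1 when the
# input was rejected. The list form of system() passes one argv entry per
# element, so "|", "#", spaces or quotes in $target are just bytes in a path.
sub run_backup {
    my ($vol, $file) = @_;
    my $argv = build_backup_argv($vol, $file) or return -1;
    my $rc = system(@$argv);
    return $rc == -1 ? -1 : $rc >> 8;
}

# Constructed inputs: the injected "name" value from the write-up above is
# rejected before anything is executed; an ordinary file name is accepted.
for my $name ('|whoami||a #', 'backup.tar') {
    printf "%-14s => %s\n", $name,
        defined build_backup_argv('data', $name) ? 'accepted' : 'rejected';
}
```

If elevated privileges are genuinely required for some files, a sudoers rule restricted to this exact tar command line is a smaller exposure than the blanket sudo in the original script, and the allowlist above still has to run first.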

Conclusion

This vulnerability in the backup and restore script for EasyNAS is a serious issue that can potentially lead to unauthorized access to the system. It is important to take the necessary steps to protect your EasyNAS systems and to be aware of this vulnerability.

The vulnerability can be mitigated by properly validating and sanitizing user input, avoiding the use of "sudo" in scripts, and using the "su" command. This is a reminder that it is important to keep software updated and to stay aware of vulnerabilities. Even open-source software, like EasyNAS, can have security issues. It is important to understand the potential risks and to take the necessary steps to protect your systems.
