The shutdown webpage has no special X-Frame-Options set on it, allowing an attacker with the right knowledge to remotely disable the device through an iframe that an admin on the device loads.
I have demonstrated shutting down such a device remotely using STUN to locate the local IP address of the user and iterating on that IP address by requesting the Buffalo logo from these IP addresses. In the case where the user has recently accessed their NAS configuration panel, the logo loads instantly (from cache) and fires the onload event, which in turn triggers an iframe embed which shuts down the device.
Code: https://gist.github.com/
In short, the above code will scan for and remotely shutdown all vulnerable Buffalo NAS-s the viewer is authorized to configure in their local network.
Zemnmez
Thanks to Nathaniel "XMPPWocky" Theis for helping me streamline this exploit.
Komentarų nėra:
Rašyti komentarą