N5200Pro remote exploit

kirth New Member Posts: 23	N5200Pro remote exploit Feb 25, 2008 2:46:47 GMT 7 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by kirth on Feb 25, 2008 2:46:47 GMT 7 Just to let you know a few days ago an exploit for the N5200Pro has gone "public". It's a Remote File Inclusion. Here it is: www.milw0rm.com/ Exploit id is 5150. Thecus N5200Pro NAS Server Control Panel RFI Vulnerability

danielz New Member Posts: 3	N5200Pro remote exploit Feb 26, 2008 16:14:30 GMT 7 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by danielz on Feb 26, 2008 16:14:30 GMT 7 The Expolit are fixed in version 2.00.04 (http://www.thecus.eu/en/89/) //Daniel

fajo
Full Member

Posts: 143

N5200Pro remote exploit Feb 26, 2008 17:06:47 GMT 7

Quote

Post by fajo on Feb 26, 2008 17:06:47 GMT 7

The release notes refer to other (more critical) vulnerabilities - the remote file inclusion should still be possible in 2.00.04 as long as allow_url_fopen is enabled (the default) in /etc/httpd/conf/php.ini.

If the SSHD module is installed you may disable this PHP feature and the exploit will no longer show any effect.

/Falk

Last Edit: Feb 26, 2008 17:08:01 GMT 7 by fajo

marty Full Member Posts: 112	N5200Pro remote exploit Feb 27, 2008 12:22:13 GMT 7 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by marty on Feb 27, 2008 12:22:13 GMT 7 Hi, What kind of security vulnerability are we at risk? Could you give us an example? Thanks Marty

fajo
Full Member

Posts: 143

N5200Pro remote exploit Feb 27, 2008 14:36:19 GMT 7

Quote

Post by fajo on Feb 27, 2008 14:36:19 GMT 7

Feb 27, 2008 12:22:13 GMT 7 marty said:

What kind of security vulnerability are we at risk

see forums.hexus.net/thecus-care-hexus/126527-thecus-n5200-2-00-04-vulnerabilities.html

Feb 27, 2008 12:22:13 GMT 7 marty said:

Could you give us an example?

No, I will not post any details/exploits - Thecus is aware of these issues and will (hopefully soon) provide fixes.

Anyway, I would recommend to not make the NAS WebUI accessible from insecure networks (such as the internet).

/Falk

fajo
Full Member

Posts: 143

N5200Pro remote exploit Jan 8, 2009 5:32:59 GMT 7

Quote

Post by fajo on Jan 8, 2009 5:32:59 GMT 7

I made a update available for download that will set allow_url_fopen to off in php.ini. To download the the update and MD5 checksum follow the links below:

www.fajo.de/thecus/N5200_N5200pro_1U4500_N7700_N8800_FIX_KKM-79873.bin
www.fajo.de/thecus/N5200_N5200pro_1U4500_N7700_N8800_FIX_KKM-79873.bin.md5

The update has been tested on 'N5200pro' and can be applied on the following models running ANY FW version (the update reports version 99.99.99):

N5200
N5200pro
1U4500
N7700
N8800

The update process will report 'success' if either of the following applies:

allow_url_fopen was not set to on
php.ini modified successfully

An 'error' is reported if either of the following applies:

php.ini was not found
the process was not able to update php.ini

After applying the update a reboot is required so httpd gets restarted.

/Falk

gideon007 Full Member Posts: 157	N5200Pro remote exploit Jan 10, 2009 0:22:36 GMT 7 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by gideon007 on Jan 10, 2009 0:22:36 GMT 7 Is this to be applied like a module or like a firmware update? Thanks for bothering with this.

peterfu God Posts: 900	N5200Pro remote exploit Jan 10, 2009 1:52:45 GMT 7 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by peterfu on Jan 10, 2009 1:52:45 GMT 7 As FW Upgrade br Peter

Post by kirth on Feb 25, 2008 2:46:47 GMT 7

Post by danielz on Feb 26, 2008 16:14:30 GMT 7

Post by fajo on Feb 26, 2008 17:06:47 GMT 7

Post by marty on Feb 27, 2008 12:22:13 GMT 7

Post by fajo on Feb 27, 2008 14:36:19 GMT 7

Post by fajo on Jan 8, 2009 5:32:59 GMT 7

Post by gideon007 on Jan 10, 2009 0:22:36 GMT 7

Post by peterfu on Jan 10, 2009 1:52:45 GMT 7