Seagate NAS OS 4.3.15.1 SQL Injection Vulnerability

Summary

SQL injection in folderViewSpecific.psp in Seagate NAS OS version 4.3.15.1 allows attackers to execute arbitrary SQL commands via the dirId URL parameter.

Credit:

The information has been provided by Ian Sindermann.
The original article can be found at: https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170


Details

This device includes the “Seagate Media Service”, which lets users connect to the device through the “Seagate Media App”. During our study we determined that this application builds its SQL queries dynamically and does not sanitize user input, so it is vulnerable to SQL injection. The dirId parameter of the /folderViewSpecific.psp endpoint was used to confirm the issue, but other vulnerable endpoints and parameters may exist. An attacker may carry out a SQL injection attack via the following steps:
1. Locate a vulnerable injection point. Because this application lacks any form of authentication, this can be done by simply browsing the application and testing endpoints. For this example, we use the dirId parameter at /folderViewSpecific.psp.
2. Inject SQL payloads into the request. Tools such as sqlmap may be used to automate this process. The payload shown below was used during our research (wrapped here across three lines):

   /folderViewSpecific.psp?type=PHOTO&dirId=0'+UNION+ALL+SELECT+NULL,NULL,'qjzkq'
   'RtKnWIwITSSIccNtIhFieqgBnQjKUmzkSYSnrDGS'
   'qzzbq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&start=0&count=100&ordered=ASC&orderby=name&url=/static/Data/

3. Once a working injection point has been located, arbitrary SQL statements may be executed.
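The root cause named above is a query assembled from the raw dirId string. The following added example (written for this page, not Seagate's code) shows that pattern beside its parameterized replacement, and a small detector that flags request query strings carrying the markers seen in the payload above. The table layout, the sample rows, the marker string 'qjzkq' and all function names are constructed for the illustration; SQLite stands in for whatever database the media service actually uses.

```python
# Added example (not Seagate's code): string-built query vs. bound parameter,
# plus a detector for injection markers in a request's query string.
# Table layout, rows and helper names are constructed for this illustration.
import re
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """In-memory SQLite table standing in for the media service's folder index."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE folders (dir_id INTEGER, name TEXT, parent INTEGER);
        INSERT INTO folders VALUES (0, 'Photos', NULL), (1, 'Vacation', 0), (2, 'Work', 0);
    """)
    return conn


def list_folder_vulnerable(conn, dir_id):
    """String-built query: whatever arrives in dirId becomes part of the SQL text."""
    sql = "SELECT dir_id, name FROM folders WHERE parent = '%s'" % dir_id
    return conn.execute(sql).fetchall()


def list_folder_fixed(conn, dir_id):
    """Bound parameter plus type enforcement: the input can only ever be a value."""
    try:
        dir_id = int(dir_id)
    except (TypeError, ValueError):
        raise ValueError("dirId must be an integer")
    sql = "SELECT dir_id, name FROM folders WHERE parent = ?"
    return conn.execute(sql, (dir_id,)).fetchall()


# Markers that injection tooling leaves in a query-string value: a quote that
# closes the string literal, a UNION/SELECT keyword, or a comment that drops
# the rest of the original statement.
SUSPICIOUS = re.compile(r"'|\bUNION\b|\bSELECT\b|--", re.IGNORECASE)


def flag_request(request_path):
    """Return {param: value} for query parameters that look like SQL injection.

    parse_qs decodes '+' and %XX escapes, so the check runs on the same value
    the application itself would see.
    """
    params = parse_qs(urlparse(request_path).query, keep_blank_values=True)
    return {k: v for k, vals in params.items() for v in vals if SUSPICIOUS.search(v)}


if __name__ == "__main__":
    db = make_db()
    # Constructed payload in the style of the advisory: close the literal,
    # append a UNION with a marker string, comment out the trailing quote.
    payload = "0' UNION ALL SELECT NULL,'qjzkq' -- "
    print("vulnerable:", list_folder_vulnerable(db, payload))
    try:
        list_folder_fixed(db, payload)
    except ValueError as exc:
        print("fixed:", exc)
    print("flagged:", flag_request(
        "/folderViewSpecific.psp?type=PHOTO&dirId=0'+UNION+ALL+SELECT+NULL,NULL--+-&start=0"))
```

With the vulnerable function the marker row (None, 'qjzkq') shows up in the result set, which is exactly the confirmation technique the payload above relies on; the fixed function rejects the same input before it ever reaches the database. The detector is deliberately coarse (a single quote in a numeric parameter is enough to raise it) and is meant for web-server or proxy logs in front of a device like this one, where no legitimate dirId value should ever contain a quote or a SQL keyword.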
Vulnerable Systems:

  • Seagate NAS OS 4.3.15.1

CVE Information:
CVE-2019-12295

Disclosure Timeline:
Publish Date: 05/13/2019