Vulnerabilities > CVE-2014-8684 - Cryptographic Issues vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
codeigniter
kohanaframework
CWE-310
metasploit

Summary

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Metasploit

descriptionSome Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This module has been tested on the STBN300 device.
idMSF:EXPLOIT/LINUX/HTTP/SEAGATE_NAS_PHP_EXEC_NOAUTH
last seen2020-06-10
modified2017-07-24
published2015-03-01
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb
titleSeagate Business NAS Unauthenticated Remote Command Execution

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/130609/seagate_nas_php_exec_noauth.rb.txt
idPACKETSTORM:130609
last seen2016-12-05
published2015-03-02
reporterOJ Reeves
sourcehttps://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
titleSeagate Business NAS Unauthenticated Remote Command Execution