Security researcher Benjamin Daniel Mussler has unearthed an XSS flaw affecting seven D-Link NAS devices – a flaw which could allow attackers to access the devices and peruse and change the stored contents.
He first found it in the firmware of D-Link DNS-320 rev A, a Network Storage Enclosure that allows users to access stored data via SMB and can be configured through a web interface.
“The device’s administrative web interface contains a Stored Cross-Site Scripting vulnerability, exploitable through an unauthenticated SMB login attempt (445/tcp). The injected code is executed when the victim logs into the administrative web interface,” he explained.
“Unlike reflected XSS vulnerabilities, it does not require the victim to open an attacker-supplied link or to visit a malicious web page. This is one of the relatively few XSS vulnerabilities where malicious code can be injected despite having neither direct nor indirect access to the vulnerable web application. As such, it can be exploited even when access to ports 80/tcp (HTTP) and 443/tcp (HTTPS) is denied.”
And, he pointed out, “due to the nature of the vulnerability, it would be trivial to automate the injection of malicious code into a number of vulnerable devices.”
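As an added illustration (not the researcher's PoC and not D-Link's firmware code), the pattern behind a bug of this kind and its fix, in Python: an admin page that lists recent SMB login attempts, once concatenating the attacker-supplied user name into the HTML raw and once escaping it on output, plus a defender-side check over the same records. The record layout and the user name as the injected field are assumptions; the advisory only says the unauthenticated login attempt is the vector.

```python
import html
import re

# Constructed sample records of the kind an SMB service might keep for
# login attempts (assumed layout; the real firmware log format is not
# published in the advisory).
SAMPLE_ATTEMPTS = [
    {"user": "alice", "src": "192.0.2.10", "ok": False},
    {"user": "<script>alert(1)</script>", "src": "192.0.2.77", "ok": False},
    {"user": "bob", "src": "192.0.2.11", "ok": True},
]


def render_attempts_vulnerable(attempts):
    """Builds the 'recent SMB logins' table the way a stored-XSS bug does:
    the attacker-controlled user name lands in the page untouched, so it
    runs in the administrator's browser on the next login."""
    rows = "".join(
        f"<tr><td>{a['user']}</td><td>{a['src']}</td></tr>" for a in attempts
    )
    return f"<table>{rows}</table>"


def render_attempts_safe(attempts):
    """Same table, with every untrusted field HTML-escaped at output time."""
    rows = "".join(
        f"<tr><td>{html.escape(a['user'])}</td>"
        f"<td>{html.escape(a['src'])}</td></tr>"
        for a in attempts
    )
    return f"<table>{rows}</table>"


# Characters a legitimate SMB user name has no need for and that an HTML
# context would interpret as markup.
_MARKUP = re.compile(r"[<>\"'&]")


def suspicious_attempts(attempts):
    """Defender-side check: flag login attempts whose user name carries
    HTML metacharacters, the signature of an injection through 445/tcp."""
    return [a for a in attempts if _MARKUP.search(a["user"])]


if __name__ == "__main__":
    print(render_attempts_safe(SAMPLE_ATTEMPTS))
    for a in suspicious_attempts(SAMPLE_ATTEMPTS):
        print("suspicious SMB login attempt from", a["src"], "user:", a["user"])
```

Running the check over existing login records before opening the admin interface is the kind of precaution the advisory's last paragraph alludes to: it tells you whether something is already waiting to execute.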
After he got in touch with D-Link, the company confirmed that the same vulnerability exists in six other NAS models: DNS-320 rev B, DNS-320L, DNS-325, DNS-327L, DNS-340L, and DNS-345.
When Mussler publicly released information about the flaw at the beginning of August, there was no indication that it was being exploited in the wild. But since he also published PoC code at the time, it is possible that someone has started exploiting it in the meantime.
Ransomware authors might use it to maximize the reach of their malware.
“NAS devices are often used to store backups of data the user considers important enough to keep a copy of. The vulnerability described in this advisory enables ransomware to have data deleted from a NAS device the next time the victim logs into the administrative web interface,” he noted.
That’s one reason why, even for devices for which a firmware update solving the problem has been made available, users should be careful when applying it.
“If D-Link addresses the vulnerability with a firmware update, its installation will require users to log into the vulnerable web interface. However, if an attacker has already managed to store malicious code inside the web interface, logging in to install the update may cause this code to be executed,” Mussler pointed out, and offered advice on the precautions to take to minimize the risk to the stored data.