SQL Injection Vulnerabilities in Seagate Personal Cloud Media Server allow Retrieval of Private Data

The Seagate Media Server is a UPnp / DLNA Network Attached Storage mechanism incorporated into the Seagate Personal Cloud for individual level use. In an advisory on the IoT security bug hunt website Summer of Pwnage, several SQL injection vulnerabilities in the Seagate Media Server were discovered and discussed, risking the retrieval and modification of personal data stored in the database used by the media server.

The Seagate Personal Cloud is a cloud storage facility that is used to store photos, videos, and other kinds of multimedia in its media server. As personal data is uploaded into this cloud, it is protected with authorization checks and password security, but within its layout, a public folder exists to which unauthorized users have the right to upload data and files.

According to the advisory, this public folder facility can be abused by malicious attackers when they upload troublesome files and media to the folder in the cloud. These unauthorized attackers’ files can then behave the way they’ve been designed to, allowing for arbitrary data retrieval and modification in the media server’s database. Thankfully, the fact that the Seagate Media Server uses a separate SQLite3 database restricts the malicious activity of such attackers and the extent to which they can exploit this vulnerability.

A proof of concept is available along with the advisory which shows that the Django web framework used in the media server deals with .psp extensions. Any uploads that contain this extension are redirected immediately to the Seagate Media Server portion of the cloud through the FastCGI protocol. Manipulating the extensions and injecting malicious files into the media server through the public folder this way could allow attackers to run code to retrieve data from the server or minutely modify what’s already there.

These SQL injection vulnerabilities were found to affect firmware versions and of the Seagate Personal Cloud SRN21C. Although these were the only ones tested, the vendor does expect that other versions may be affected as well. To mitigate the risks posed, a new firmware version has been released for the Seagate Personal Cloud which closes the public folder and extension redirect mechanisms that allow for this kind of vulnerability.

Aaron Michael
Aaron Micheal is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge in gaming makes him a very competent writer. What makes him unique is his growing interest in the state of the art technologies that motivates him to learn, adopt, and integrate latest techniques into his work.