The Seagate Media Server is a UPnp / DLNA Network Attached Storage mechanism incorporated into the Seagate Personal Cloud for individual level use. In an advisory on the IoT security bug hunt website Summer of Pwnage, several SQL injection vulnerabilities in the Seagate Media Server were discovered and discussed, risking the retrieval and modification of personal data stored in the database used by the media server.
The Seagate Personal Cloud is a cloud storage facility that is used to store photos, videos, and other kinds of multimedia in its media server. As personal data is uploaded into this cloud, it is protected with authorization checks and password security, but within its layout, a public folder exists to which unauthorized users have the right to upload data and files.
According to the advisory, this public folder facility can be abused by malicious attackers when they upload troublesome files and media to the folder in the cloud. These unauthorized attackers’ files can then behave the way they’ve been designed to, allowing for arbitrary data retrieval and modification in the media server’s database. Thankfully, the fact that the Seagate Media Server uses a separate SQLite3 database restricts the malicious activity of such attackers and the extent to which they can exploit this vulnerability.
A proof of concept is available along with the advisory which shows that the Django web framework used in the media server deals with .psp extensions. Any uploads that contain this extension are redirected immediately to the Seagate Media Server portion of the cloud through the FastCGI protocol. Manipulating the extensions and injecting malicious files into the media server through the public folder this way could allow attackers to run code to retrieve data from the server or minutely modify what’s already there.
These SQL injection vulnerabilities were found to affect firmware versions 18.104.22.168 and 22.214.171.124 of the Seagate Personal Cloud SRN21C. Although these were the only ones tested, the vendor does expect that other versions may be affected as well. To mitigate the risks posed, a new firmware version 126.96.36.199 has been released for the Seagate Personal Cloud which closes the public folder and extension redirect mechanisms that allow for this kind of vulnerability.