-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-049
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found a persistent/stored cross-site scripting
vulnerability in the file viewer component of the QTS administrative
interface.

This type of vulnerability allows an attacker to store active content
like JavaScript on the system, executing the code in the browser of
visitors viewing the affected page. The code can then be used to e.g.
execute commands in the scope of the user, infect the users browser and
so on.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the QNAP. The user needs sufficient permissions to either
create or rename directories.
2. When creating a folder, the QTS web interface runs some checks on the
new name of the created folder. Those checks are only performed with
JavaScript in the browser. If folder-creation or renaming is performed
with a direct request to the QNAP, no string-validation is done.

$ curl --data
'dest_path=%2F[validDirectory]&dest_folder=<img+src=foo+onError=alert(document.cookie)>&sid=[validsid]'
http://[ip]:8080/cgi-bin/filemanager/utilRequest.cgi?func=createdir
3. Open the newly created directory in the file 'File Station'
component. The name of the directory will be displayed without prior
sanitation or encoding, thus executing the provided script.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have the neccessary permissions to create 
or rename directories.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for QNAP QTS
    http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-049
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-049.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
    
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.nerz@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVkAAoJENEtJqSRgP2yU2IH/jfUaEPw5Dql7OvXyceQeYrZ
+XHLGfeOecVbxQi2SjKxRMYRxS1mYDF975Lqfc9/PaKUsgZMk1NRWEYDFyB29AQO
HQQ0s9boANfPaJUSxmF9+DE/CIkh1PI/Zw6s8ox+WtvvLnutWbfll6ERD9xB0MCu
wn9QqseR8Jveg4lF/dHRqzdmBZnCSFJp/INLLs4i5DQsvjSCo/hnWTclyU+gh1jD
xIsUb9xoxE4XgeFfOz8O5SPeULkNupCbn6NHRyjWs1fZXBR0et9ThwQw8fHhjIq8
S3dcX2MEcs/7j2G4tqOLq6e/HIoZ3Nt/1uL8dZ64bLoKS4dXKPwtBmDDV+629R4=
=oJRw
-----END PGP SIGNATURE-----