Sense of Security – Security Advisory – SOS-12-006 – QNAP Turbo NAS Multiple Vulnerabilities

Sense of Security – Security Advisory – SOS-12-006

Details.

QNAP provide NAS technology solutions to consumers and enterprises.

Multiple vulnerabilities have been identified in the web management

interface.

1. Command Injection:

The QNAP Download Station (QDownload) is vulnerable to command injection

as the application executes user-controllable data that is processed by

a shell command interpreter.

The following resources, accessible post authentication are affected:

/cgi-bin/Qdownload/DS_RSS_Option.cgi [keyword parameter]

/cgi-bin/Qdownload/DS_RSS_Option.cgi [title parameter]

Commands are executed with the context of the admin user [uid=0(admin)

gid=0(administrators] on the QNAP device.

Proof of Concept.

/cgi-bin/Qdownload/DS_RSS_Option.cgi?_dc=1331164660690&url=http:/%2

Fgoogle.com&title=test&keyword=`touch /testo.

txt`&todo=add&sid=i9nonapr&ver=2.0
2. Cryptography:

The QNAP login page stores persistent cookies (including the administrator

username and password) as base64 encoded strings inside the cookie

parameter nas_p. These cookies are not protected with either the HTTPOnly

or Secure flags allowing theft via one of the many cross-site scripting

vulnerabilities which exist within the application (disclosed previously

by another researcher, but never fixed).

Proof of Concept.

Cookie: qnap_admin_style=default; nas_save_u=1; nas_u=bGFicw==;

nas_address=10.1.1.2; nas_save_p=1; nas_p= YWRtaW5UMG1iJTI0dDBuMw==;

nas_tree_x=240; nas_tree_y=370

YWRtaW5UMG1iJTI0dDBuMw== decodes to admin123qweasd

Solution.

No vendor solution.

Discovered by.

Nadeem Salim and Phil Taylor from Sense of Security Labs.