QNAP QTS 4.2.0 Build 20160311 / Build 20160601 Cross Site Scripting

2016-08-19T00:00:00
ID PACKETSTORM:138426
Type packetstorm
Reporter Sebastian Nerz
Modified 2016-08-19T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2016-049  
Product: QNAP QTS  
Manufacturer: QNAP  
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601  
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812  
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)  
Risk Level: Medium  
Solution Status: unfixed  
Manufacturer Notification: 2016-06-03  
Solution Date: tbd.  
Public Disclosure: 2016-08-18  
CVE Reference: Not assigned  
Author of Advisory: Sebastian Nerz (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
QTS is the operating system used by manufacturer QNAP on its series of  
NAS devices (see [1]).  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The SySS GmbH found a persistent/stored cross-site scripting  
vulnerability in the file viewer component of the QTS administrative  
interface.  
  
This type of vulnerability allows an attacker to store active content  
like JavaScript on the system, executing the code in the browser of  
visitors viewing the affected page. The code can then be used to e.g.  
execute commands in the scope of the user, infect the users browser and  
so on.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
1. Log in to the QNAP. The user needs sufficient permissions to either  
create or rename directories.  
2. When creating a folder, the QTS web interface runs some checks on the  
new name of the created folder. Those checks are only performed with  
JavaScript in the browser. If folder-creation or renaming is performed  
with a direct request to the QNAP, no string-validation is done.  
  
$ curl --data  
'dest_path=%2F[validDirectory]&dest_folder=<img+src=foo+onError=alert(document.cookie)>&sid=[validsid]'  
http://[ip]:8080/cgi-bin/filemanager/utilRequest.cgi?func=createdir  
3. Open the newly created directory in the file 'File Station'  
component. The name of the directory will be displayed without prior  
sanitation or encoding, thus executing the provided script.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The manufacturer has not released any security update or patch so far.  
Administrators of QNAP QTS 4.2 installations should ensure that only   
trusted users/administrators have the neccessary permissions to create   
or rename directories.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2016-06-03: Vulnerability discovered and reported to manufacturer  
2016-06-20: Vulnerability report confirmed by manufacturer  
2016-07-06: Manufacturer asked for timeline regarding a fix  
2016-07-18: Manufacturer reminded about upcoming public disclosure  
2016-08-18: Public disclosure  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for QNAP QTS  
http://www.qnap.com/qts/4.2/en/  
[2] SySS Security Advisory SYSS-2016-049  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-049.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
Security vulnerability found by Sebastian Nerz of the SySS GmbH.  
  
E-Mail: sebastian.nerz@syss.de  
Public Key:  
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc  
Key ID: 0x9180FDB2  
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQEcBAEBCgAGBQJXtWVkAAoJENEtJqSRgP2yU2IH/jfUaEPw5Dql7OvXyceQeYrZ  
+XHLGfeOecVbxQi2SjKxRMYRxS1mYDF975Lqfc9/PaKUsgZMk1NRWEYDFyB29AQO  
HQQ0s9boANfPaJUSxmF9+DE/CIkh1PI/Zw6s8ox+WtvvLnutWbfll6ERD9xB0MCu  
wn9QqseR8Jveg4lF/dHRqzdmBZnCSFJp/INLLs4i5DQsvjSCo/hnWTclyU+gh1jD  
xIsUb9xoxE4XgeFfOz8O5SPeULkNupCbn6NHRyjWs1fZXBR0et9ThwQw8fHhjIq8  
S3dcX2MEcs/7j2G4tqOLq6e/HIoZ3Nt/1uL8dZ64bLoKS4dXKPwtBmDDV+629R4=  
=oJRw  
-----END PGP SIGNATURE-----  
`