-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-049 Product: QNAP QTS Manufacturer: QNAP Affected Version(s): 4.2.0 Build 20160311 and Build 20160601 Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812 Vulnerability Type: Persistent Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: unfixed Manufacturer Notification: 2016-06-03 Solution Date: tbd. Public Disclosure: 2016-08-18 CVE Reference: Not assigned Author of Advisory: Sebastian Nerz (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: QTS is the operating system used by manufacturer QNAP on its series of NAS devices (see [1]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH found a persistent/stored cross-site scripting vulnerability in the file viewer component of the QTS administrative interface. This type of vulnerability allows an attacker to store active content like JavaScript on the system, executing the code in the browser of visitors viewing the affected page. The code can then be used to e.g. execute commands in the scope of the user, infect the users browser and so on. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Log in to the QNAP. The user needs sufficient permissions to either create or rename directories. 2. When creating a folder, the QTS web interface runs some checks on the new name of the created folder. Those checks are only performed with JavaScript in the browser. If folder-creation or renaming is performed with a direct request to the QNAP, no string-validation is done. $ curl --data 'dest_path=%2F[validDirectory]&dest_folder=<img+src=foo+onError=alert(document.cookie)>&sid=[validsid]' http://[ip]:8080/cgi-bin/filemanager/utilRequest.cgi?func=createdir 3. Open the newly created directory in the file 'File Station' component. The name of the directory will be displayed without prior sanitation or encoding, thus executing the provided script. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released any security update or patch so far. Administrators of QNAP QTS 4.2 installations should ensure that only trusted users/administrators have the neccessary permissions to create or rename directories. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-06-03: Vulnerability discovered and reported to manufacturer 2016-06-20: Vulnerability report confirmed by manufacturer 2016-07-06: Manufacturer asked for timeline regarding a fix 2016-07-18: Manufacturer reminded about upcoming public disclosure 2016-08-18: Public disclosure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for QNAP QTS http://www.qnap.com/qts/4.2/en/ [2] SySS Security Advisory SYSS-2016-049 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-049.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: Security vulnerability found by Sebastian Nerz of the SySS GmbH. E-Mail: sebastian.nerz@xxxxxxx Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc Key ID: 0x9180FDB2 Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCgAGBQJXtWVkAAoJENEtJqSRgP2yU2IH/jfUaEPw5Dql7OvXyceQeYrZ +XHLGfeOecVbxQi2SjKxRMYRxS1mYDF975Lqfc9/PaKUsgZMk1NRWEYDFyB29AQO HQQ0s9boANfPaJUSxmF9+DE/CIkh1PI/Zw6s8ox+WtvvLnutWbfll6ERD9xB0MCu wn9QqseR8Jveg4lF/dHRqzdmBZnCSFJp/INLLs4i5DQsvjSCo/hnWTclyU+gh1jD xIsUb9xoxE4XgeFfOz8O5SPeULkNupCbn6NHRyjWs1fZXBR0et9ThwQw8fHhjIq8 S3dcX2MEcs/7j2G4tqOLq6e/HIoZ3Nt/1uL8dZ64bLoKS4dXKPwtBmDDV+629R4= =oJRw -----END PGP SIGNATURE-----