lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201608181006.u7IA6ROL006328@sf01web2.securityfocus.com>
Date: Thu, 18 Aug 2016 10:06:27 GMT
From: bugtraq@...z.syss.de
To: bugtraq@...urityfocus.com
Subject: [SYSS-2016-050] QNAP QTS - Persistent Cross-Site Scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-050
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found a persistent/stored cross-site scripting
vulnerability in the file viewer component of the QTS administrative
interface.

This type of vulnerability allows an attacker to store active content
like JavaScript on the system, executing the code in the browser of
visitors viewing the affected page. The code can then be used to e.g.
execute commands in the scope of the user, infect the users browser and
so on.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):


1. Log in to the QNAP. The user needs sufficient permissions to create
ZIP files.
2. Right-click on a file or directory and select "compress(ZIP)"
3. In the newly opened window, enter a name containing HTML codes like
blabla<img src=foo onError=alert(1)>
and press OK
4. The code is being executed directly after creating the ZIP.
5. Right-click on the ZIP-file and hover over 'Extract".
Again, the code is being executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have the neccessary permissions to create 
or rename directories.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-06-22: Vulnerability report updated to fix error in "hover over" 
description.
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for QNAP QTS
    http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-050
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-050.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
    
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.nerz@...s.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVlAAoJENEtJqSRgP2yicQH/RVeQNcb3qhDUiLlfRMKmV//
Fxt52iVXKai0QiWN6GqBOIU0qon4xXvWyiwJckox5QMXJWELi4PPNoyPxfipCp0M
Q8jIbm1KbxMt2SAwUUG1fFY1Dvj8/dWt81S/HLWj131M7QParwFhLjiBoFNnerLM
49QSWe4jYonIUbqINqIIEJ1lp3hbHDTBOOlXHQahpxsUvphBsJBKfEJImERJ9vGT
VhJam8WJwwKjxsLRDxUiUiL2waLAhdbi2HeJiZy1CplwRvDst2yA5zdDG5iz5O3G
zcByMMyk5ZfRATGPYTH6tuEx2SWtFVFIIXPL8FtWi/7vKn2pITcj9vADFvANxSM=
=xxMF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ