lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 25 Jul 2015 18:05:24 +1000
From: Mark Cross <mark@...ozobo.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE Requested: Reflected Cross-Site Scripting (XSS) in QNAP
 TS-x09 Turbo NAS

On the 7th of July 2015 I discovered a reflected cross-site scripting
(XSS) vulnerability in QNAP TS-x09 Network Attached Storage devices.
Full disclosure was undertaken with the vendor and a CVE-ID has been
requested from Mitre.

CVE-ID: requested via PGP email

7th July 2015
Author: Mark Cross
Twitter: @xerubus
WWW: www.mogozobo.com
Reference: http://www.mogozobo.com/?p=2574

====================
Summary
====================

A reflected Cross-Site scripting vulnerability was found in QNAP
TS-109/209/409/409U Turbo NAS devices, including Standard, II, PRO and
PRO-II models running <= Version 3.3.3 Build 1003T. A vulnerability in
the sid variable in cgi-bin/user_index.cgi and cgi-bin/index.cgi
allows a remote unauthenticated attacker to inject arbitrary
JavaScript which is executed server-side by escaping from the
quotation marks.

====================
Disclosure Timeline
====================

07 July 2015
– Requested PGP from vendor via website for secure communications.
– Requested CVE identifier from MITRE via PGP.

08 July 2015
– Received email from vendor with security contact and PGP key.
– Received email from Mitre requesting further information.
– Emailed vendor full vulnerability details via PGP email
– Emailed further details to Mitre as requested.

10 July 2015
– Emailed security contact for confirmation of receipt of previous email

13 July 2015
– Requested acceptance and mutually agreeable disclosure period

21 July 2015
– Vendor advised they will not be releasing a new firmware.
– Advised vendor public disclosure date will be Friday 24th July 2015

24 July 2015
– Provided MITRE will full vulnerability details
– Advised MITRE that vendor will not be patching vulnerability
– Re-requested CVE-IDs be released
- Vulnerability published on mogozobo.com
- Vulnerability publicly disclosed via Full Disclosure mailing list.


====================
Status
====================

Published

====================
Tested versions
====================

This vulnerability was tested on the following QNAP devices:

– TS-109 PRO and TS-109 II Version 3.3.0 Build 0924T
– TS-209 and TS-209 PRO II Version 3.3.3 Build 1003T
– TS-409 and TS-409U Version 3.3.2 Build 0918T

====================
Details
====================

The QNAP NAS Management Software, embedded as firmware, is accessible
via a web-based interface on all Turbo NAS devices. A vulnerability in
the sid variables in cgi-bin/user_index.cgi and cgi-bin/index.cgi
allows a remote unauthenticated attacker to inject arbitrary
JavaScript which is executed server-side by escaping from the
quotation marks.

An attacker may exploit the reflected XSS vulnerability to cause a
victim to execute the malicious JavaScript code within the user’s
browser. The malicious code can perform, but is not limited to,
stealing a victim’s session token or login credentials, log the
victim’s keystrokes, or perform arbitrary actions on the victim’s
behalf.

====================
Vulnerable URLs:
====================

http://target:8080/cgi-bin/user_index.cgi
http://target:8080/cgi-bin/index.cgi

====================
XSS Proof-of-concept (POC)
====================

The following proof-of-concept (POC) demonstrates the injection:

http://target:8080/cgi-bin/user_index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f
http://target:8080/cgi-bin/index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f

# Example

$ curl -A "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
Firefox/31.0 Iceweasel/31.8.0"
'http://<redacted>:8080/cgi-bin/user_index.cgi?sid=";alert("XSS")//'
-s | grep XSS

var sid = "";alert("XSS")//";

====================
Vulnerability solution
====================

QNAP have advised that they will not release a new firmware to address
the vulnerabilities.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists