[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CABdo3paYhOaXLzqYjZkiEvwOYWurt=Lm3vj7BHVH_vSvs3nzsA@mail.gmail.com>
Date: Sat, 25 Jul 2015 18:05:24 +1000
From: Mark Cross <mark@...ozobo.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE Requested: Reflected Cross-Site Scripting (XSS) in QNAP
TS-x09 Turbo NAS
On the 7th of July 2015 I discovered a reflected cross-site scripting
(XSS) vulnerability in QNAP TS-x09 Network Attached Storage devices.
Full disclosure was undertaken with the vendor and a CVE-ID has been
requested from Mitre.
CVE-ID: requested via PGP email
7th July 2015
Author: Mark Cross
Twitter: @xerubus
WWW: www.mogozobo.com
Reference: http://www.mogozobo.com/?p=2574
====================
Summary
====================
A reflected Cross-Site scripting vulnerability was found in QNAP
TS-109/209/409/409U Turbo NAS devices, including Standard, II, PRO and
PRO-II models running <= Version 3.3.3 Build 1003T. A vulnerability in
the sid variable in cgi-bin/user_index.cgi and cgi-bin/index.cgi
allows a remote unauthenticated attacker to inject arbitrary
JavaScript which is executed server-side by escaping from the
quotation marks.
====================
Disclosure Timeline
====================
07 July 2015
– Requested PGP from vendor via website for secure communications.
– Requested CVE identifier from MITRE via PGP.
08 July 2015
– Received email from vendor with security contact and PGP key.
– Received email from Mitre requesting further information.
– Emailed vendor full vulnerability details via PGP email
– Emailed further details to Mitre as requested.
10 July 2015
– Emailed security contact for confirmation of receipt of previous email
13 July 2015
– Requested acceptance and mutually agreeable disclosure period
21 July 2015
– Vendor advised they will not be releasing a new firmware.
– Advised vendor public disclosure date will be Friday 24th July 2015
24 July 2015
– Provided MITRE will full vulnerability details
– Advised MITRE that vendor will not be patching vulnerability
– Re-requested CVE-IDs be released
- Vulnerability published on mogozobo.com
- Vulnerability publicly disclosed via Full Disclosure mailing list.
====================
Status
====================
Published
====================
Tested versions
====================
This vulnerability was tested on the following QNAP devices:
– TS-109 PRO and TS-109 II Version 3.3.0 Build 0924T
– TS-209 and TS-209 PRO II Version 3.3.3 Build 1003T
– TS-409 and TS-409U Version 3.3.2 Build 0918T
====================
Details
====================
The QNAP NAS Management Software, embedded as firmware, is accessible
via a web-based interface on all Turbo NAS devices. A vulnerability in
the sid variables in cgi-bin/user_index.cgi and cgi-bin/index.cgi
allows a remote unauthenticated attacker to inject arbitrary
JavaScript which is executed server-side by escaping from the
quotation marks.
An attacker may exploit the reflected XSS vulnerability to cause a
victim to execute the malicious JavaScript code within the user’s
browser. The malicious code can perform, but is not limited to,
stealing a victim’s session token or login credentials, log the
victim’s keystrokes, or perform arbitrary actions on the victim’s
behalf.
====================
Vulnerable URLs:
====================
http://target:8080/cgi-bin/user_index.cgi
http://target:8080/cgi-bin/index.cgi
====================
XSS Proof-of-concept (POC)
====================
The following proof-of-concept (POC) demonstrates the injection:
http://target:8080/cgi-bin/user_index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f
http://target:8080/cgi-bin/index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f
# Example
$ curl -A "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
Firefox/31.0 Iceweasel/31.8.0"
'http://<redacted>:8080/cgi-bin/user_index.cgi?sid=";alert("XSS")//'
-s | grep XSS
var sid = "";alert("XSS")//";
====================
Vulnerability solution
====================
QNAP have advised that they will not release a new firmware to address
the vulnerabilities.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists