QNAP QTS 4.2.0 Build 20160311 / Build 20160601 Cross Site Scripting
Posted on 18 August 2016
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-050 Product: QNAP QTS Manufacturer: QNAP Affected Version(s): 4.2.0 Build 20160311 and Build 20160601 Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812 Vulnerability Type: Persistent Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: unfixed Manufacturer Notification: 2016-06-03 Solution Date: tbd. Public Disclosure: 2016-08-18 CVE Reference: Not assigned Author of Advisory: Sebastian Nerz (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: QTS is the operating system used by manufacturer QNAP on its series of NAS devices (see [1]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH found a persistent/stored cross-site scripting vulnerability in the file viewer component of the QTS administrative interface. This type of vulnerability allows an attacker to store active content like JavaScript on the system, executing the code in the browser of visitors viewing the affected page. The code can then be used to e.g. execute commands in the scope of the user, infect the users browser and so on. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Log in to the QNAP. The user needs sufficient permissions to create ZIP files. 2. Right-click on a file or directory and select "compress(ZIP)" 3. In the newly opened window, enter a name containing HTML codes like blabla<img src=foo onError=alert(1)> and press OK 4. The code is being executed directly after creating the ZIP. 5. Right-click on the ZIP-file and hover over 'Extract". Again, the code is being executed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released any security update or patch so far. Administrators of QNAP QTS 4.2 installations should ensure that only trusted users/administrators have the neccessary permissions to create or rename directories. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-06-03: Vulnerability discovered and reported to manufacturer 2016-06-20: Vulnerability report confirmed by manufacturer 2016-06-22: Vulnerability report updated to fix error in "hover over" description. 2016-07-06: Manufacturer asked for timeline regarding a fix 2016-07-18: Manufacturer reminded about upcoming public disclosure 2016-08-18: Public disclosure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for QNAP QTS http://www.qnap.com/qts/4.2/en/ [2] SySS Security Advisory SYSS-2016-050 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-050.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: Security vulnerability found by Sebastian Nerz of the SySS GmbH. E-Mail: sebastian.nerz@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc Key ID: 0x9180FDB2 Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCgAGBQJXtWVlAAoJENEtJqSRgP2yicQH/RVeQNcb3qhDUiLlfRMKmV// Fxt52iVXKai0QiWN6GqBOIU0qon4xXvWyiwJckox5QMXJWELi4PPNoyPxfipCp0M Q8jIbm1KbxMt2SAwUUG1fFY1Dvj8/dWt81S/HLWj131M7QParwFhLjiBoFNnerLM 49QSWe4jYonIUbqINqIIEJ1lp3hbHDTBOOlXHQahpxsUvphBsJBKfEJImERJ9vGT VhJam8WJwwKjxsLRDxUiUiL2waLAhdbi2HeJiZy1CplwRvDst2yA5zdDG5iz5O3G zcByMMyk5ZfRATGPYTH6tuEx2SWtFVFIIXPL8FtWi/7vKn2pITcj9vADFvANxSM= =xxMF -----END PGP SIGNATURE-----