SecuriTeam Secure Disclosure
Based on Linux, QNAP QTS 4 is a powerful operating system deployed on all QNAP Turbo NAS devices to bring performance and enhanced functionality under an easy-to-use web GUI. QTS provides traditional NAS capabilities in addition to advanced sharing features and mobile platform support. Moreover, QTS supports custom applications to expand NAS functionality for sharing and media streaming.
On top of a traditional Linux kernel (3.4.6, x86_64), QTS 4 provides NAS capabilities implemented in user-land and a web-based UI built using cgi-bin technology. Although SSH access is available on all QNAP devices, it is possible to completely manage the device using the web interface.
From a technical standpoint, the QTS 4 web UI consists of two main components:
- A web server thttpd and CGI binaries. In the default configuration, this service runs as "admin", a user with root permissions. On 80/tcp, the web server hosts a set of scripts to perform a redirect to port 8080/tcp. The service is also available over SSL (443/tcp) using Apache configured as a reverse-proxy, pointing to 8080/tcp. The webroot is located at /home/httpd.
    $ ps aux | grep thttpd
    5671 admin 3828 S /usr/local/sbin/Qthttpd -p 80 -nor -nos -u admin -d /home/Qhttpd -c **.*
    5716 admin 3916 S /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/._thttpd_.pid
- A set of custom binaries and standard Linux utilities (e.g. ldapsearch) that are invoked from the CGI scripts to perform required tasks.
By default, the web interface is available from remote hosts with no network filtering.
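A defender's check of the process layout described above, as an added example that is not part of the original advisory: it reads BusyBox-style `ps` lines and reports, for each thttpd instance, the account it runs as and whether it binds beyond loopback. The function names, the output format and the third sample line are constructed for illustration; treating "admin" and "root" as root-equivalent follows the advisory's description of QTS.

```shell
#!/bin/sh
# Added example (not from the advisory): classify thttpd instances found in
# BusyBox-style `ps` output (columns: PID USER VSZ STAT COMMAND ARGS...).
# Assumption: "admin" and "root" are the root-equivalent accounts, as the
# advisory states for QTS.

audit_thttpd() {
    awk '
    $5 ~ /thttpd/ {
        port = "80"; addr = "*"            # thttpd defaults: port 80, all interfaces
        for (i = 6; i < NF; i++) {         # scan "-flag value" pairs
            if ($i == "-p") port = $(i + 1)
            if ($i == "-h") addr = $(i + 1)
        }
        priv  = ($2 == "admin" || $2 == "root") ? "yes" : "no"
        reach = (addr ~ /^127\./ || addr == "localhost" || addr == "::1") ? "loopback" : "remote"
        printf "pid=%s port=%s user=%s bind=%s privileged=%s reach=%s\n", $1, port, $2, addr, priv, reach
    }'
}

# The first two lines are the ps output shown in the advisory; the third is
# constructed to show an unprivileged, loopback-only instance for contrast.
sample_ps() {
    cat <<'EOF'
5671 admin 3828 S /usr/local/sbin/Qthttpd -p 80 -nor -nos -u admin -d /home/Qhttpd -c **.*
5716 admin 3916 S /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/._thttpd_.pid
6001 nobody 3700 S /usr/sbin/thttpd -p 8081 -u nobody -d /srv/www -h 127.0.0.1
EOF
}

# Demo on the embedded sample; on a device the input would be: ps | audit_thttpd
sample_ps | audit_thttpd
```

An instance reported as `reach=loopback` is still served to remote clients when a front-end proxies to it, so `privileged=yes` matters on those lines as well.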
A code injection vulnerability has been discovered in the current version of QNAP QTS 4. As mentioned, this vulnerability affects all QNAP NAS products using LDAP authentication. Valid credentials are NOT required in order to exploit this issue, allowing a remote attacker to execute arbitrary system commands as root.