QNAP Pre-Auth Root RCE Affecting ~312K Devices on the Internet

In 2019, I discovered multiple vulnerabilities in QNAP Photo Station and CGI programs. These vulnerabilities can be chained into a pre-auth root RCE, which means an attacker could run code as root remotely without logging in. CyCraft was able to find this bug by giving its researchers 10% of their work time to bug hunting and bounties to keep their skills sharp and relevant.

All QNAP NAS models are vulnerable, and there are ~312K vulnerable QNAS NAS instances on the Internet (see statistical prediction below). These vulnerabilities have been responsibly reported, fixed, and assigned the following CVEs:

• CVE-2019–7192 (CVSS 9.8)
• CVE-2019–7193 (CVSS 9.8)
• CVE-2019–7194 (CVSS 9.8)
• CVE-2019–7195 (CVSS 9.8).

This article is the first public disclosure, focusing on only three of the vulnerabilities as they’re enough to achieve pre-auth root RCE.

‍

Impact

Vulnerable Instances

The following Shodan search reveals 564,000 QNAP instances on the Internet. Among those, 590 of 1065 randomly chosen instances have Photo Station enabled. (Checked via GET /photo/slideshow.php responding with Invalid album selection) Statistically speaking, with 95% confidence and a 3% margin of error, there should be approx. 312K instances with Photo Station enabled, which were all vulnerable at the time of discovery (2019).

‍

‍

Affected Photo Station Versions

All downloadable versions before the fixed ones (6.0.3, 5.2.11, 5.4.9) were affected.

Visit QNAP’s Security Advisory for details concerning version info and how to fix the vulnerabilities.

‍

Redaction

This article has been greatly redacted as requested by QNAP PSIRT to give more users extended lead time to get patched.

Now, let’s take a look at the 3 vulnerabilities that will later be chained to make a pre-auth root RCE.

‍

Vulnerability 1: Pre-Auth Local File Disclosure (Effectively a Login Bypass)

‍

Upgrading the Pre-Auth Local File Disclosure to Privilege Escalation (Login Bypass)

We can use this pre-auth local file disclosure to read a magic file that contains a login token, which we can use to authenticate as a valid builtin user appuser.

Magic file [redacted]:

[redacted]

• the file content won’t change after factory reset
• the file is generated when [redacted] succeeds for the first time
• [redacted] is encrypted
• PhotoStation caches a plaintext version of [redacted] in [redacted]

[redacted]

Therefore, we can use vulnerability 1 to read the cached plaintext token to bypass the login and authenticate as appuser:

[Redacted: picture of authentication bypass]

With this trick, vulnerability 1 is actually an authentication bypass.

Quick recap:

• [redacted]
• [redacted]
• [redacted]

‍

Vulnerability 2: Authenticated Session Tampering — Writing PHP Code to Session

Being authenticated as appuser gives us access to the SMTP setting, which has an improper filtering in the email string. An authenticated attacker can [redacted], and this can be chained in the next vulnerability, or other file inclusion vulnerabilities (e.g. [redacted]).

‍

POC: Authenticated Session Tampering

[Redacted picture of session tampering]

‍

Vulnerability 3: (Pre-Auth) Writing Session to Arbitrary Location

This section is redacted due to the request of QNAP PSIRT.

This vulnerability enables an unauthenticated attacker to write session contents ([redacted]) to arbitrary location on the server.

Vulnerable code:

[Redacted]

POC: Writing Session to Arbitrary Location

[Redacted]

‍

Chaining for Pre-Auth Root RCE

• Use vulnerability 1 to bypass authentication and authenticate as appuser
• Use vulnerability 2 to put [redacted] code (via SMTP email) in [redacted] session ([redacted])
• Use vulnerability 3 to write the polluted [redacted] session to Photo Station’s web directory to make a webshell

[redacted]

‍

Disclosure

• 2019/06/14: reported technical details to QNAP

• 2019/12/16: vendor fixed all 4 vulnerabilities, offered to provide a bounty (the amount is concealed due to the bounty terms)

• 2019/12/31: got bounty

• 2020/05/19: public disclosure

• 2020/06/09: details of vulnerability 1 is redacted due to vendor’s request

• 2020/06/10: details of vulnerability 2 & 2 are redacted due to vendor’s request

• 2020/06/19: more redaction due to vendor’s request

‍

Conclusion

Three vulnerabilities are chained to get this pre-auth root RCE in QNAP Photo Station, and it works on all QNAP’s NAS models. Several tricks for exploiting QNAP products are also disclosed. Hopefully, QNAP fixes running the web server as root; otherwise, I’m pretty sure there will be more high-CVSS CVEs coming up.

QNAP probably needs to conduct a thorough security auditing of their code base and configuration, as their CGI programs and PHP code contain lots of instances of string concatenation without proper sanitization, which is a textbook example of injection that every hacker learns the first day they start hacking.

PHP is an excellent language full of features that make programming easier, but it can sometimes cause unexpected behavior of which many PHP users aren’t aware of, e.g. file stream wrappers, tsrm_realpath, etc. The latter part is what made PHP notorious for security issues: Convenience often contradicts security.

‍

Other Vulnerabilities Discovered by CyCraft:

Our research team jokingly refer to their 10% bug hunting time as our “Bug Bounty Hunting Happy Hour.” Other vulnerabilities discovered during “happy hour” include:

• phpmyadmin 4.8.0~4.8.1

• RCE pre-auth root RCE in Synology

‍

Key Takeaways:

• UPGRADE YOUR QNAP NAS NOW, if you haven’t already

• [redacted]

• There is a way to decrypt [redacted], but we’ll leave it as your homework

• QNAP’s web server runs as [redacted]

• [redacted] might give you some more 0days

‍

Vendor Advisory

https://www.qnap.com/zh-tw/security-advisory/nas-201911-25