QNAP TS-239 Firmware 3.3.1 Build 0720T - multiple vulnerabilities

Multiple security vulnerabilities exist in the QNAP TS-239 Pro network attached storage device which could allow an attacker to take control of the device if a user with administrator privileges browses a malicious web page.

Device

Model Name: QNAP TS-239

Firmware 3.3.1 Build 0720T

Manufacturer website: http://www.qnap.com/

Model Specific: The same user interface is in use on other QNAP NAS models. These models are likely to be affected.

Tested

Affected

Vulnerabilities

Administration Panel

Unpatched as of Firmware 3.3.1 Build 0720T

Information Disclosure - Hardware version:

Information Disclosure - Network shares (including hidden shares):

Multimedia Station

Information Disclosure - Directory Traversal vulnerability:

This information disclosure issue was patched in Firmware 3.3.1 Build 0720T. Previous versions are vulnerable.

List folder contents. Affects Multimedia Station admin account only.

Cross Site Scripting vulnerabilities - Affects Multimedia Station admin account only

These XSS issues were patched in Firmware 3.3.1 Build 0720T. Previous versions are vulnerable.

Reflected XSS:

Persistent XSS:

The XSS payload is persistent in user_list.cgi and user_info.cgi

Cross Site Request Forgery vulnerability - Affects Multimedia Station admin account only

This CSRF issue was patched in Firmware 3.3.1 Build 0720T. Previous versions are vulnerable.

Create a user. The description parameter can also be used to inject persistent XSS:

For example, this URL will create a user "asdf" with password "asdfasdf":
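The root cause of the create-user CSRF above is a state change accepted on a plain GET, gated only by the session cookie that the browser attaches to any cross-site request, with the description stored unescaped. The following is an added illustration, not QNAP's code: a constructed, minimal model of such a handler next to a hardened version that requires POST, checks the Origin/Referer host and validates a per-session synchronizer token. Host name, session ids and the request layout are assumptions.

```python
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs, urlparse

# Constructed model of a NAS admin CGI "create user" handler (hypothetical names,
# not QNAP's code). A request is a dict: method, url, headers, cookies, form.
EXPECTED_HOST = "nas.example.internal"        # assumed device host name
SESSION_SECRET = secrets.token_bytes(32)      # per-process key for token derivation
VALID_SESSIONS = {"s-admin-1"}                # constructed logged-in session ids


def csrf_token(session_id: str) -> str:
    """Derive a per-session synchronizer token (HMAC, so it cannot be forged)."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_create_user(request, users):
    """The advisory's pattern: a state change on GET, gated only by the session
    cookie. The browser sends that cookie with a cross-site <img src=...> too."""
    if request["cookies"].get("session") not in VALID_SESSIONS:
        return 401
    q = parse_qs(urlparse(request["url"]).query)
    # description is stored raw, which is why it also carries persistent XSS
    users[q["user"][0]] = {"description": q.get("description", [""])[0]}
    return 200


def hardened_create_user(request, users):
    """Same operation with the checks a CSRF fix needs."""
    if request["method"] != "POST":
        return 405                                   # no state change on GET
    session = request["cookies"].get("session")
    if session not in VALID_SESSIONS:
        return 401
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if urlparse(origin).hostname != EXPECTED_HOST:
        return 403                                   # cross-site request
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session)):
        return 403                                   # missing or forged token
    # escaped on store here for brevity; escaping at render time is the usual choice
    desc = escape(request["form"].get("description", ""))
    users[request["form"]["user"]] = {"description": desc}
    return 200
```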

Cross Site Request Forgery vulnerabilities - Affects all Multimedia Station accounts

These CSRF issues were patched in Firmware 3.3.1 Build 0720T. Previous versions are vulnerable.

Arbitrary file moving/renaming:

For example, this URL will rename /etc/passwd to /etc/passwd2:

Arbitrary folder creation:

For example, this URL will create the /asdf directory:

TwonkyVision

Unpatched as of Firmware 3.3.1 Build 0720T

Twonky Vision distributed with QNAP TS-239 is vulnerable to reflected cross site scripting.

Proof of concept

In versions prior to Firmware 3.3.1 Build 0720T an attacker could combine these vulnerabilities to add a PHP Backdoor, steal files or stop some services on the device.

PHP Backdoor:

The "Network Recycle Bin 1" and "Public" shared directories are guest-writeable by default. An attacker can create a PHP backdoor with httpdusr permissions using CSRF if there is a writable share and the Web Server and Multimedia Station applications are enabled.

The attacker uploads a generic PHP backdoor (a.php in this example) to the Public share. The attacker then tricks a user into moving the backdoor to the Qweb share using the aforementioned arbitrary file moving/renaming CSRF vulnerability:

Now the attacker can execute commands with httpdusr permissions. Reading the shadow file, for example:

Denial of Service:

Tricking a user into moving /etc/shadow will lock users out.

Moving /bin/busybox causes the device to beep continuously.

Vendor Notification:

2010-04-20 10:55 PM : QNAP (support@qnap.com)

Subject: multiple security vulnerabilities - QNAP TS-239 Firmware 3.2.5 Build 0410T

Replies: None [ No deadline given ]

2010-07-21 : QNAP has released the v3.3.1 Build0720 official firmware for TS-239.

Multiple issues fixed (not mentioned in the changelog). Information disclosure and cross site scripting vulnerabilities remain.

Reference

OWASP: Cross Site Request Forgery

OWASP: Cross Site Scripting

OWASP: Default Passwords

OWASP: Denial of Service

OWASP: Information Disclosure

OWASP: Unrestricted File Upload