0-Day Critical Vulnerability In QNAP

Undisclosed End User #1

QNAP NAS devices suffer from a critical Heap Overflow in "cgi.cgi" and non critical stack crash in "jc.cgi and mediaGet.cgi".
Successful exploitation of this heap overflow vulnerability can lead to unauthorised root (admin) privileges on QNAP devices with anonymous access. (no credential needed to exploit)

Login to read this IPVM discussion.

Why do I need to log in?

IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

John Honovich

IPVM | 01/03/17 06:20am

#*, ****** *** *******. * ****** *** ***** *** ******** the ******* **** *** ******* ** **** ** *****. *** me **** ** **** *****.

*'* ***** ******* ** **** *** * ***'* **** *** to ***** ****. ** *** **** ** **** ***** * talked ** ****** ** **** *** * ** *** **** who ** *****.

** ** ***** ***** **********/****** ******** ** *** *** ******, and ****'* *** ****** ** ****** *** ********** ****?

Undisclosed End User #1

In reply to Undisclosed #2 | 01/03/17 06:58am

*** **** ** ****, *** ***** **, *** ***** ******* of **** ****** ********.

*** ***** *** **** ** ****** *** ** ** ******** chars ** ******* ******, ******* ** "******** ****" +**** *****.

(**'* ******** *** *** **** ******, *** ********* ******** *** symlinked ** *** **** ****** (*********.***).

**********.*** -> *********.****
***.*** -> *********.****
**.*** -> *********.****
********.*** -> *********.****
********.*** -> *********.****
*******.*** -> *********.****
**********.*** -> *********.****

***** ** **** ******** (****** *******) ** ******** *** ***** password (****** ** **** ** ******* **********) ****'* ****** ** heap **** /***/******.

****** **** ** *** ****** "**** **-***+" *** ****** **** latest ** ******* *.*.* (***** ********)

[*****]
# **** -** "*** /***-***/***.***?*=*****&*=`***((*=*;*-w * ; **** -** "*\***\***\***\***" | ****** -* *` HTTP/1.0\nHost: ***\*\*" | **** --*** ***.***.*.* *** | **** *****
*** ***** ******** *** $*$$************/*********: ****(): ******* **** **** (******): 0x0806e510 ***
#

[****]
#
**** -** "*** /***-***/***.***?*=*****&*=`***((*=*;*0 ; **** -** "*\***\***\***\***" | ****** -* *` ****/*.*\*\*" | **** ***.***.*.* **** | **** *****
*** ***** ******** *** $*$$************/*********: ****(): ******* **** **** (******): 0x0806e510 ***
#

Undisclosed #2

In reply to Undisclosed End User #1 | 01/03/17 07:19am

** **** **** ******** *** * ***** *** ******** ** glibc ** ** *** ***.*** *********** *********** ****** *****?

Undisclosed End User #1

In reply to Undisclosed #2 | 01/03/17 07:24am

****'* ****** ***** ** ****** ********, ******* ** ** **** glibc, **'* ***** **** **** **** ******** *** **, *** it's ***.

Undisclosed End User #1

01/06/17 11:13pm

*****://***.****.***/**/*******/********.***?***=***

John Honovich

IPVM | In reply to Undisclosed End User #1 | 01/06/17 11:19pm

#*, **** ** *** ***** ** ****'* ********?

******** ************** **** ***** **** *** ************* ** *** ****** exploited

Undisclosed End User #1

01/06/17 11:26pm

******** ******* **** (*** ****/****** *****) ** ****** ******** (* would **** **** ** *** **********), *** **** *** ******** hash *** ********* **** "****" - ****'* *** **** ***** - ** ***** **********.

**** ********** ******* ***** *** ** ****.

Undisclosed End User #1

In reply to Undisclosed End User #1 | 01/06/17 11:32pm

**, *** "**** ********" *** "**** *** ******" :)

***** *** *** *********...

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 06:49am

**, *** "**** ********" *** "**** *** ******" :)

**** *** ****** **** ******, *** **** *** *********** *******.

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 03:35pm

*****=?????

Undisclosed End User #1

In reply to Undisclosed #2 | 01/07/17 04:26pm

******** **** *******, ** ******* *** *** **** *** ****** :)

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 05:27pm

***** != *-***

Undisclosed End User #1

In reply to Undisclosed #2 | 01/07/17 11:46pm

******

Undisclosed #2

In reply to Undisclosed End User #1 | 01/08/17 01:15am

******

* **** ** *** ** ****** ******* *** *** ** finish...

*** ***:

#**** -* ****

******* **********.

#********* -** -**** -**

Undisclosed End User #1

01/18/17 06:57am

******* *** ********* ******* ** *** ***** ** ***** **/**/****, QNAP *** *** *** *** *.* & *** *.*

***=*************************************.***, ****=*****************
----------------------------------------------
********** '*************************************.***' ** '*****************/*************************************.***.***' ***** *** **** ...
***** ***-*** ********** - (***************)
***=*******
***** **** = *****
******* = *.*.*
----------------------------------------------
********** '*****************/*************************************.***.***' **** '*****************/**'...

Undisclosed #2

In reply to Undisclosed End User #1 | 01/18/17 11:23am

*******

Undisclosed End User #1

02/03/17 01:44am

****://********.***/**************/****/***/*

Undisclosed #2

In reply to Undisclosed End User #1 | 02/03/17 02:28am

**, ** *** ****, *** **** *****:*****?

*** = ****************** :)

Undisclosed End User #1

In reply to Undisclosed #2 | 02/03/17 02:35am

***, ******* ******** *** ***** ;)

**** ***, * **** *** ;)

Discussion	Posts	Latest
New How Would You Adjust This Camera For Capturing License Plates? (14) Started by Jay Hobdy	14	less than a minute by Undisclosed Integrator #4
New Camera Documentation (2) Started by Paresh Desai	2	less than a minute by Undisclosed #1
New Camera Choice For T Intersection / Hallway? (4) Started by Jay Hobdy	4	less than a minute by Campbell Chang
New Jinan Project — World First Unhackable Computer Network (4) Started by Michael Miller	4	about 10 hours by Undisclosed Manufacturer #2
As I Sit Waiting For An Hour For A Hikvision Reset Code (15) Started by keith maxwell	15	about 9 hours by Jon Dillabaugh

Discussion

Posts

Latest

New

How Would You Adjust This Camera For Capturing License Plates? (14)

Started by Jay Hobdy

less than a minute by Undisclosed Integrator #4

New

Camera Documentation (2)

Started by Paresh Desai

less than a minute by Undisclosed #1

New