0-Day Critical Vulnerability In QNAP

Undisclosed End User #1

QNAP NAS devices suffer from a critical Heap Overflow in "cgi.cgi" and non critical stack crash in "jc.cgi and mediaGet.cgi".
Successful exploitation of this heap overflow vulnerability can lead to unauthorised root (admin) privileges on QNAP devices with anonymous access. (no credential needed to exploit)

Login to read this IPVM discussion.

Why do I need to log in?

IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

John Honovich

IPVM | 01/03/17 06:20am

#*, ****** *** *******. * ****** *** ***** *** ******** the ******* **** *** ******* ** **** ** *****. *** me **** ** **** *****.

*'* ***** ******* ** **** *** * ***'* **** *** to ***** ****. ** *** **** ** **** ***** * talked ** ****** ** **** *** * ** *** **** who ** *****.

** ** ***** ***** **********/****** ******** ** *** *** ******, and ****'* *** ****** ** ****** *** ********** ****?

Undisclosed End User #1

In reply to Undisclosed #2 | 01/03/17 06:58am

*** **** ** ****, *** ***** **, *** ***** ******* of **** ****** ********.

*** ***** *** **** ** ****** *** ** ** ******** chars ** ******* ******, ******* ** "******** ****" +**** *****.

(**'* ******** *** *** **** ******, *** ********* ******** *** symlinked ** *** **** ****** (*********.***).

**********.*** -> *********.****
***.*** -> *********.****
**.*** -> *********.****
********.*** -> *********.****
********.*** -> *********.****
*******.*** -> *********.****
**********.*** -> *********.****

***** ** **** ******** (****** *******) ** ******** *** ***** password (****** ** **** ** ******* **********) ****'* ****** ** heap **** /***/******.

****** **** ** *** ****** "**** **-***+" *** ****** **** latest ** ******* *.*.* (***** ********)

[*****]
# **** -** "*** /***-***/***.***?*=*****&*=`***((*=*;*-w * ; **** -** "*\***\***\***\***" | ****** -* *` HTTP/1.0\nHost: ***\*\*" | **** --*** ***.***.*.* *** | **** *****
*** ***** ******** *** $*$$************/*********: ****(): ******* **** **** (******): 0x0806e510 ***
#

[****]
#
**** -** "*** /***-***/***.***?*=*****&*=`***((*=*;*0 ; **** -** "*\***\***\***\***" | ****** -* *` ****/*.*\*\*" | **** ***.***.*.* **** | **** *****
*** ***** ******** *** $*$$************/*********: ****(): ******* **** **** (******): 0x0806e510 ***
#

Undisclosed #2

In reply to Undisclosed End User #1 | 01/03/17 07:19am

** **** **** ******** *** * ***** *** ******** ** glibc ** ** *** ***.*** *********** *********** ****** *****?

Undisclosed End User #1

In reply to Undisclosed #2 | 01/03/17 07:24am

****'* ****** ***** ** ****** ********, ******* ** ** **** glibc, **'* ***** **** **** **** ******** *** **, *** it's ***.

Undisclosed End User #1

01/06/17 11:13pm

*****://***.****.***/**/*******/********.***?***=***

John Honovich

IPVM | In reply to Undisclosed End User #1 | 01/06/17 11:19pm

#*, **** ** *** ***** ** ****'* ********?

******** ************** **** ***** **** *** ************* ** *** ****** exploited

Undisclosed End User #1

01/06/17 11:26pm

******** ******* **** (*** ****/****** *****) ** ****** ******** (* would **** **** ** *** **********), *** **** *** ******** hash *** ********* **** "****" - ****'* *** **** ***** - ** ***** **********.

**** ********** ******* ***** *** ** ****.

Undisclosed End User #1

In reply to Undisclosed End User #1 | 01/06/17 11:32pm

**, *** "**** ********" *** "**** *** ******" :)

***** *** *** *********...

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 06:49am

**, *** "**** ********" *** "**** *** ******" :)

**** *** ****** **** ******, *** **** *** *********** *******.

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 03:35pm

*****=?????

Undisclosed End User #1

In reply to Undisclosed #2 | 01/07/17 04:26pm

******** **** *******, ** ******* *** *** **** *** ****** :)

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 05:27pm

***** != *-***

Undisclosed End User #1

In reply to Undisclosed #2 | 01/07/17 11:46pm

******

Undisclosed #2

In reply to Undisclosed End User #1 | 01/08/17 01:15am

******

* **** ** *** ** ****** ******* *** *** ** finish...

*** ***:

#**** -* ****

******* **********.

#********* -** -**** -**

Undisclosed End User #1

01/18/17 06:57am

******* *** ********* ******* ** *** ***** ** ***** **/**/****, QNAP *** *** *** *** *.* & *** *.*

***=*************************************.***, ****=*****************
----------------------------------------------
********** '*************************************.***' ** '*****************/*************************************.***.***' ***** *** **** ...
***** ***-*** ********** - (***************)
***=*******
***** **** = *****
******* = *.*.*
----------------------------------------------
********** '*****************/*************************************.***.***' **** '*****************/**'...

Undisclosed #2

In reply to Undisclosed End User #1 | 01/18/17 11:23am

*******

Undisclosed End User #1

02/03/17 01:44am

****://********.***/**************/****/***/*

Undisclosed #2

In reply to Undisclosed End User #1 | 02/03/17 02:28am

**, ** *** ****, *** **** *****:*****?

*** = ****************** :)

Undisclosed End User #1

In reply to Undisclosed #2 | 02/03/17 02:35am

***, ******* ******** *** ***** ;)

**** ***, * **** *** ;)

Discussion	Posts	Latest
New It Wont Be Long Before Hikvision Will Be Dominating The Access Control Industry Like They Already Are In Surveillance. Boom Shocka Locka! (9) Started by Sean Nelson	9	less than a minute by Michael Miller
Camera Quality Less Than Projected PPF - Why? What To Do? (13) Started by Dennis Ruban	13	less than a minute by Undisclosed Manufacturer #3
New Auto Tracking For Neighborhood Surveillance (8) Started by Undisclosed Integrator #1	8	less than a minute by Undisclosed Manufacturer #3
The Dahua "Hacked The World Over" Gag Graphic Was Uncalled For And Unprofessional (8) Started by Undisclosed Integrator #1	8	about 1 hour by Undisclosed #3
Best Place For Client Credit Checks (6) Started by Kenny Johnson	6	less than a minute by Undisclosed Manufacturer #1

Discussion

Posts

Latest

New

It Wont Be Long Before Hikvision Will Be Dominating The Access Control Industry Like They Already Are In Surveillance. Boom Shocka Locka! (9)

Started by Sean Nelson

less than a minute by Michael Miller

Camera Quality Less Than Projected PPF - Why? What To Do? (13)

Started by Dennis Ruban

less than a minute by Undisclosed Manufacturer #3

New

Auto Tracking For Neighborhood Surveillance (8)