0-Day Critical Vulnerability In QNAP

Undisclosed End User #1

QNAP NAS devices suffer from a critical Heap Overflow in "cgi.cgi" and non critical stack crash in "jc.cgi and mediaGet.cgi".
Successful exploitation of this heap overflow vulnerability can lead to unauthorised root (admin) privileges on QNAP devices with anonymous access. (no credential needed to exploit)

Login to read this IPVM discussion.

Why do I need to log in?

IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

John Honovich

IPVM | 01/02/17 10:20pm

#*, ****** *** *******. * ****** *** ***** *** ******** the ******* **** *** ******* ** **** ** *****. *** me **** ** **** *****.

*'* ***** ******* ** **** *** * ***'* **** *** to ***** ****. ** *** **** ** **** ***** * talked ** ****** ** **** *** * ** *** **** who ** *****.

** ** ***** ***** **********/****** ******** ** *** *** ******, and ****'* *** ****** ** ****** *** ********** ****?

Undisclosed End User #1

In reply to Undisclosed #2 | 01/02/17 10:58pm

*** **** ** ****, *** ***** **, *** ***** ******* of **** ****** ********.

*** ***** *** **** ** ****** *** ** ** ******** chars ** ******* ******, ******* ** "******** ****" +**** *****.

(**'* ******** *** *** **** ******, *** ********* ******** *** symlinked ** *** **** ****** (*********.***).

**********.*** -> *********.****
***.*** -> *********.****
**.*** -> *********.****
********.*** -> *********.****
********.*** -> *********.****
*******.*** -> *********.****
**********.*** -> *********.****

***** ** **** ******** (****** *******) ** ******** *** ***** password (****** ** **** ** ******* **********) ****'* ****** ** heap **** /***/******.

****** **** ** *** ****** "**** **-***+" *** ****** **** latest ** ******* *.*.* (***** ********)

[*****]
# **** -** "*** /***-***/***.***?*=*****&*=`***((*=*;*-w * ; **** -** "*\***\***\***\***" | ****** -* *` HTTP/1.0\nHost: ***\*\*" | **** --*** ***.***.*.* *** | **** *****
*** ***** ******** *** $*$$************/*********: ****(): ******* **** **** (******): 0x0806e510 ***
#

[****]
#
**** -** "*** /***-***/***.***?*=*****&*=`***((*=*;*0 ; **** -** "*\***\***\***\***" | ****** -* *` ****/*.*\*\*" | **** ***.***.*.* **** | **** *****
*** ***** ******** *** $*$$************/*********: ****(): ******* **** **** (******): 0x0806e510 ***
#

Undisclosed #2

In reply to Undisclosed End User #1 | 01/02/17 11:19pm

** **** **** ******** *** * ***** *** ******** ** glibc ** ** *** ***.*** *********** *********** ****** *****?

Undisclosed End User #1

In reply to Undisclosed #2 | 01/02/17 11:24pm

****'* ****** ***** ** ****** ********, ******* ** ** **** glibc, **'* ***** **** **** **** ******** *** **, *** it's ***.

Undisclosed End User #1

01/06/17 03:13pm

*****://***.****.***/**/*******/********.***?***=***

John Honovich

IPVM | In reply to Undisclosed End User #1 | 01/06/17 03:19pm

#*, **** ** *** ***** ** ****'* ********?

******** ************** **** ***** **** *** ************* ** *** ****** exploited

Undisclosed End User #1

01/06/17 03:26pm

******** ******* **** (*** ****/****** *****) ** ****** ******** (* would **** **** ** *** **********), *** **** *** ******** hash *** ********* **** "****" - ****'* *** **** ***** - ** ***** **********.

**** ********** ******* ***** *** ** ****.

Undisclosed End User #1

In reply to Undisclosed End User #1 | 01/06/17 03:32pm

**, *** "**** ********" *** "**** *** ******" :)

***** *** *** *********...

Undisclosed #2

In reply to Undisclosed End User #1 | 01/06/17 10:49pm

**, *** "**** ********" *** "**** *** ******" :)

**** *** ****** **** ******, *** **** *** *********** *******.

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 07:35am

*****=?????

Undisclosed End User #1

In reply to Undisclosed #2 | 01/07/17 08:26am

******** **** *******, ** ******* *** *** **** *** ****** :)

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 09:27am

***** != *-***

Undisclosed End User #1

In reply to Undisclosed #2 | 01/07/17 03:46pm

******

Undisclosed #2

In reply to Undisclosed End User #1 | 01/07/17 05:15pm

******

* **** ** *** ** ****** ******* *** *** ** finish...

*** ***:

#**** -* ****

******* **********.

#********* -** -**** -**

Undisclosed End User #1

01/17/17 10:57pm

******* *** ********* ******* ** *** ***** ** ***** **/**/****, QNAP *** *** *** *** *.* & *** *.*

***=*************************************.***, ****=*****************
----------------------------------------------
********** '*************************************.***' ** '*****************/*************************************.***.***' ***** *** **** ...
***** ***-*** ********** - (***************)
***=*******
***** **** = *****
******* = *.*.*
----------------------------------------------
********** '*****************/*************************************.***.***' **** '*****************/**'...

Undisclosed #2

In reply to Undisclosed End User #1 | 01/18/17 03:23am

*******

Undisclosed End User #1

02/02/17 05:44pm

****://********.***/**************/****/***/*

Undisclosed #2

In reply to Undisclosed End User #1 | 02/02/17 06:28pm

**, ** *** ****, *** **** *****:*****?

*** = ****************** :)

Undisclosed End User #1

In reply to Undisclosed #2 | 02/02/17 06:35pm

***, ******* ******** *** ***** ;)

**** ***, * **** *** ;)

Discussion	Posts	Latest
What Face Recognition Has VMS Integration, Open API, And Good Accuracy? (7) Started by Frederick Jacobs	7	2 minutes by Undisclosed Manufacturer #2
IR LED Has Red Glow (6) Started by Undisclosed End User #1	6	2 minutes by Carl Kristoffersen
Video Surveillance Vulnerabilities Class Recorded (5) Started by Sean Patton	5	less than a minute by Kelly Russell
Looking For Vandalproof IR PTZ? (3) Started by Ian UBS	3	less than a minute by Sean Patton
New Does Anyone Know What VMS Is Most Used In Retail In The US? (6) Started by Frederick Jacobs	6	less than a minute by Chalon Dilber

Discussion

Posts

Latest

What Face Recognition Has VMS Integration, Open API, And Good Accuracy? (7)

Started by Frederick Jacobs

2 minutes by Undisclosed Manufacturer #2

IR LED Has Red Glow (6)

Started by Undisclosed End User #1

2 minutes by Carl Kristoffersen

Video Surveillance Vulnerabilities Class Recorded (5)

Started by Sean Patton

less than a minute by Kelly Russell