Subscriber Discussion
0-Day Critical Vulnerability In QNAP
QNAP NAS devices suffer from a critical heap overflow in "cgi.cgi" and a non-critical stack crash in "jc.cgi" and "mediaGet.cgi".
Successful exploitation of this heap overflow vulnerability can lead to unauthorised root (admin) privileges on QNAP devices with anonymous access (no credentials needed to exploit).
#1, thanks for sharing. I edited the title and inserted the summary into the opening to make it clear. Let me know if that works.
I'd email someone at QNAP but I don't know who to speak with. It has been so long since I talked to anyone at QNAP and I am not sure who is there.
So is there input sanitizing/bounds checking of the GET string, and that's the reason to inline the backquoted loop?
Remote code execution (aka bind/remote shell) is highly unlikely (I would even dare to say impossible), but reading the password hash, crackable with "John" - that's one step below - is fully functional.
Only difference between these two is time.
Fujitsu has had patched FW available for newer HW since 10/01/2017; QNAP not yet for QTS 4.x & QVR 5.x.
SRC=FTS_FirmwareQR806_42320170110_1174887.IMG, DEST=QR806_42320170110
----------------------------------------------
decrypting 'FTS_FirmwareQR806_42320170110_1174887.IMG' to 'QR806_42320170110/FTS_FirmwareQR806_42320170110_1174887.IMG.tgz' using PC1 tool ...
Using 120-bit encryption - (QNAPNASVERSION4)
len=1048576
model name = QR806
version = 4.2.3
----------------------------------------------
extracting 'QR806_42320170110/FTS_FirmwareQR806_42320170110_1174887.IMG.tgz' into 'QR806_42320170110/fw'...
Another QNAP vulnerability: Thousands of QNAP NAS devices have been infected with the QSnatch malware | ZDNet