Experts found an RCE vulnerability in QNAP Q’center

Researchers at cybersecurity firm Shielder discovered a remote code execution on QNAP Q’center through a manipulated QPKG installation package.

Researchers at cybersecurity firm Shielder discovered a remote code execution flaw on QNAP Q’center through a manipulated QPKG installation package. The vulnerability was discovered by the cyber security expert`zi0Black` from Shielder

Q’center now provides Q’center Virtual Appliance that allows you to deploy Q’center in virtual environments such as Microsoft Hyper-V or VMware ESXi, Fusion and Workstation. Using Q’center as a virtual appliance further increases its flexibility and connectivity for large environments, as you no longer need a local QNAP NAS to monitor other NAS and can use an existing central server to monitor every NAS unit.

QNAP Q’center allows to upload and install QPKG packages.

Experts noticed that opening a QPKG file with a hex editor it is possible to analyze the structure which is composed of an initial script that ends with exit 10 followed by a tar.gz archive.

“As the initial script seems to rule the archive extraction it is legitimate to think that it is extracted from the QPKG file and executed to extract what follows.” reads the post published by Shielder.

The QNAP Q’center is available as a WMware appliance and according to the researchers, it is possible to extract the Python code directly from its disk. The experts shared a python code that they extracted from the disk that is used to check a QKPG when it is uploaded to the Q’center.

The QPKG file could be interpreted as a shell script and its content could be executed on the vulnerable instance.

“The function extracts the update file (a tar.gz containing the QPKG one) at [2] and [3], then it executes the system command /bin/sh /path/to/QPKG_file.” continues the post. “As stated before the QPKG file could be interpreted as a shell script, so its content is executed on the Q’center instance, allowing to execute arbitrary commands on it.”

The researchers announced they will release the PoC exploit code on their repo, it could allow attackers to execute arbitrary command on the Q’center instance.

A privilege attacker could obtain command execution on a Q’center instance.

The flaw impacts the QNAP Q’center Virtual Appliance version 1.12.1014. Shielder reported the flaw to QNAP which promptly addresses the issue. Below the timeline for this vulnerability:

23/01/2021: Vulnerability report is sent to QNAP
10/03/2021: QNAP acknowledges issue
11/03/2021: Shielder and QNAP agree on the impact of the vulnerability
03/06/2021: Shielder’s advisory is made public

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP Q’center)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.