QNAP QTS Domain Privilege Escalation Vulnerability

Pierluigi Paganini March 24, 2017

The vulnerability allows any local user, such as “httpdusr” used to run web application, to escalate to Domain Administrator if the NAS is a domain member.

Pasquale ‘sid’ Fiorillo from ISGroup (www.isgroup.biz), an Italian
Security Company, and Guido ‘go’ Oricchio of PCego (www.pcego.com), a
System Integrator, have just released a critical security advisory for
any version of QNAP NAS prior to 4.2.4 Build 20170313
(https://www.qnap.com/en/support/con_show.php?cid=113).

QNAP NAS

QNAP Systems, founded in 2004, provides network attached storage (NAS)
and network video recorder (NVR) solutions for home and business use to
the global market.
QNAP also delivers a cloud service, called myQNAPcloud, that allows
users to access and manage devices from anywhere. QTS is a QNAP device proprietary firmware based on Linux.

The issue involves all the QNAP NAS (all models and all versions) that are members of a Microsoft Active Directory and allows a local QTS admin user, or other low privileged user (such as “httpdusr” used to run web application) to access configuration file that includes a bad crypted Microsoft Domain Administrator password.

The affected component is the “uLinux.conf” configuration file, created
with a world-readable permission used to store a Domain Administrator
password.

This password is stored in the file obfuscated by a simple XOR cypher
and base64 encoded.

“The vulnerability allows a local QTS admin user, or other low privileged user, to access configuration file that includes a bad crypted Microsoft Domain Administrator password if the NAS was joined to a Microsoft Active Directory domain.” reads the advisory. “The affected component is the “uLinux.conf” configuration file, created with a world-readable permission used to store a Domain Administrator password. Admin user can access the file using ssh that is enabled by default. Other users are not allowed to login, so they have to exploit a component, such as a web application, to run arbitrary command or arbitrary file read. Anyone is able to read uLinux.conf file, world readable by default, can escalate to Domain Administrator if a NAS is a domain member.”

Users are strongly advised to update their systems to the latest version released by the vendor
(https://www.qnap.com/en/support/con_show.php?cid=113).

The Official advisory is available at: http://www.ush.it/team/ush/hack-qnap/qnap.txt

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – QNAP NAS, hacking)



you might also like

leave a comment