QNAP QTS Domain Privilege Escalation Vulnerability

The vulnerability allows any local user, such as “httpdusr” used to run web application, to escalate to Domain Administrator if the NAS is a domain member.

Pasquale ‘sid’ Fiorillo from ISGroup (www.isgroup.biz), an Italian
Security Company, and Guido ‘go’ Oricchio of PCego (www.pcego.com), a
System Integrator, have just released a critical security advisory for
any version of QNAP NAS prior to 4.2.4 Build 20170313
(https://www.qnap.com/en/support/con_show.php?cid=113).

QNAP Systems, founded in 2004, provides network attached storage (NAS)
and network video recorder (NVR) solutions for home and business use to
the global market.
QNAP also delivers a cloud service, called myQNAPcloud, that allows
users to access and manage devices from anywhere. QTS is a QNAP device proprietary firmware based on Linux.

The issue involves all the QNAP NAS (all models and all versions) that are members of a Microsoft Active Directory and allows a local QTS admin user, or other low privileged user (such as “httpdusr” used to run web application) to access configuration file that includes a bad crypted Microsoft Domain Administrator password.

The affected component is the “uLinux.conf” configuration file, created
with a world-readable permission used to store a Domain Administrator
password.

This password is stored in the file obfuscated by a simple XOR cypher
and base64 encoded.

“The vulnerability allows a local QTS admin user, or other low privileged user, to access configuration file that includes a bad crypted Microsoft Domain Administrator password if the NAS was joined to a Microsoft Active Directory domain.” reads the advisory. “The affected component is the “uLinux.conf” configuration file, created with a world-readable permission used to store a Domain Administrator password. Admin user can access the file using ssh that is enabled by default. Other users are not allowed to login, so they have to exploit a component, such as a web application, to run arbitrary command or arbitrary file read. Anyone is able to read uLinux.conf file, world readable by default, can escalate to Domain Administrator if a NAS is a domain member.”

Users are strongly advised to update their systems to the latest version released by the vendor
(https://www.qnap.com/en/support/con_show.php?cid=113).

The Official advisory is available at: http://www.ush.it/team/ush/hack-qnap/qnap.txt

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – QNAP NAS, hacking)