The QNAP Android applications Qnotes 1.1.8.0128 and Qget 2.0.1.1029 suffer from unintended data leakage. A malicious process can use this vulnerability to gain access to cached data and logon credentials for the back-end NAS device.
Additionally, both applications suffer from OWASP M7 (2014), Client Side Injection. A malicious process can use this vulnerability to gain access to cached data and logon credentials for the backend NAS device.
Introduction
Notes Station is a QNAP authored application that runs on a wide range of QNAP NAS storage appliances. It is an online note taking application that lets you create notes on a QNAP NAS. You can save and edit your notes from a PC or mobile device, its offered as a free install via the QNAP App Center, and at the time of writing has been installed by approximately 195K users.

Notes Station 2.0

Figure 1: QNAP Notes Station Website


The QNAP android application Qnotes acts as client to the NAS based system, is hosted on the Google Play Store, and at the time of writing has been installed by 10,000-50,000 users.
Qnotes

Figure 2: Qnotes Google Play Store


 
Download Station is a QNAP authored application that runs on a wide range of QNAP NAS storage appliances. It is designed to download remote files via numerous protocols/peer-to-peer networks. It is offered as a free install via the QNAP App Center, and at the time of writing has been installed by approximately 950K users.
QNAP Download Station

Figure 3: QNAP Download Station App Center


The QNAP Android application Qget acts as a client to the NAS based system, is hosted on the Google Play Store, and at the time of writing has been installed by 50,000-100,000 users.
Qget

Figure 4: Qget Goggle Play Store


Vulnerability – OWASP M4 (2014) Unintended Data Leakage
In order to improve security Android implements an application sandbox, which isolates each application’s data and code execution. It is however recognised that there will be times when data exchange is required and interfaces are provided. Thus when Android applications want to share data they “publish” a content provider, a standard interface for data exchange. They use insert(), query(), update(), and delete() methods to access the data and have a URI starting with “content://”. Any application that knows this URI can insert, update, delete, and query data from the database of the provider app if it is exported and not suitably protected.
Using the open-source tool drozer, the applications were audited for content providers. One was identified for each application.
Qnotes Exports 1

Figure 5: Qnotes Exports One Content Provider


Qnotes Exports 2

Figure 6: Qget Exports One Content Provider


A large number of URIs was identified.
Qnotes Exports 3

Figure 7: Qnotes Identified URI’s


Qnotes Exports 4

Figure 8: Qget Identified URI’s


A number were queried. It was possible to retrieve notes without authentication.
Retrieving Cached Notes

Figure 9: Retrieving Cached Notes


Additionally a username and Base64 encoded password was identified for Qnotes. This was not only valid for the application, but also across the backend NAS. In this case it was the device’s administrator account.
Qnotes Applications

Figure 10: Qnotes Application/NAS Credentials


Similarly for Qget it was possible to identify a valid username (not Base64 encoded), which related to both the application and backend NAS.
Qget Applications

Figure 11: Qget Application / NAS Credentials


Vulnerability – OWASP M7 (2014) Client Side Injection
SQL injection (SQLi) is a code injection technique in which malicious SQL statements are inserted into an input for execution by a database. The Android platform promotes the use of SQLite and as such can be vulnerable. Content providers often provide an interface to these client side databases and as such can be the initial input vector.
Again using the open-source tool drozer content providers for both Qget and Qnotes were audited for SQLi. By making queries using a “magic quote” each was observed to be vulnerable via multiple content providers.
Qget Vulnerbale SQLi

Figure 12: Qget Vulnerable to SQLi


Qnotes Vulnerable SQLI

Figure 13: Qnotes Vulnerable to SQLi


Using this vulnerability it was possible to retrieve all data, including credentials valid for the application and backend NAS.
Qget-NAS

Figure 14: Qget/NAS Credentials via SQLi


Qnotes-NAS

Figure 15: Qnotes/NAS Credentials via SQLi


Summary
Qnotes and Qget suffer from OWASP M4 (2014) Unintended Data Leakage and OWASP M7 (2014) Client Side Injection. This grants a malicious process the opportunity to gain access to cached data and logon credentials for the backend NAS device. All testing took place on a non-rooted Moto G 3rd Generation phone running Android 5.1.1 against Qnotes 1.1.8.0128 and Qget 2.0.1.1029. The NAS was running Note Station 2.1.10 and Download Station 4.2.1. System users should contact the vendor for a fix.
The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed.
Timeline

• QNAP informed via email 06/04/2016
• QNAP contacted via email advising agreed publication date approaching 30/05/2016
• Vulnerability disclosed 07/06/2016
References

• QNAP Qnotes – https://play.google.com/store/apps/details?id=com.qnap.qnote&hl=en_GB
• QNAP Notes Station – https://www.qnap.com/event/station/en/notes.php
• QNAP Qget – https://play.google.com/store/apps/details?id=com.qnap.com.qgetpro&hl=en_GB
• Drozer – https://github.com/mwrlabs/drozer
• OWASP Mobile Top 10 2014-M4 – https://www.owasp.org/index.php/Mobile_Top_10_2014-M4
• OWASP Mobile Top 10 2014-M7 – https://www.owasp.org/index.php/Mobile_Top_10_2014-M7