QNAP NAS – Remote Unauthenticated User to Admin Shell: Part 2

tl;dr
A number of security vulnerabilities have been identified in two applications hosted on the QNAP App Center. When combined it is possible for a remote unauthenticated user to gain interactive remote administrative access and take full control of the device.
Introduction
In the previous blog post, it was shown that the Logitech Media Server (7.7.2) App suffers from Shellshock. The situation is further aggravated by the developer’s decision not to implement the chroot configuration option. However, the account that the application runs under and thus the Bash commands are executed under, does not have root/administrative permissions.
The ultimate objective of exploit development is to gain a root/administrative remote shell, thus leaving no room for debate on the seriousness of the issue. The system has been completely exploited and is under the full control of the attacker. End of story, no debate. With this in mind, I began to examine the system to identify a means to execute a reverse-shell and gain privileged credentials.
Vulnerability 1 – Weak Folder Permissions iStat 0.5.7
The iStat application is used to monitor system resource utilisation. The user is free to decide what is monitored and to what level. The data is displayed via a web interface that is hosted on the device’s main web server. It is accessed via http://<ip_address>/istat/login.php.
A traditional or bind shell instructs a machine to open a command shell, present it on a port and wait for inbound connections. Thus granting a user or for that matter an attacker, interactive access. However, with the widespread adoption of firewalls their effectiveness has become somewhat limited, as inbound connections are highly controlled. In contrast, a reverse shell rather than waiting for an incoming connection, actively connects back to a machine. As firewalls are typically much more permissive of outbound connections, reverse shells have become dominant.
A bind or reverse shell can be written in pretty much any language. If coded in a language that can be executed by a web-server (e.g. ASP, ASP.NET, PHP, etc.) and providing that an attacker can write to a suitable location, the shell will be spawned and access granted. By recursively searching the file-system we can see that iStat has weak folder permissions. Everyone, including the ssods/Logitech Media Server account has the ability to read/write/execute (see Figure 1).

This folder is served by the application’s web server and will thus execute a suitably coded reverse-shell.
Vulnerability 2 – Web Server Runs With Administrative Permissions
iStat is hosted on an Apache instance. It runs under an account called httpdusr, which is a member of the Administrators group. Thus when a reverse-shell is executed, it grants the attacker administrative access to the device (see Figure 2).

Summary
iStat 0.5.7 hosted on the QNAP App Center suffers from several security issues. They do not grant remote unauthenticated access. However, once an attacker gains limited access they can be leveraged to obtain administrative privileges. The sixteen thousand customers who have downloaded it should uninstall it immediately.
In conclusion, this two-part blog illustrates a pattern we see in many contemporary attacks. Multiple vulnerabilities, mistakes, and weaknesses chained together to achieve full exploitation (see Figure 3). If any one of them is missing an attacker fails to get administrative access. If the chain can be formed its game over and the attacker wins.

The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed. CERT has been informed and is tracking this issue.
Timeline

Logitech Media Center Shellshock vulnerability discovery on 08/02/2015
QNAP informed via website on 11/02/2015
SSOTS/SSODS author contacted 12/02/2015. No response to date
Reported to cert.org on 12/02/2015
Confirmed against latest firmware and ARM plus x86 devices on 16/02/2015
Local privilege elevation discovery on 22/02/2015
QNAP contacted via facebook.com on 05/03/2015
Proof of concept completed on 06/03/2015
Contacted by QNAP Security. Research forwarded and disclosure date agreed on 07/03/2015
Vulnerability disclosed on 06/04/2015

References