QNAP Signage Station: Publish and Be Damned (Part 2)

tl;dr
Nettitude has discovered that the iArtist application is vulnerable to CWE-290 Authentication Bypass by Spoofing. This flaw can be leveraged to remove the need to supply valid credentials when uploading a presentation.
Additionally, the Signage Station system suffers from CWE-768 Use of Hard-coded Credentials. This grants access to the host NAS FTP service and can also be used to upgrade CVE-2015-6022 to an unauthenticated exploit.
Introduction
In a previous blog post it was shown that a low privilege Signage Station user could remotely upload a web-shell and thus significantly elevate their access to the host NAS system. However, the outlined steps still required a valid username and password, somewhat diminishing the impact.
Arguably remote unauthenticated vulnerabilities pose the greatest risk to the security of a system. Typically an attacker will only need connectivity in order to bypass any perimeter security mechanisms and gain access to the system. With this in mind, I began to examine the system to identify a means of circumventing the authentication process.
Vulnerability 1 – Authentication Bypass by Spoofing
Although the uploading of presentations takes place over File Transfer Protocol (FTP), user authentication occurs over HTTP. The iArtist client makes a GET request to http://<ip_address>/signagestation/requestid.php, passing the username and password via URL parameters. In response, the Signage Station server returns either negative 1 when authentication has failed or a positive integer when authentication has succeeded.

Figure 1- User authentication over HTTP

By intercepting a failed response and changing the value to 1, it is possible to initiate and successfully complete an iArtist presentation upload without valid credentials.

Figure 2 – Spoofing iArtist authentication response

This mechanism does not authenticate the FTP upload, rather it controls whether the iArtist application will initiate and complete one.
Vulnerability 2 – Use of Hard-Coded Credentials
The authentication of the FTP process takes place with hardcoded credentials. The iArtist application and Signage Station App both ship with these credentials and as such, grant a suitably informed adversary the ability to:

Access the system FTP server on the host NAS device
Upload a presentation, malicious or otherwise

These credentials can be observed on the wire when iArtist uploads a presentation.

Figure 3 – Hard-coded credentials on the wire

They can also be extracted from iArtist via reverse-engineering.

Figure 4 – Hard-coded credentials in iArtist application

An account with these credentials can also be seen on the host NAS. By hashing the password we can see it matches the SignageUser password hash, an account created when the Signage Station App was installed.

Figure 5 – Hard coded credentials present on the server

Finally, we can use the credential with any FTP client to access the NAS FTP server.

Figure 6 – Hard coded credentials used with other FTP client

Summary
Signage Station (2.0.0.3) hosted on the QNAP App Center is vulnerable to CWE-290 Authentication Bypass by Spoofing and CWE-768 Use of Hard-coded Credentials. These each independently grant a remote unauthenticated user the opportunity to upload a presentation to the Signage Station App. They can therefore be used in conjunction with CVE-2015-6022 to gain remote unauthenticated access, as a member of the Administrator’s group, to the host NAS device. System users should contact the vendor for a fix.
In the third and final part of this series we will see how the iArtist application introduces a significant vulnerability on to the host Windows system.
The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed. CERT has been informed and is tracking this issue.
Timeline