QNAP Android: Don’t Over Provide

The QNAP Android applications Qnotes 1.1.8.0128 and Qget 2.0.1.1029 suffer from unintended data leakage. A malicious process can use this vulnerability to gain access to cached data and logon credentials for the back-end NAS device.

‘QNAP Signage Station iArtist Lite’ SYSTEM for everyone (Part 3)

The QNAP iArtist Lite application is vulnerable to an uncontrolled search path element. This flaw can be leveraged by a low privileged user or malware to mount a binary file planting attack and obtain SYSTEM level access.

QNAP Signage Station: Publish and Be Damned (Part 2)

tl;dr

Nettitude has discovered that the iArtist application is vulnerable to CWE-290 Authentication Bypass by Spoofing. This flaw can be leveraged to remove the need to supply valid credentials when uploading a presentation.

Additionally, the Signage Station system suffers from CWE-798 Use of Hard-coded Credentials. These credentials grant access to the host NAS FTP service and can also be used to upgrade CVE-2015-6022 to an unauthenticated exploit.

Introduction

In a previous blog post it was shown that a low privilege Signage Station user could remotely upload a web-shell and thus significantly elevate their access to the host NAS system. However, the outlined steps still required a valid username and password, somewhat diminishing the impact.

Arguably, remote unauthenticated vulnerabilities pose the greatest risk to the security of a system. Typically an attacker needs only network connectivity to the exposed service to exploit such a flaw; no credentials or prior foothold are required. With this in mind, I began to examine the system to identify a means of circumventing the authentication process.

Vulnerability 1 – Authentication Bypass by Spoofing

Although presentations are uploaded over the File Transfer Protocol (FTP), user authentication occurs over HTTP. The iArtist client makes a GET request to http://<ip_address>/signagestation/requestid.php, passing the username and password as URL parameters in the clear. In response, the Signage Station server returns -1 when authentication has failed or a positive integer when it has succeeded.

Figure 1 – User authentication over HTTP

By intercepting a failed response and changing the value to 1, it is possible to initiate and successfully complete an iArtist presentation upload without valid credentials.

Figure 2 – Spoofing iArtist authentication response

This mechanism does not authenticate the FTP upload itself; rather, it controls whether the iArtist application will initiate and complete one.
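To make the flaw concrete, here is a small Python model of the flow described above. It is an added illustration written for this write-up, not QNAP's or iArtist's code, and it assumes what the text states: the response body is a bare integer, -1 on failure and a positive integer on success. The hardened half is one possible fix, not the vendor's: the login endpoint returns an HMAC-signed, time-limited authorisation and the upload side verifies it, so a client that has been fed a forged "1" gains nothing. SERVER_KEY, the user:expiry:HMAC token format and the 300-second lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# ---- The flow as described: the client alone decides whether to upload ----

def client_allows_upload(response_body: str) -> bool:
    """iArtist-style gate: -1 means 'failed', any positive integer means
    'authenticated'. Because the decision is taken in the client from a
    plaintext HTTP body, whoever controls the body controls the outcome."""
    try:
        return int(response_body.strip()) > 0
    except ValueError:
        return False


def spoof_response(response_body: str) -> str:
    """What the interception in Figure 2 does: rewrite a failed result to 1
    before the client reads it."""
    return "1" if response_body.strip() == "-1" else response_body


# ---- One hardened design: the server, not the client, decides ----

SERVER_KEY = secrets.token_bytes(32)  # assumed: per-install secret kept on the NAS


def issue_upload_token(user: str, password_ok: bool,
                       now: Optional[float] = None, ttl: int = 300) -> str:
    """Login endpoint. A failed login still answers -1, so the wire format
    the client expects is unchanged; a successful one returns
    user:expiry:HMAC rather than a bare integer."""
    if not password_ok:
        return "-1"
    expiry = int((time.time() if now is None else now) + ttl)
    msg = f"{user}:{expiry}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}:{expiry}:{tag}"


def server_accepts_upload(token: str, now: Optional[float] = None) -> bool:
    """Upload endpoint. It recomputes the HMAC itself, so a forged '1', an
    edited user name or an expired token is refused regardless of what the
    client was led to believe."""
    parts = token.split(":")
    if len(parts) != 3:
        return False
    user, expiry, tag = parts
    if not expiry.isdigit():
        return False
    if int(expiry) < (time.time() if now is None else now):
        return False
    expected = hmac.new(SERVER_KEY, f"{user}:{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    failed = "-1"
    print("client, genuine failure :", client_allows_upload(failed))                  # False
    print("client, spoofed failure :", client_allows_upload(spoof_response(failed)))  # True: the bypass
    print("server, spoofed failure :", server_accepts_upload(spoof_response(failed))) # False
    token = issue_upload_token("alice", True)
    print("server, genuine token   :", server_accepts_upload(token))                  # True
```

The point is where the decision is taken: in the original design the only thing protecting the upload is the client's belief that it has authenticated, and that belief is set by one integer on an unauthenticated HTTP response. Moving the check to the side that owns the secret means the second leg of the protocol can no longer be unlocked by editing the first.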

Vulnerability 2 – Use of Hard-Coded Credentials

The FTP leg is authenticated with hard-coded credentials. The iArtist application and the Signage Station App both ship with these credentials and, as such, grant a suitably informed adversary the ability to:

  • Access the system FTP server on the host NAS device
  • Upload a presentation, malicious or otherwise

These credentials can be observed on the wire when iArtist uploads a presentation.

Figure 3 – Hard-coded credentials on the wire

They can also be extracted from iArtist via reverse-engineering.

Figure 4 – Hard-coded credentials in iArtist application
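Figure 4 is the product of reverse-engineering; the check below is how a practitioner would look for the same material in a Windows client binary before opening a disassembler. It is an added example, not part of the original post and not QNAP's code, and the blob it scans is constructed here (the user name and password in it are made up and are not the Signage Station credentials). It extracts both ASCII and UTF-16LE runs, because Windows executables commonly store their literals as wide strings that a plain `strings` run skips by default, and then flags runs that sit next to an "ftp", "user", "pass", "pwd" or "login" hint, since hard-coded logon material is normally stored beside the protocol or host string that consumes it.

```python
import re

CRED_HINTS = ("ftp", "user", "pass", "pwd", "login")


def extract_strings(blob: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE. The wide form is the one
    plain `strings` skips by default and the one Windows clients commonly
    use for their literals."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_run.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def credential_candidates(blob: bytes, window: int = 2):
    """Strings within `window` neighbours of a credential hint. Proximity
    is a heuristic, so review the hits by hand; it is a first filter, not
    a verdict."""
    strs = extract_strings(blob)
    hits = set()
    for i, (_, _, text) in enumerate(strs):
        if any(h in text.lower() for h in CRED_HINTS):
            lo, hi = max(0, i - window), min(len(strs), i + window + 1)
            hits.update(strs[lo:hi])
    return sorted(hits)


def wide(s: str) -> bytes:
    """NUL-terminated UTF-16LE string, as a Windows compiler would emit it."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a slice of a Windows client binary. The host
# template, user name and password are invented for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + wide("ftp://%s/Signage/Upload")
    + b"\x00" * 8
    + wide("signage_uploader")
    + wide("Example#Secret123")
    + b"\x00" * 8
    + b"Copyright (c) Example Corp\x00"
    + b"\x00" * 8
    + b"/signagestation/requestid.php\x00"
)

if __name__ == "__main__":
    for offset, enc, text in credential_candidates(SAMPLE_BINARY):
        print(f"{offset:#06x} {enc:8} {text}")
```

Run against the sample, the "ftp://" template pulls in the two wide strings stored immediately after it and leaves the copyright notice and the unrelated URL path alone. On a real binary the same pass is the cheap first step; confirming that a candidate is live, as Figure 3 does by watching the FTP USER and PASS commands on the wire, is the second.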

The account behind these credentials is also present on the host NAS. Hashing the recovered password produces the stored hash of SignageUser, an account created when the Signage Station App was installed.

Figure 5 – Hard-coded credentials present on the server

Finally, we can use the credential with any FTP client to access the NAS FTP server.

Figure 6 – Hard-coded credentials used with another FTP client

Summary

Signage Station (2.0.0.3) hosted on the QNAP App Center is vulnerable to CWE-290 Authentication Bypass by Spoofing and CWE-798 Use of Hard-coded Credentials. Each independently gives a remote unauthenticated user the opportunity to upload a presentation to the Signage Station App. Either can therefore be combined with CVE-2015-6022 to gain remote unauthenticated access, as a member of the Administrator’s group, to the host NAS device. System users should contact the vendor for a fix.

In the third and final part of this series we will see how the iArtist application introduces a significant vulnerability on to the host Windows system.

The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed. CERT has been informed and is tracking this issue.

Timeline

  • QNAP informed via email 19/10/2015
  • Reported to cert.org 19/10/2015
  • Authentication bypass by spoofing issue assigned CVE-2015-6036 21/10/2015
  • Use of hard-coded credentials issue assigned CVE-2015-7261 30/11/2015
  • Proof of concept completed 13/12/2015
  • Disclosure date extended 11/01/2016
  • Vulnerabilities disclosed 25/02/2016


To contact Nettitude’s editor, please email media@nettitude.com.

QNAP Signage Station: Publish and Be Damned (Part 1)

tl;dr

Nettitude researchers have discovered that QNAP Signage Station is vulnerable to CWE-434, Unrestricted Upload of File with Dangerous Type. This flaw can be leveraged by a low privileged remote user to gain interactive system access as a member of the Administrator’s group.

Introduction

Signage Station is a QNAP authored application that runs on a wide range of QNAP NAS storage appliances. It is designed to facilitate the cost-effective creation and hosting of bespoke presentations. It is aimed primarily at business users; it is offered as a free install via the QNAP App Center, and at the time of writing has been installed by approximately 55,000 users.

Figure 1 – QNAP Signage Station website.

Normal Operation

The system consists of two parts: the iArtist application, which runs on a Windows PC, and the Signage Station App, which is hosted on a QNAP storage appliance. iArtist is used to create the presentation and then upload it, over the File Transfer Protocol (FTP), to the appliance.

Figure 2 – iArtist presentation authoring application

The Signage Station App takes the presentation, processes it, and makes it available for display. In addition, it takes on a number of housekeeping and administrative tasks. It creates and manages the user accounts that are used during the upload process. These accounts, other than admin, are designed to be used only within the Signage Station App and should not grant access to any other services or applications on the appliance. For iArtist to upload a presentation, credentials for one of these accounts are required.

Figure 3 – NAS based Signage Station web interface

When creating Signage Station users, the administrator can allocate three permissions:

  • Upload Content: Users are allowed to upload content to App
  • Manage Viewer: Users can see the content management buttons
  • Delete Content: Users can remove presentations from the App

Figure 4 – Signage Station users and permissions

Vulnerability – Unrestricted Upload of File with Dangerous Type

For an attacker to exploit this class of vulnerability, several conditions must hold. First, there must be a way to upload an attacker-defined file. Next, the file must be of a type the server will execute, and finally, at some stage it must be executed by the web server. If all these conditions are met, an attacker gains interactive access at the privilege level of the web-server process.

The iArtist application creates presentations as a single file with all the data, text, and multimedia content encapsulated into a single .qss file. By opening this file in a hex-editor you can see that it is in fact a renamed ZIP archive. By temporarily changing the extension the content can be viewed and updated via the standard Windows tools, thus granting the opportunity to add malicious content.

Figure 5 – .qss file magic numbers reveal it is a ZIP archive.

A web-shell can be written in pretty much any language. For this vulnerability, a PHP based example is suitable and should be placed in the root of the archive.

Figure 6 – Web shell added to presentation archive.

Once the malicious presentation is constructed it can be uploaded by the standard iArtist functionality. Do not open, save or otherwise interact with it from within iArtist, as this may remove the additional malicious file.

Trigger the payload by navigating to http://<ip_address>/signagestation/Data/<int>/<name>.php. Adjust the integer to suit your system: it is incremented by one each time a presentation is uploaded. As the malicious PHP is accepted, stored and executed by the system, we now have interactive access, obtained with credentials that on paper should only allow the user to upload a presentation and not access any other NAS App or service.

Figure 7 – Web shell returning server account.
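Taken together, the steps above amount to: confirm the container is a ZIP, add a server-executable file to it, upload it through iArtist, then browse to the file. The Python below is an added example, not part of the original post and not QNAP's code; it is the inspection a hardened ingest path would perform on a .qss before publishing it under the web root: check the ZIP magic bytes, list the entries, and reject anything with a server-executable extension (including an inner one such as cmd.php.jpg, which some Apache handler configurations still execute) or a path that escapes the extraction root. The sample archives are built in memory, the entry names are invented, and the extension list is an assumption to be tuned to the real server configuration; the PHP content is a placeholder, not a working shell.

```python
import io
import posixpath
import zipfile

# Local-file-header signature seen at offset 0 of a .qss in the hex editor
ZIP_LOCAL_HEADER = b"PK\x03\x04"

# Extensions the NAS web server would hand to an interpreter (assumed list;
# tune to the server's actual handler configuration)
SERVER_EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "phps", "cgi", "pl", "sh"}


def is_zip_container(blob: bytes) -> bool:
    """True when the first four bytes are the ZIP local file header."""
    return blob[:4] == ZIP_LOCAL_HEADER


def dangerous_extensions(name: str):
    """Every dotted component after the first is checked, not just the last:
    'cmd.php.jpg' is executed under Apache configurations that map PHP with
    AddHandler, so it must be treated like 'cmd.php'."""
    base = posixpath.basename(name.replace("\\", "/"))
    return [p for p in base.lower().split(".")[1:] if p in SERVER_EXECUTABLE]


def escapes_root(name: str) -> bool:
    """Path traversal check on the stored entry name."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


def inspect_presentation(blob: bytes):
    """Return (accepted, findings) for an uploaded .qss blob. An empty
    findings list means every entry is a plain data file under the root."""
    if not is_zip_container(blob):
        return False, ["not a ZIP container"]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if escapes_root(info.filename):
                    findings.append(f"path escapes root: {info.filename}")
                for ext in dangerous_extensions(info.filename):
                    findings.append(f"server-executable .{ext} file: {info.filename}")
    except zipfile.BadZipFile:
        return False, ["corrupt ZIP container"]
    return not findings, findings


def build_sample(entries: dict) -> bytes:
    """Constructed stand-in for a .qss written by iArtist (a renamed ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


BENIGN = build_sample({"presentation.xml": b"<presentation/>",
                       "media/logo.png": b"\x89PNG\r\n\x1a\n"})
# The same presentation with a PHP file dropped into the archive root
# (placeholder content, not a working shell)
MALICIOUS = build_sample({"presentation.xml": b"<presentation/>",
                          "cmd.php": b"<?php /* attacker-controlled */ ?>"})
DISGUISED = build_sample({"media/cmd.php.jpg": b"<?php /* attacker-controlled */ ?>"})
TRAVERSAL = build_sample({"../../share/Web/cmd.txt": b"x"})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("malicious", MALICIOUS),
                        ("disguised", DISGUISED), ("traversal", TRAVERSAL)]:
        accepted, findings = inspect_presentation(blob)
        print(label, "accepted" if accepted else "rejected", findings)
```

Rejecting by entry name is the minimum; a stricter ingest would also extract into a directory the web server serves without script handlers, so that a file which slips past the list is still never executed. Note that the check runs on the stored name exactly as the archive carries it, because that is the name the server will use when it writes the file out.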

Commands are run as httpduser, who is a member of the Administrator’s group.

Figure 8 – httpduser is a member of the Administrators group.

It is possible to perform highly privileged actions, such as accessing sensitive system files.

Figure 9 – Sensitive system file containing password hashes.

Summary

Signage Station (2.0.0.3) hosted on the QNAP App Center suffers from CWE-434, Unrestricted Upload of File with Dangerous Type. This grants a low privileged remote user the opportunity to gain interactive system access as a member of the Administrator’s group. System users should contact the vendor for a fix.

In part two, we will continue the journey and see how to upload a presentation without a username or password, turning this into a much more potent unauthenticated exploit.

The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed. CERT has been informed and is tracking this issue.

Timeline

  • QNAP informed via email 09/09/2015
  • Reported to cert.org 11/09/2015
  • Issue assigned CVE-2015-6022 28/09/2015
  • Proof of concept completed 13/12/2015
  • Disclosure date extended 11/01/2016
  • Vulnerability disclosed 25/02/2016
