QNAP Turbo NAS Multiple multiple vulnerabilities

Path Injection.

Posted by Andrea Fabrizi on December 18, 2011

QNAP Systems, Inc. is the “Quality Network Appliance Provider” and we pledged to become the world’s leading Network Attached Storage (NAS) and Network Video Recorder (NVR) solution provider.

This vulnerability has been discovered on QNAP TS-1279U-RP version 3.7.3 build 20120801, but probably other products that use the same firmware may be affected.

The CGI /cgi-bin/filemanager/utilRequest.cgi is prone to a path injection, which allows, for authenticated users, to access, delete or modify any file, included system files, configuration files and files owned by other users.

Due to the single user configuration of the embedded linux system, it’s possible to access any system file without restrictions (included /etc/shadow, which contains the hash of the administrator password).

Vulnerable urls and parameters are (the list is not exhaustive):

/cgi-bin/filemanager/utilRequest.cgi [source_file]
/cgi-bin/filemanager/utilRequest.cgi?func=delete [file_name]
/cgi-bin/filemanager/utilRequest.cgi?func=copy [dest_path]
/cgi-bin/filemanager/utilRequest.cgi?func=move [dest_path]
/cgi-bin/filemanager/utilRequest.cgi?func=get_acl_properties [name]


POST /cgi-bin/filemanager/utilRequest.cgi/test.txt HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 123


BID: http://www.securityfocus.com/bid/55389/info