CVE-TBA: Reflected Cross-Site Scripting (XSS) in QNAP TS-x09 Turbo NAS

On the 7th of July 2015 I discovered a reflected cross-site scripting (XSS) vulnerability in QNAP TS-x09 Network Attached Storage devices. Full disclosure was undertaken with the vendor and a CVE-ID has been requested from MITRE.

CVE-ID: requested

7th July 2015
Author: Mark Cross
Twitter: @xerubus
WWW: www.mogozobo.com

Summary

A reflected cross-site scripting vulnerability was found in QNAP TS-109/209/409/409U Turbo NAS devices, including Standard, II, PRO and PRO-II models running <= Version 3.3.3 Build 1003T. The sid parameter of cgi-bin/user_index.cgi and cgi-bin/index.cgi is reflected unescaped into the page, allowing a remote unauthenticated attacker to break out of the surrounding quotation marks and inject arbitrary JavaScript that executes in the victim's browser.

Disclosure Timeline

07 July 2015
– Requested PGP from vendor via website for secure communications.
– Requested CVE identifier from MITRE via PGP.

08 July 2015
– Received email from vendor with security contact and PGP key.
– Received email from MITRE requesting further information.
– Emailed vendor full vulnerability details via PGP email.
– Emailed further details to MITRE as requested.

10 July 2015
– Emailed security contact for confirmation of receipt of previous email.

13 July 2015
– Requested acceptance and a mutually agreeable disclosure period.

21 July 2015
– Vendor advised they will not be releasing a new firmware.
– Advised vendor that the public disclosure date will be Friday 24th July 2015.

24 July 2015
– Provided MITRE with full vulnerability details.
– Advised MITRE that vendor will not be patching the vulnerability.
– Re-requested that CVE-IDs be released.
– Vulnerability published on mogozobo.com
– Vulnerability publicly disclosed via Full Disclosure mailing list.

07 August 2015
– Emailed MITRE requesting an update on the CVE-ID request.

Status

Published

Tested versions

This vulnerability was tested on the following QNAP devices:

– TS-109 PRO and TS-109 II Version 3.3.0 Build 0924T
– TS-209 and TS-209 PRO II Version 3.3.3 Build 1003T
– TS-409 and TS-409U Version 3.3.2 Build 0918T

Details

The QNAP NAS Management Software, embedded as firmware, is accessible via a web-based interface on all Turbo NAS devices. The sid parameter of cgi-bin/user_index.cgi and cgi-bin/index.cgi is reflected unescaped into the page, allowing a remote unauthenticated attacker to break out of the surrounding quotation marks and inject arbitrary JavaScript that executes in the victim's browser.

An attacker may exploit the reflected XSS vulnerability to cause a victim to execute the malicious JavaScript code within the user's browser. The malicious code can, among other things, steal a victim's session token or login credentials, log the victim's keystrokes, or perform arbitrary actions on the victim's behalf.

Vulnerable URLs:

http://target:8080/cgi-bin/user_index.cgi
http://target:8080/cgi-bin/index.cgi

XSS Proof-of-concept (POC)

The following proof-of-concept (POC) demonstrates the injection:

http://target:8080/cgi-bin/user_index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f
http://target:8080/cgi-bin/index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f
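As an added illustration (not QNAP's CGI code, which is not reproduced here), the block below models the reflection pattern described above, shows the hardened form beside it, and flags requests to the two vulnerable CGIs in constructed access-log lines whose decoded sid carries characters a session id never contains. The inline-script template and the log format are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit
# Hypothetical model of the bug class the advisory describes: the sid query
# value is interpolated unescaped into a quoted string inside an inline
# script. This is a constructed stand-in, not the QNAP CGI code.
def render_vulnerable(sid: str) -> str:
    return '<script>var sid = "%s";</script>' % sid

# Hardened form: emit the value as a JSON string literal (json.dumps escapes
# the double quote and backslash) and neutralise sequences that could end
# the script block early, so the value can never leave the string literal.
def render_hardened(sid: str) -> str:
    safe = json.dumps(sid).replace("</", "<\\/").replace("<!--", "<\\!--")
    return "<script>var sid = %s;</script>" % safe

# Accepts exactly one quoted string literal (with backslash escapes) and
# nothing else; anything more means the value broke out of the quotes.
_SINGLE_LITERAL = re.compile(r'^<script>var sid = "(?:[^"\\]|\\.)*";</script>$')

def value_breaks_out(rendered: str) -> bool:
    return _SINGLE_LITERAL.match(rendered) is None

# Detection over web server access logs: flag requests to the two CGIs
# named in the advisory whose percent-decoded sid contains characters a
# session id never legitimately carries. Log lines below are constructed.
VULNERABLE_PATHS = ("/cgi-bin/user_index.cgi", "/cgi-bin/index.cgi")
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
_SID_BAD_CHARS = re.compile(r'[\'";<>()]')

def suspicious_sid_requests(log_lines):
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path not in VULNERABLE_PATHS:
            continue
        for sid in parse_qs(parts.query).get("sid", []):  # parse_qs percent-decodes
            if _SID_BAD_CHARS.search(sid):
                hits.append((parts.path, sid))
    return hits

SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2015:10:00:01 +1000] "GET /cgi-bin/user_index.cgi?sid=abcdef0123456789 HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jul/2015:10:00:07 +1000] "GET /cgi-bin/index.cgi?sid=%22%3balert%28%22XSS%22%29%2f%2f HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jul/2015:10:00:09 +1000] "GET /cgi-bin/other.cgi?sid=%22%3b HTTP/1.1" 404 0',
]
```

Running suspicious_sid_requests(SAMPLE_LOG) returns only the second line's request, the one carrying the advisory's PoC value; the first is a well-formed sid and the third targets a path outside the two affected CGIs.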

[Screenshot: xss_url]

[Screenshot: xss]

Curl example

Example exploit: cleartext transmission of credentials in cookies

The example exploit shows base64-encoded credentials transmitted in cleartext within cookies.

[Screenshot: url_xss_cookie]

[Screenshot: xss_reflected_cookie]

Vulnerability solution

QNAP have advised that they will not release a new firmware to address the vulnerabilities.