CVE-TBA: Cleartext base64 format for transmission of credentials within cookies in QNAP TS-x09 Turbo NAS

On the 13th of July 2015 I discovered a clear text base64 transmission of credentials vulnerability within cookies in QNAP TS-x09 Network Attached Storage devices. Full disclosure was undertaken with the vendor and a CVE-ID has been requested from Mitre.

CVE-ID: requested

13th July 2015
Author: Mark Cross
Twitter: @xerubus


A plaintext storage in a cookie vulnerability exists in QNAP TS-109/209/409/409U Turbo NAS devices, including Standard, II, PRO, and PRO-II models running <= Version 3.3.3 Build 1003T. By default, the devices store the username and password credentials within the cookie using base64 encoding. This vulnerability has not been reported for the QNAP TS-x09 devices, however has previously been reported for similar devices by Sense of Security.

Disclosure Timeline

13 July 2015
– Emailed vendor full vulnerability details via PGP email.
– Requested CVE identifier from MITRE via PGP

21 July 2015
– Vendor advised they will not be releasing a new firmware.
– Advised vendor public disclosure date will be Friday 24th July 2015

24 July 2015
– Provided MITRE will full vulnerability details
– Advised MITRE that vendor will not be patching vulnerability
– Re-requested CVE-IDs be released
– Vulnerability published on
– Vulnerability publicly disclosed via Full Disclosure mailing list.



Tested versions

This vulnerability was tested on the following QNAP devices:

– TS-109 PRO and TS-109 II Version 3.3.0 Build 0924T
– TS-209 and TS-209 PRO II Version 3.3.3 Build 1003T
– TS-409 and TS-409U Version 3.3.2 Build 0918T


The QNAP NAS Management Software, embedded as firmware, is accessible via a web-based interface on all Turbo NAS devices. A vulnerability exists in the method the devices store the username and password credentials using base64 encoding. This attack is amplified by a reflected XSS vulnerability (CVE-ID-requested) and the lack of the HttpOnly flag utilisation.

An attacker may exploit the vulnerability to obtain authentication credentials via sniffing and intercepting network traffic.

Proof-of-concept (PoC)

The following proof-of-concept (PoC) demonstrates the vulnerability:



Cookie value

The nas_p contents in this cookie contains both the username of ‘admin’ and the password of ‘admin’ in a single string. Should the user tick the “Remember username” checkbox, other variables will be exposed in the cookie. nas_u contains the base64 encoded username, and nas_a contains the username base64 encoded twice.

Decrypted value showing username and password

Amplification by a reflected XSS vulnerability

Example amplification of exploit when combined with my previously reported reflected XSS vulnerability.



Vulnerability solution

QNAP have advised that they will not release a new firmware to address the vulnerabilities.