In 2019, I discovered multiple vulnerabilities in QNAP Photo Station and its CGI programs. These vulnerabilities can be chained into a pre-auth root RCE. All QNAP NAS models are vulnerable, and there are ~312K vulnerable QNAP NAS instances on the Internet (statistical estimate). These vulnerabilities have been responsibly reported, fixed and assigned CVE-2019-7192 (CVSS 9.8), CVE-2019-7193 (CVSS 9.8), CVE-2019-7194 (CVSS 9.8) and CVE-2019-7195 (CVSS 9.8). This article is the first public disclosure, but only 3 of the vulnerabilities are disclosed, because they are enough to achieve pre-auth root RCE.
The following Shodan search reveals 564K QNAP instances on the Internet. Among those, 590 of 1065 randomly chosen instances have Photo Station enabled (checked by requesting GET /photo/slideshow.php and seeing whether it responds with "Invalid album selection"). Therefore, statistically speaking, at a 95% confidence level with a confidence interval of 3, there should be ~312K instances having Photo Station enabled, and they were all vulnerable at the time (2019).
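As an added worked example (not part of the original article), the following Python reproduces the exposure estimate above from the three figures the article gives (564K hosts, 1065 sampled, 590 positive). It assumes the standard normal approximation to a binomial proportion with a z-score of 1.96 for 95% confidence, and it also shows the reverse calculation: how many hosts must be sampled to reach a ±3% margin, with the finite-population correction applied.

```python
import math

# Figures quoted in the article (set up here as constants for the worked calculation)
SHODAN_TOTAL = 564_000      # QNAP instances found by the Shodan search
SAMPLE_SIZE = 1065          # randomly chosen instances that were probed
SAMPLE_ENABLED = 590        # of those, instances that answered "Invalid album selection"

Z_95 = 1.959964             # two-sided z-score for a 95% confidence level


def exposure_estimate(total, n, k, z=Z_95):
    """Estimate how many of `total` hosts share a property observed in k of n
    randomly sampled hosts, using the normal approximation to a binomial
    proportion.

    Returns (point_estimate, low, high, margin_percent): the expected count,
    the bounds of the confidence interval in hosts, and the half-width of the
    interval in percentage points (what the article calls "confidence interval 3").
    """
    p = k / n
    std_err = math.sqrt(p * (1 - p) / n)
    margin = z * std_err
    return (
        round(total * p),
        round(total * (p - margin)),
        round(total * (p + margin)),
        round(margin * 100, 1),
    )


def sample_size_for_margin(total, margin_percent, z=Z_95, p=0.5):
    """How many hosts must be sampled from a population of `total` to achieve
    the requested margin (in percentage points) at the given confidence level.

    p=0.5 is the worst case (largest variance), which sample-size calculators
    assume before any data is collected. The finite-population correction
    shrinks the requirement slightly when the population size is known.
    """
    e = margin_percent / 100
    n0 = (z ** 2) * p * (1 - p) / (e ** 2)          # infinite-population sample size
    return round(n0 / (1 + (n0 - 1) / total))       # finite-population correction


if __name__ == "__main__":
    est, low, high, margin = exposure_estimate(SHODAN_TOTAL, SAMPLE_SIZE, SAMPLE_ENABLED)
    print(f"estimated hosts with Photo Station: ~{est:,} ({low:,} to {high:,}, +/-{margin}%)")
    print(f"sample needed for +/-3% at 95%: {sample_size_for_margin(SHODAN_TOTAL, 3)}")
```

Running it gives a point estimate of about 312K hosts with a margin of 3.0 percentage points, and the reverse calculation returns 1065, which is exactly the sample size used above: a 95% / ±3% sample-size calculation against a population of 564K yields 1065 hosts.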
Affected Photo Station Versions
All downloadable versions before the fixed ones (6.0.3, 5.2.11, 5.4.9) were affected.
Visit QNAP’s Security Advisory for details like version info.
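For operators who need to check a fleet, here is an added example (my code, not QNAP's or the article's) that classifies an installed Photo Station version against the three fixed releases named above. The branch handling is my assumption: a version counts as patched when it is at or above the fix for its own major.minor branch, or when it is newer than the newest listed fix; a branch with no listed fix (5.3.x, say) is reported as unknown so that the vendor advisory is consulted instead of guessing. The hostnames and versions in the sample inventory are constructed for the demonstration.

```python
from typing import List, Tuple

# Fixed Photo Station releases named in the article, keyed by major.minor branch.
FIXED_BY_BRANCH = {
    (6, 0): (6, 0, 3),
    (5, 4): (5, 4, 9),
    (5, 2): (5, 2, 11),
}
NEWEST_FIX = max(FIXED_BY_BRANCH.values())   # (6, 0, 3)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; anything else is an
    error rather than a silent 'looks patched'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Photo Station version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def photo_station_status(version_text: str) -> str:
    """Classify an installed Photo Station version as 'patched', 'affected'
    or 'unknown-branch'.

    Assumptions (mine, not stated in the article): a version is patched if it
    is at or above the fix for its own major.minor branch, or if it is newer
    than the newest listed fix altogether; a branch with no listed fix (e.g.
    5.3.x) is reported as 'unknown-branch' so the operator checks the advisory.
    """
    v = parse_version(version_text)
    branch_fix = FIXED_BY_BRANCH.get(v[:2])
    if branch_fix is not None:
        return "patched" if v >= branch_fix else "affected"
    if v > NEWEST_FIX:
        return "patched"
    return "unknown-branch"


def hosts_needing_attention(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the check over (hostname, version) pairs and return every host that
    is not confirmed patched, with its status, for a remediation ticket."""
    findings = []
    for host, version in inventory:
        try:
            status = photo_station_status(version)
        except ValueError:
            status = "unparseable"
        if status != "patched":
            findings.append((host, version, status))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the demo)
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "5.4.8"),
    ("nas-02.example.internal", "5.4.9"),
    ("nas-03.example.internal", "6.0.2"),
    ("nas-04.example.internal", "6.1.0"),
    ("nas-05.example.internal", "5.3.0"),
    ("nas-06.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host, version, status in hosts_needing_attention(SAMPLE_INVENTORY):
        print(f"{host}: Photo Station {version} -> {status}")
```

The version strings would normally come from the NAS inventory or the App Center listing; the point of the unparseable and unknown-branch outcomes is that a host never drops off the remediation list just because its version could not be confirmed.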
This article has been greatly redacted as requested by QNAP PSIRT to give more users extended lead time to get patched. Together we build a safer world.
Now, let’s look at the 3 vulnerabilities that will later be chained to make a pre-auth root RCE.
Vulnerability 1: Pre-Auth Local File Disclosure (Effectively a Login Bypass)
Upgrading the Pre-Auth Local File Disclosure to Privilege Escalation (Login Bypass)
We can use this pre-auth local file disclosure to read a magic file that contains a login token, which we can use to authenticate as a valid built-in user.
Magic file [redacted]:
- the file content won't change after a factory reset
- the file is generated when [redacted] succeeds for the first time
- Photo Station caches a plaintext version of
Therefore, we can use vulnerability 1 to read the cached plaintext token to bypass the login and authenticate as
[Redacted: picture of authentication bypass]
With this trick, vulnerability 1 is actually an authentication bypass.
Vulnerability 2: Authenticated Session Tampering — Writing PHP Code to Session
Being authenticated as appuser gives us access to the SMTP setting, which performs improper filtering on the email string. An authenticated attacker can [redacted], and this can be chained with the next vulnerability, or with other file inclusion vulnerabilities (e.g.
POC: Authenticated Session Tampering
[Redacted picture of session tampering]
Vulnerability 3: (Pre-Auth) Writing Session to Arbitrary Location
This section is redacted due to the request of QNAP PSIRT.
This vulnerability enables an unauthenticated attacker to write session contents ([redacted]) to an arbitrary location on the server.
POC: Writing Session to Arbitrary Location
Chaining for Pre-Auth Root RCE
- Use vulnerability 1 to bypass authentication and authenticate as
- Use vulnerability 2 to put [redacted] code (via the SMTP email setting) in the [redacted] session (
- Use vulnerability 3 to write the polluted [redacted] session into Photo Station's web directory, creating a webshell
- 2019/06/14: reported technical details to QNAP
- 2019/12/16: vendor fixed all 4 vulnerabilities, offered to provide a bounty (the amount is concealed due to the bounty terms)
- 2019/12/31: got bounty
- 2020/05/19: public disclosure
- 2020/06/09: details of vulnerability 1 are redacted at the vendor's request
- 2020/06/10: details of vulnerabilities 2 & 3 are redacted at the vendor's request
- 2020/06/19: more redaction at the vendor's request
These 3 vulnerabilities are chained to get a pre-auth root RCE in QNAP Photo Station, and it works on all QNAP NAS models. Several tricks for exploiting QNAP products are also disclosed. Hopefully QNAP fixes these tricks some day; otherwise I'm pretty sure there will be more high-CVSS CVEs coming up.
- UPGRADE YOUR QNAP NAS NOW, if you haven't already
- There is a way to decrypt [redacted], but I'll leave it as homework for you
- QNAP's web server runs as [redacted]
- [redacted] might give you some more 0days