Public RCE Exploit Revealed for Unpatched QNAP QTS Zero-Day

May 20, 2024

A thorough security inspection of QNAP QTS, the operating system for QNAP's NAS devices, has revealed fifteen different vulnerabilities, eleven of which are still unresolved. Among these vulnerabilities is CVE-2024-27130, a yet-to-be-patched stack buffer overflow vulnerability in the 'No_Support_ACL' function of 'share.cgi,' which could potentially allow a hacker to perform remote code execution under certain conditions.

The vulnerabilities were reported to the vendor between December 12, 2023, and January 23, 2024. However, the vendor's response was delayed, and only four of the fifteen identified flaws have been fixed so far. WatchTowr Labs, who discovered the vulnerabilities, made public the full details of their findings and a proof of concept (PoC) exploit for CVE-2024-27130 on Friday.

The vulnerabilities identified by WatchTowr analysts mainly pertain to code execution, buffer overflows, memory corruption, authentication bypass, and XSS issues. These vulnerabilities pose a significant threat to the security of NAS devices across various deployment environments. The analysts at WatchTowr identified a total of fifteen flaws.

These bugs affect QTS, the operating system for QNAP's NAS devices, QuTScloud, a virtual machine-optimized version of QTS, and QTS hero, a high-performance specialized version. QNAP has addressed CVE-2023-50361 through CVE-2023-50364 in a security update released in April 2024. However, all other vulnerabilities identified by WatchTowr remain unaddressed.

The vulnerability CVE-2024-27130 in QNAP arises due to the unsafe usage of the 'strcpy' function in the No_Support_ACL function. This function is used by the get_file_size request in the share.cgi script, which is used when sharing media with external users. A hacker can craft a malicious request with a specially designed 'name' parameter, causing the buffer overflow and leading to remote code execution.

To exploit CVE-2024-27130, the hacker requires a valid 'ssid' parameter, generated when a NAS user shares a file from their QNAP device. This parameter is included in the URL of the 'share' link created on a device, so a hacker would need to employ social engineering to gain access to it. However, it was found that users sometimes share these links online, allowing them to be indexed and easily found via a Google search. Although CVE-2024-27130 is not easy to exploit, the SSID prerequisite can be met by determined actors.

WatchTowr has published an exploit on GitHub, demonstrating how to craft a payload that creates a 'watchtowr' account on a QNAP device and grants them elevated privileges. QNAP has been contacted for a statement about the disclosed flaws, but no comment was available at the time of reporting.

Latest News

• Microsoft Yet to Address Seven Zero-Days Vulnerabilities Uncovered in Pwn2Own 2024
• CISA Includes Chrome Zero-Days in its Known Exploited Vulnerabilities Catalog
• Asian Cyber Threats Evolve: New Strategies Target Familiar Sectors
• GE Ultrasound Devices Vulnerable to Ransomware and Data Theft
• Google Responds to Third Chrome Zero-Day Exploit in a Week