Three vulnerabilities identified in QNAP Photo Station last year could be chained to achieve pre-authentication remote code execution on affected QNAP network-attached storage (NAS) devices.
QNAP Photo Station is a photo album application that is present on the majority (roughly 80%) of QNAP NAS systems, allowing users to easily organize photos and videos on those devices, as well as to share them with others over the Internet.
Last year, CyCarrier CSIRT security researcher Henry Huang identified four critical vulnerabilities in QNAP software, three of which can be chained together to execute code remotely on the impacted systems, with root privileges.
The three bugs in Photo Station are tracked as CVE-2019–7192, CVE-2019–7194, and CVE-2019–7195, while the fourth impacts the QTS NAS operating system and is tracked as CVE-2019–7193. Each of the four vulnerabilities carries a CVSS score of 9.8.
All QNAP NAS devices with Photo Station on them would be impacted by these issues, thus being exposed to attacks, Huang explains. At the time of discovery, there were an estimated 450,000 vulnerable QNAP NAS systems connected to the Internet, the researcher says.
The first of the vulnerabilities could allow attackers to read files on the server without authentication. The attacker could abuse this bug to read a file containing a login token, which can then be leveraged to authenticate as a valid user named appuser.
Next, the attacker can proceed to exploit the second vulnerability, which allows them to inject arbitrary PHP code into the session.
The third vulnerability, the researcher explains, allows the attacker to write session contents to the server, without authentication.
Thus, an attacker could chain the three security flaws to authenticate as appuser, inject code into the PHP session, and write the modified session to Photo Station’s web directory to make a webshell.
The web server runs as root and the first bug provides access to the text file storing encrypted passwords and other password-related information, readable only by the root user, the researcher explains.
The security researcher decided not to disclose details about the fourth vulnerability he found, arguing that the other three flaws are enough for hacking a NAS device.
QNAP issued patches for these vulnerabilities in November last year, confirming that multiple versions of QTS and Photo Station are impacted.
All QNAP NAS devices running Photo Station that do not run the latest versions of QTS and Photo Station are exposed to attacks looking to exploit these vulnerabilities.