Attackers use a three-year-old RCE bug to install backdoors in Qnap NAS

RCE bug in Qnap NAS
Written by Emma Davis

Researchers from the Chinese company Qihoo 360 warn that attackers are still exploiting the RCE-bug in the firmware of Qnap NAS devices, which was fixed back in 2017.

The vulnerability allows unauthenticated attackers to authenticate using the authLogout.cgi executable file.

From April 21, 2020, 360Netlab Anglerfish honeypot started to see a new QNAP NAS vulnerability being used to launch attack against QNAP NAS equipment. We noticed that this vulnerability has not been announced on the Internet, and the attacker is cautious in the process of exploiting it”, — write Qihoo 360 researchers.

This vulnerability appeared in the CGI program /httpd/cgi-bin/authLogout.cgi. This CGI is used when the user logs out and selects the appropriate logout function based on the field name in the cookie. The root of the problem is in the insufficient cleaning of the input data (special characters are not filtered).

The problem is QPS_SID, QMS_SID and QMMS_SID does not filter special characters and directly calls the snprintf function to splice curl command string and calls the system function to run the string, thus making command injection possible”, — Qihoo 360 specialists said.

Back in May of this year, researchers contacted the Qnap developers to inform them of the problem they had found, and on August 12 (three months later) they were finally told that the company had fixed this vulnerability a long time ago, and it is just that you can still find devices on the network. which have not been patched.

As it turned out, Qnap engineers fixed this vulnerability in firmware version 4.3.3, released on July 21, 2017.
According to Qihoo 360 analysis, the attackers behind these attacks did not fully automate the hacking process, and some parts of it are done manually.

However, the researchers were never able to establish the ultimate goal of the hackers. It is only known that attackers deploy two payloads to infected devices, one of which is a reverse shell (TCP/1234 port).

Researchers remind owners of Qnap devices to install updates on time. The company’s blog could find a list of vulnerable firmware, as well as indicators of compromise, including the IP addresses of the scanner and the downloader of the attackers.

Let me also remind you that we recently talked about QSnatch malware that infects thousands of QNAP NAS devices.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply