Main Vulnerability Database SB2017010302

SB2017010302 - Remote buffer overflow in QNAP storage devices web interface

Published: January 3, 2017 Updated: July 6, 2020

Security Bulletin ID SB2017010302

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within QNAP web management interface when processing overly long string passed via "p" HTTP GET parameter to /cgi-bin/cgi.cgi binary. A remote attacker can send a specially crafted HTTP GET request, containing name of valid user account and overly long password, cause heap-based buffer overflow and execute arbitrary code on vulnerable system.

Successful exploitation of the vulnerability results in compromise of vulnerable system.

Exploitation example:

echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<263;i++));do echo -en "A";done` HTTP/1.0\nHost: QNAP\n\n" | ncat --ssl 192.168.5.7 443

Remediation

Install update from vendor's website.

References

http://www.securityfocus.com/archive/1/539978