![](/style/images/good.png)
![](/style/images/bad.png)
In the wild QNAP NAS attacks
source link: https://blog.netlab.360.com/in-the-wild-qnap-nas-attacks-en/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Author:Yanlong Ma, Genshen Ye, Ye Jin
From April 21, 2020, 360Netlab Anglerfish honeypot started to see a new QNAP NAS vulnerability being used to launch attack against QNAP NAS equipment. We noticed that this vulnerability has not been announced on the Internet, and the attacker is cautious in the process of exploiting it.
Vulnerability analysis
Vulnerability type: Unauthorized remote command execution vulnerability
When we enter the sample into the 360 FirmwareTotal system, we found that this vulnerability appeared in the CGI program /httpd/cgi-bin/authLogout.cgi
. This CGI is used when user logout, and it select the corresponding logout function based on the field name in the Cookie. The problem is QPS_SID
, QMS_SID
and QMMS_SID
does not filter special characters and directly calls the snprintf
function to splice curl
command string and calls the system
function to run the string, thus making command injection possible.
Vulnerability fix: We contacted the vendor and shared the PoC on May/13, and on Aug 12, QNAP PSIRT replied and indicated the vulnerability had been fixed in previous update but there still are devices on the network that have not been patched. We looked into the vendors’ firmwares and discovered that on July 21, 2017, QNAP released firmware version 4.3.3 and this version included the fix for this vulnerability. This release replaced the system
function with qnap_exec
, and the qnap_exec
function is defined in the /usr/lib/libuLinux_Util.so.0
. By using the execv
to execute custom command, command injection has been avoided.
Attacker behavior analysis
We captured two attackers IP 219.85.109.140
and 103.209.253.252
, both use the same Payload, after successful exploits, the device will wget http://165.227.39.105:8096/aaa
file.
So far the attacker has not implanted bot programs like regular Botnets, and the entire attack process does not seem to be fully automated. we still do not know the true purpose of the attacker yet.
On 165.227.39.105:8096
, we found two other text .sl
and rv
. The .sl
file contains 2 lines.
IvHVFqkpELqvuN@WK
IvHVFqkpJEqr|DNWLr
rv
, this file is a bash reverse shell script, the control address is 165.227.39.105
, and the port is TCP/1234
.
When we fingerprint this host, we see that 165.227.39.105
has SSH, Metasploit, Apache httpd and other services running.
Discovered open port 9393/tcp on 165.227.39.105 //SSH
Discovered open port 5678/tcp on 165.227.39.105 //Unknown
Discovered open port 3790/tcp on 165.227.39.105 //Metasploit
Discovered open port 80/tcp on 165.227.39.105 //Apache httpd
Timeline
On May 13, 2020, we emailed the QNAP vendor and reported the details of the vulnerability and shared the PoC.
On August 12, 2020, QNAP PSIRT replied that the vulnerability had been fixed in early updates, but such attacks still exist in the network.
List of known affected firmware
HS-210_20160304-4.2.0
HS-251_20160304-4.2.0
SS-439_20160304-4.2.0
SS-2479U_20160130-4.2.0
TS-119_20160304-4.2.0
TS-210_20160304-4.2.0
TS-219_20160304-4.2.0
TS-221_20160304-4.2.0
TS-239H_20160304-4.2.0
TS-239PROII_20160304-4.2.0
TS-239_20160304-4.2.0
TS-269_20160304-4.2.0
TS-410U_20160304-4.2.0
TS-410_20160304-4.2.0
TS-412U_20160304-4.2.0
TS-419P_20160304-4.2.0
TS-419U_20160304-4.2.0
TS-420U_20160304-4.2.0
TS-421U_20160304-4.2.0
TS-439PROII_20160119-4.2.0
TS-439PROII_20160304-4.2.0
TS-439_20160304-4.2.0
TS-459U_20160119-4.2.0
TS-459U_20160304-4.2.0
TS-459_20160304-4.2.0
TS-469U_20160304-4.2.0
TS-509_20160304-4.2.0
TS-559_20160304-4.2.0
TS-563_20160130-4.2.0
TS-659_20140927-4.1.1
TS-659_20160304-4.2.0
TS-669_20160304-4.2.0
TS-809_20160304-4.2.0
TS-859U_20160304-4.2.0
TS-869_20160304-4.2.0
TS-870U_20160119-4.2.0
TS-870U_20160304-4.2.0
TS-870_20160130-4.2.0
TS-879_20160130-4.2.0
TS-1079_20160119-4.2.0
TS-1269U_20160304-4.2.0
TS-1270U_20160304-4.2.0
TS-1679U_20160304-4.2.0
TS-X51U_20160304-4.2.0
TS-X51_20160304-4.2.0
TS-X53U_20160304-4.2.0
TS-X53U_20161028-4.2.2
TS-X53U_20161102-4.2.2
TS-X53U_20161214-4.2.2
TS-X53U_20170313-4.2.4
TS-X53_20160304-4.2.0
TS-X63U_20161102-4.2.2
TS-X63U_20170313-4.2.4
TS-X80U_20160304-4.2.0
TS-X80_20160130-4.2.0
TS-X80_20160304-4.2.0
TS-X80_20161102-4.2.2
TS-X82_20161208-4.2.2
TS-X82_20170313-4.2.4
TVS-X63_20160130-4.2.0
TVS-X63_20160304-4.2.0
TVS-X63_20160823-4.2.2
TVS-X63_20160901-4.2.2
TVS-X63_20161028-4.2.2
TVS-X63_20161102-4.2.2
TVS-X63_20170121-4.2.3
TVS-X63_20170213-4.2.3
TVS-X63_20170313-4.2.4
TVS-X71U_20161208-4.2.2
TVS-X71_20160130-4.2.0
TVS-X71_20160304-4.2.0
TVS-X71_20161214-4.2.2
TVS-X71_20170313-4.2.4
Suggestions
We recommend that QNAP NAS users check and update their firmwares in a timely manner and also check for abnormal processes and network connections.
We recommend the following IoCs to be monitored and blocked on the networks where it is applicable.
Contact us
Readers are always welcomed to reach us on twitter, or emial to netlab at 360 dot cn.
Scanner IP
219.85.109.140 Taiwan ASN18182 Sony Network Taiwan Limited
103.209.253.252 United States ASN33438 Highwinds Network Group, Inc.
Downloader IP
165.227.39.105 Canada ASN14061 DigitalOcean, LLC
http://165.227.39.105:8096/.sl
http://165.227.39.105:8096/rv
http://165.227.39.105:8096/aaa
Recommend
-
9
31 August 2020 / QNAP QNAP NAS在野漏洞攻击事件 本文作者:
-
4
5 March 2021 / QNAP QNAP NAS在野漏洞攻击事件2 2021年3月2号,360网络安全研究院未知威胁检测系统...
-
11
How to Connect Your QNAP NAS to Backblaze B2 Cloud Storage January 7, 2021 by Skip Levens // 3...
-
8
NAKIVO Blog > NAKIVO Backup & Replication >
-
24
Qnap NAS折腾记(14)安装群晖DSM 大约去年的这个时候购买的Qnap NAS,在此之前我对NAS的作用其实并不是特别了解,购买的时候知道有威联通(Qnap)和群晖这两大品牌,最后为何购买了Qnap而不是使用人数更多的群晖呢,主要原因是在硬件差...
-
1
搭载全新一代处理器,QNAP AI NAS正式发布 搭载全新一代处理器,QNAP AI NAS正式发布
-
13
April 16, 2022包括 EAC3、tmdb 相关 TheMovieDB 连接问题 修改 /etc/hosts 即可。 108.138.246.125 api.themoviedb.org 108.157.4.33 api.themoviedb.org 65.9.82.98 api.themoviedb.org 108.138.246.125 ap...
-
5
QNAP users are in trouble as ech0raix attacks again...
-
3
别买 QNAP - 聊聊威联通 NAS 的坑(更新中) 2022-10-28 14:28:03 #评测 正值双十一,写篇文章劝退一下想购买 QNAP 的读者。笔者...
-
5
Christmas 2022: QNAP 2-bay 4-bay 6-bay diskless NAS nearly 50% off...
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK