From April 21, 2020, 360Netlab Anglerfish honeypot started to see a new QNAP NAS vulnerability being used to launch attack against QNAP NAS equipment. We noticed that this vulnerability has not been announced on the Internet, and the attacker is cautious in the process of exploiting it.
Vulnerability type: Unauthorized remote command execution vulnerability
When we enter the sample into the 360 FirmwareTotal system, we found that this vulnerability appeared in the CGI program
/httpd/cgi-bin/authLogout.cgi. This CGI is used when user logout, and it select the corresponding logout function based on the field name in the Cookie. The problem is
QMMS_SID does not filter special characters and directly calls the
snprintf function to splice
curl command string and calls the
system function to run the string, thus making command injection possible.
Vulnerability fix: We contacted the vendor and shared the PoC on May/13, and on Aug 12, QNAP PSIRT replied and indicated the vulnerability had been fixed in previous update but there still are devices on the network that have not been patched. We looked into the vendors’ firmwares and discovered that on July 21, 2017, QNAP released firmware version 4.3.3 and this version included the fix for this vulnerability. This release replaced the
system function with
qnap_exec, and the
qnap_exec function is defined in the
/usr/lib/libuLinux_Util.so.0. By using the
execv to execute custom command, command injection has been avoided.
Attacker behavior analysis
We captured two attackers IP
126.96.36.199, both use the same Payload, after successful exploits, the device will wget
So far the attacker has not implanted bot programs like regular Botnets, and the entire attack process does not seem to be fully automated. we still do not know the true purpose of the attacker yet.
188.8.131.52:8096, we found two other text
.sl file contains 2 lines.
rv, this file is a bash reverse shell script, the control address is
184.108.40.206, and the port is
When we fingerprint this host, we see that
220.127.116.11 has SSH, Metasploit, Apache httpd and other services running.
Discovered open port 9393/tcp on 18.104.22.168 //SSH
Discovered open port 5678/tcp on 22.214.171.124 //Unknown
Discovered open port 3790/tcp on 126.96.36.199 //Metasploit
Discovered open port 80/tcp on 188.8.131.52 //Apache httpd
On May 13, 2020, we emailed the QNAP vendor and reported the details of the vulnerability and shared the PoC.
On August 12, 2020, QNAP PSIRT replied that the vulnerability had been fixed in early updates, but such attacks still exist in the network.
List of known affected firmware
We recommend that QNAP NAS users check and update their firmwares in a timely manner and also check for abnormal processes and network connections.
We recommend the following IoCs to be monitored and blocked on the networks where it is applicable.
Readers are always welcomed to reach us on twitter, or emial to netlab at 360 dot cn.
184.108.40.206 Taiwan ASN18182 Sony Network Taiwan Limited
220.127.116.11 United States ASN33438 Highwinds Network Group, Inc.
18.104.22.168 Canada ASN14061 DigitalOcean, LLC