Researchers at cybersecurity firm Shielder discovered a remote code execution on QNAP Q’center through a manipulated QPKG installation package.
Researchers at cybersecurity firm Shielder discovered a remote code execution flaw on QNAP Q’center through a manipulated QPKG installation package. The vulnerability was discovered by the cyber security expert`zi0Black` from Shielder
Q’center now provides Q’center Virtual Appliance that allows you to deploy Q’center in virtual environments such as Microsoft Hyper-V or VMware ESXi, Fusion and Workstation. Using Q’center as a virtual appliance further increases its flexibility and connectivity for large environments, as you no longer need a local QNAP NAS to monitor other NAS and can use an existing central server to monitor every NAS unit.
QNAP Q’center allows to upload and install QPKG packages.
Experts noticed that opening a QPKG file with a hex editor it is possible to analyze the structure which is composed of an initial script that ends with
exit 10 followed by a tar.gz archive.
“As the initial script seems to rule the archive extraction it is legitimate to think that it is extracted from the QPKG file and executed to extract what follows.” reads the post published by Shielder.
The QNAP Q’center is available as a WMware appliance and according to the researchers, it is possible to extract the Python code directly from its disk. The experts shared a python code that they extracted from the disk that is used to check a QKPG when it is uploaded to the Q’center.
The QPKG file could be interpreted as a shell script and its content could be executed on the vulnerable instance.
“The function extracts the update file (a tar.gz containing the QPKG one) at  and , then it executes the system command
/bin/sh /path/to/QPKG_file.” continues the post. “As stated before the QPKG file could be interpreted as a shell script, so its content is executed on the Q’center instance, allowing to execute arbitrary commands on it.”
The researchers announced they will release the PoC exploit code on their repo, it could allow attackers to execute arbitrary command on the Q’center instance.
A privilege attacker could obtain command execution on a Q’center instance.
The flaw impacts the QNAP Q’center Virtual Appliance version 1.12.1014. Shielder reported the flaw to QNAP which promptly addresses the issue. Below the timeline for this vulnerability:
- 23/01/2021: Vulnerability report is sent to QNAP
- 10/03/2021: QNAP acknowledges issue
- 11/03/2021: Shielder and QNAP agree on the impact of the vulnerability
- 03/06/2021: Shielder’s advisory is made public
(SecurityAffairs – hacking, QNAP Q’center)