During a red team exercise for a global logistics provider, Cyber Citadel security researchers Rafay Baloch, Hammad Shamsi and Muhammad Samak found a directory traversal vulnerability affecting QNAP devices running QTS.
The vulnerability was reported to QNAP through responsible disclosure, following a 60-day timeframe to allow the vendor to develop and release a patch before public disclosure.
A directory traversal vulnerability, also known as path traversal, allows an attacker to access restricted directories and files, and in some cases execute commands, outside of the web server's root directory. By manipulating variables that reference files with dot-dot-slash (../) sequences or similar constructs, an attacker can traverse the file system and reach areas that should be inaccessible.
In the case of the QNAP vulnerability, the "f" parameter in the affected application allowed an attacker to retrieve files remotely from the device by manipulating the file path. This meant that sensitive system files could be accessed without proper authorisation.
Vendor Response
QNAP publicly disclosed the vulnerability on May 6, 2022. The same vulnerability was also independently discovered by researchers at Thomson Reuters during a separate investigation. QNAP credited all parties who reported the issue in their security advisory, acknowledging both the Cyber Citadel team and the Thomson Reuters researchers.
Impact Assessment
While QNAP rated the vulnerability as medium severity, Cyber Citadel considers the real-world impact to be critical. The ability to traverse directories on a network-attached storage device opens up a range of dangerous attack possibilities:
- Username Enumeration: Retrieving the /etc/passwd file allows an attacker to enumerate all user accounts on the device, providing valuable information for further attacks.
- Apache Log Access: Accessing Apache log files can reveal sensitive information about server activity, user sessions and internal network architecture.
- Remote Command Execution: When combined with other attack vectors, directory traversal can potentially be chained to achieve remote command execution, giving an attacker full control over the device.
QNAP devices are widely deployed in both enterprise and home environments. A directory traversal vulnerability on these devices can serve as a foothold for lateral movement across an entire network.
Recommendations
To protect against directory traversal vulnerabilities, developers and system administrators should implement the following measures:
- Input Validation: Do not permit direct file path appending from user-controlled input. All file path parameters should be validated and sanitised before use.
- Character Restriction: Accept only required characters in file path parameters. Reject any input containing path traversal sequences such as ../ or encoded equivalents.
- Directory Restriction: Limit API file inclusion to allow access only from specific, pre-defined directories. Any request for files outside these directories should be rejected.
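As an added illustration of the three measures above (example code written for this article, not QNAP's code or the affected application), the handler below shows the vulnerable "append the f parameter to the root" pattern beside a hardened version that decodes, validates, rejects traversal segments and confirms the resolved path stays inside one allowed directory. The root directory, function names and test inputs are constructed assumptions.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed example: the handler may only serve files from this directory.
ALLOWED_ROOT = "/share/Web/public"  # hypothetical base directory, not a real QNAP path

# Character restriction: a legitimate relative file name uses only these characters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._/-]+")


def naive_resolve(f: str) -> str:
    """The vulnerable pattern: the user-supplied 'f' value is appended straight onto the root."""
    return os.path.normpath(ALLOWED_ROOT + "/" + f)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %2e%2e%2f and double-encoded forms are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(f: str) -> Optional[str]:
    """Hardened handler: returns the resolved path, or None when the request must be rejected."""
    decoded = fully_decode(f)
    # Input validation: reject empty names, absolute paths (os.path.join would discard the
    # root for those) and any character outside the allow-list (covers NUL bytes and backslashes).
    if not decoded or decoded.startswith("/") or not _SAFE_NAME.fullmatch(decoded):
        return None
    # Character restriction: refuse any '..' path segment outright, even before normalising.
    if ".." in decoded.split("/"):
        return None
    # Directory restriction: after symlink/normalisation via realpath, the candidate must
    # still sit under the allowed root; commonpath makes the containment check exact.
    root = os.path.realpath(ALLOWED_ROOT)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

The final realpath containment check is the safety net: it rejects anything the string checks miss, including a symlink inside the root that points elsewhere, which no amount of character filtering can detect.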
