-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-050
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found a persistent/stored cross-site scripting
vulnerability in the file viewer component of the QTS administrative
interface.

This type of vulnerability allows an attacker to store active content
like JavaScript on the system, executing the code in the browser of
visitors viewing the affected page. The code can then be used to e.g.
execute commands in the scope of the user, infect the users browser and
so on.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):


1. Log in to the QNAP. The user needs sufficient permissions to create
ZIP files.
2. Right-click on a file or directory and select "compress(ZIP)"
3. In the newly opened window, enter a name containing HTML codes like
blabla<img src=foo onError=alert(1)>
and press OK
4. The code is being executed directly after creating the ZIP.
5. Right-click on the ZIP-file and hover over 'Extract".
Again, the code is being executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have the neccessary permissions to create 
or rename directories.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-06-22: Vulnerability report updated to fix error in "hover over" 
description.
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for QNAP QTS
    http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-050
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-050.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
    
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.nerz@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVlAAoJENEtJqSRgP2yicQH/RVeQNcb3qhDUiLlfRMKmV//
Fxt52iVXKai0QiWN6GqBOIU0qon4xXvWyiwJckox5QMXJWELi4PPNoyPxfipCp0M
Q8jIbm1KbxMt2SAwUUG1fFY1Dvj8/dWt81S/HLWj131M7QParwFhLjiBoFNnerLM
49QSWe4jYonIUbqINqIIEJ1lp3hbHDTBOOlXHQahpxsUvphBsJBKfEJImERJ9vGT
VhJam8WJwwKjxsLRDxUiUiL2waLAhdbi2HeJiZy1CplwRvDst2yA5zdDG5iz5O3G
zcByMMyk5ZfRATGPYTH6tuEx2SWtFVFIIXPL8FtWi/7vKn2pITcj9vADFvANxSM=
=xxMF
-----END PGP SIGNATURE-----