High
CVE-2020-2509
CVE-2020-2509
Description
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later; QTS 4.5.1.1495 Build 20201123 and later; QTS 4.3.6.1620 Build 20210322 and later; QTS 4.3.4.1632 Build 20210324 and later; QTS 4.3.3.1624 Build 20210416 and later; QTS 4.2.6 Build 20210327 and later; QuTS hero h4.5.1.1491 build 20201119 and later.
Ratings
-
Attacker Value: High
-
Exploitability: High
Technical Analysis
Not sure this is the vuln (and I can’t test it), but it stood out to me because the exec_mount() function no longer calls popen(3) … or much of anything else:
int32_t exec_mount(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, int32_t a6) { - int32_t str3; - memset(&str3, 0, (int32_t)&g2); - int32_t str4; - memset(&str4, 0, (int32_t)&g1); - sprintf((char *)&str3, "mount.cifs -o \"username=%s,password=\"%s\",soft,iocharset=utf8,%s%s\" %s %s 2>&1", (char *)a3, (char *)a4, (char *)a5, (char *)a6, (char *)a1, (char *)a2); - struct _IO_FILE * stream = popen((char *)&str3, "r"); - char * str = fgets((char *)&str4, (int32_t)&g265, stream); - int32_t result = 0; - if (str != NULL) { - while (strstr((char *)&str4, (char *)((int32_t)&g177 + 0x109d4)) == NULL) { - char * str2 = fgets((char *)&str4, (int32_t)&g265, stream); - result = -1; - if (str2 == NULL) { - goto lab_0x10a14; - } - } - char * found_char_pos = strchr((char *)&str4, 40); - result = -13; - if (found_char_pos != NULL) { - char * str5 = (char *)((int32_t)found_char_pos + 1); - *strchr(str5, 41) = 0; - sscanf(str5, "%d"); - result = -1; - } - } - lab_0x10a14: - if (stream != NULL) { - pclose(stream); - } - return result; + int32_t str; + memset(&str, 0, (int32_t)&g2); + sprintf((char *)&str, "mount.cifs -o \"username=%s,password=\"%s\",soft,iocharset=utf8,%s%s\" %s %s 2>&1", (char *)a3, (char *)a4, (char *)a5, (char *)a6, (char *)a1, (char *)a2); + return 0; }
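Review bot: The patched body still formats all six caller-supplied strings into the stack buffer `str` with an unbounded `sprintf`, and since the result is never read once `popen` is gone, that call is dead code that nevertheless keeps an unchecked stack write in place; it should be deleted outright, or bounded to the buffer's real size with `snprintf`. The decompiled `int32_t str` / `(int32_t)&g2` types are almost certainly decompiler artifacts, so the actual buffer size would need confirming from the disassembly before choosing a bound. The new side also returns 0 unconditionally, so any caller that loops until a zero result — `CIFS_Mount_Speed` below appears to be one, if `function_3e20` is indeed `exec_mount` as the analysis says — will treat every mount as successful without a mount ever being attempted, which supports the reading that this function was neutralized rather than fixed.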
The CIFS_Mount_Speed() function no longer calls system(3) either:
int32_t CIFS_Mount_Speed(int32_t a1, int32_t a2, int32_t a3, int32_t a4) { int32_t str; memset(&str, 0, (int32_t)&g1); int32_t str2; - memset(&str2, 0, (int32_t)&g83); + memset(&str2, 0, (int32_t)&g82); int32_t v1 = 0; int32_t v2; - memset(&v2, 0, (int32_t)&g80); + memset(&v2, 0, (int32_t)&g79); int32_t v3; memset(&v3, 0, 128); int32_t v4; function_3a18((int32_t)((char)v4 == 47) + a2, &v1); int32_t v5; function_3a18(a3, &v5); function_3a18(a4, &v3); char * v6 = (char *)a1; sprintf((char *)&str, "//%s/%s", v6, &v1); sprintf((char *)&str2, "%s/%s/%s/%s", "/mnt/RTRR_CIFS", v6, &v3, &v1); int32_t str3; sprintf((char *)&str3, "mkdir -p %s", &str2); - system((char *)&str3); int32_t v7; - memcpy(&v7, (int32_t *)((int32_t)&g169 + 0x10bb0), (int32_t)&g90); + memcpy(&v7, (int32_t *)((int32_t)&g158 + 0x10a7c), (int32_t)&g89); int32_t v8; - memcpy(&v8, (int32_t *)((int32_t)&g169 + 0x10df0), 128); + memcpy(&v8, (int32_t *)((int32_t)&g158 + 0x10cbc), 128); int32_t v9 = &v7; int32_t v10 = function_3e20(&str, &str2, a4, &v5, v9, &v8); int32_t result = 0; while (v10 != 0) { int32_t v11; int32_t v12 = function_3e20(&str, &str2, a4, &v5, v9, &v11); result = 0; if (v12 == 0) { break; } v9 += 64; if (v9 == (int32_t)&v5) { result = -v12; return result; } v10 = function_3e20(&str, &str2, a4, &v5, v9, &v8); result = 0; } - lab_0x10c7c: + lab_0x10b6c: return result; }
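Review bot: With `system()` removed, `str3` is only ever written, yet the new side still builds `mkdir -p %s` into it with an unbounded `sprintf` — and `str3` has no `memset` and no visible size — so an unchecked stack write survives even though the command is never run; drop the `sprintf` or bound it with `snprintf`. The same unbounded `sprintf` pattern fills `str` and `str2` from `a1` (via `v6`) and the `function_3a18` outputs, which on the old side fed the shell, and those writes deserve the same bound. `v4` is read in `(char)v4 == 47` before anything assigns it, which is either a decompiler artifact or a genuine uninitialized read and is worth checking against the disassembly.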
function_3e20() above is actually exec_mount(). Sorry about that.
CVSS V3 Severity and Metrics
General Information
Vendors
- qnap
Products
- qts,
- qts 4.2.6,
- qts 4.3.3.0174,
- qts 4.3.3.0868,
- qts 4.3.3.0998,
- qts 4.3.3.1051,
- qts 4.3.3.1098,
- qts 4.3.3.1161,
- qts 4.3.3.1252,
- qts 4.3.3.1315,
- qts 4.3.3.1386,
- qts 4.3.3.1432,
- qts 4.3.4.0358,
- qts 4.3.4.0370,
- qts 4.3.4.0372,
- qts 4.3.4.0374,
- qts 4.3.4.0387,
- qts 4.3.4.0411,
- qts 4.3.4.0416,
- qts 4.3.4.0427,
- qts 4.3.4.0434,
- qts 4.3.4.0435,
- qts 4.3.4.0451,
- qts 4.3.4.0483,
- qts 4.3.4.0486,
- qts 4.3.4.0506,
- qts 4.3.4.0516,
- qts 4.3.4.0526,
- qts 4.3.4.0551,
- qts 4.3.4.0557,
- qts 4.3.4.0561,
- qts 4.3.4.0569,
- qts 4.3.4.0593,
- qts 4.3.4.0597,
- qts 4.3.4.0604,
- qts 4.3.4.0899,
- qts 4.3.4.1029,
- qts 4.3.4.1082,
- qts 4.3.4.1190,
- qts 4.3.4.1282,
- qts 4.3.4.1368,
- qts 4.3.4.1417,
- qts 4.3.4.1463,
- qts 4.3.6,
- qts 4.3.6.0895,
- qts 4.3.6.0907,
- qts 4.3.6.0923,
- qts 4.3.6.0944,
- qts 4.3.6.0959,
- qts 4.3.6.0979,
- qts 4.3.6.0993,
- qts 4.3.6.1013,
- qts 4.3.6.1033,
- qts 4.3.6.1070,
- qts 4.3.6.1154,
- qts 4.3.6.1218,
- qts 4.3.6.1263,
- qts 4.3.6.1286,
- qts 4.3.6.1333,
- qts 4.3.6.1411,
- qts 4.3.6.1446,
- qts 4.5.1,
- qts 4.5.1.1456,
- qts 4.5.1.1461,
- qts 4.5.1.1465,
- qts 4.5.1.1480,
- qts 4.5.2,
- quts hero,
- quts hero h4.5.1,
- quts hero h4.5.1.1472
Exploited in the Wild
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: Most Commonly Exploited Vulns 2021 (https://us-cert.cisa.gov/ncas/alerts/aa22-117a)
References
Miscellaneous
Additional Info
Technical Analysis