Recent ransomware attacks against QNAP devices had caused great mayhem among end-users. In our talk, we’ll share our insights gained from public information regarding the vulnerability used by QLocker, how we performed analysis in the QNAP NAS ecosystem. and how we ended up with another new RCE. We then did more analysis on QNAP's enterprise offering, QSAN, and found 30+ CVEs in the process, some of them allowing overtaking QSAN in a similar way as QNAP NAS. Throughout our presentation, not only we'll talk about getting shells on NAS and SAN, but we'll also share our insights on how the devices can be further secured, advice for vendors for building secure systems, and finally, advice for both enterprise and ordinary end-use rs to secure the device.

1. NAS as Not As Secure
Ta-Lun Yen TXOne Networks
Shirley Kuo ZUSO Generation

2. 2021-10-19
2
ZUSO Generation
The best defense is offense.
Background of our research
Ta-Lun Yen, TXOne Networks

3. 2021-10-19
3
ZUSO Generation
The best defense is offense.
Recent ransomware attack against (QNAP) NAS devices

4. 2021-10-19
4
ZUSO Generation
The best defense is offense.
Recent ransomware against NAS devices
● Why this should be treated seriously?
○ They are usually filled with precious data (backups, documents, etc)
● NAS are usually NOT closely guarded
● These systems are usually close to “interesting” segments...
● Foothold for other attacks

5. 2021-10-19
5
ZUSO Generation
The best defense is offense.
QLocker ransomware: what’s special about it?
● 0-days still being found in affected component
○ We found one just after QLocker patch
● It spreads quite fast
● It operates differently like others
○ Asks for a little ransom (0.01BTC, around $500)
● We haven’t looked into NAS before

6. 2021-10-19
6
ZUSO Generation
The best defense is offense.
“Vulnerability archaeology”
Ta-Lun Yen, TXOne Networks

7. 2021-10-19
7
ZUSO Generation
The best defense is offense.
Analysis: QNAP’s claim against QLocker
We know which
version
to do a diff with

8. 2021-10-19
8
ZUSO Generation
The best defense is offense.
Analysis: QNAP’s claim against QLocker
● QNAP’s Facebook page (Taiwanese Mandarin)
Q: Which app is exploited by QLocker? It’s said to be Multimedia Console, Media Streaming Add-on and
Hybrid Backup Sync, and it’s also said only Hybrid Backup Sync is exploited?
A: After investigation, we’re certain that only Hybrid Backup Sync is exploited (refer to QSA-21-13)
Q: Is it because there’s a backdoor inside QNAP NAS so it got exploited?
A: All QNAP NAS does not contain hard-coded backdoors. HBS is being exploited with vulnerabilities
within its code, and by gaining privileges illegally.

9. 2021-10-19
9
ZUSO Generation
The best defense is offense.
Dissecting QNAP update & application packages
● Extractor: github://max-boehm/qnap-utils
● No URL? Make one yourself
● <a screenshot of downloading older qnap versions>

10. 2021-10-19
10
ZUSO Generation
The best defense is offense.
What is fixed by QNAP
● Patch notes (16.0.0415)
● Diff between 16.0.0415 & 15.1.0225

11. 2021-10-19
11
ZUSO Generation
The best defense is offense.
What was fixed?
● This seems interesting…
● Why would they remove it all?

12. 2021-10-19
12
ZUSO Generation
The best defense is offense.
What was fixed?
● Malware Remover
○ We assume everyone using 7z is QLocker!
https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-t
o-encrypt-qnap-devices/

13. 2021-10-19
13
ZUSO Generation
The best defense is offense.
Mitigation against QLocker (Malware Remover)
● Without public disclosure/writeups, we know:
○ QLocker is using something related to what is removed
○ It uses 7z to do something nasty
● Yara rule -> found 2nd stage payload (r.py)
rule qlocker
{
strings:
$a = "hbs_mgmt"
$b =
"gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion"
condition:
any of them
}

14. 2021-10-19
14
ZUSO Generation
The best defense is offense.
r.py
● Encrypts disks via embedded RSA pubkey
○ subprocess.Popen(['/usr/local/sbin/7z', 'a', '-mx=0',
'-sdel', '-p' + random_id, enc_path, orig_path],
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
● What is the initial vector?
○ Did not catch it via honeypot (operator stopped operating by then)

15. 2021-10-19
15
ZUSO Generation
The best defense is offense.
Break HBS3 again!
Ta-Lun Yen, TXOne Networks

16. 2021-10-19
16
ZUSO Generation
The best defense is offense.
How HBS3 works?
● Enable syncing between cloud/NAS
● Client-Server architecture
● Server: Python-WSGI -> “rr2_server”
● Client: Python script “rr2_client”

17. 2021-10-19
17
ZUSO Generation
The best defense is offense.
How HBS3 works?
● Handlers

18. 2021-10-19
18
ZUSO Generation
The best defense is offense.
How HBS3 works?
● Handlers

19. 2021-10-19
19
ZUSO Generation
The best defense is offense.
How HBS3 is broken?
● plugin_cmd
● imports module directly and
run it

20. 2021-10-19
20
ZUSO Generation
The best defense is offense.
Custom commands
● Some interesting commands...

21. 2021-10-19
21
ZUSO Generation
The best defense is offense.
Custom commands
● Some interesting commands…
● Does not check for authentication
○ CVE-2021-28809 (9.8)
Missing Authentication for Critical Function RCE
○

22. 2021-10-19
22
ZUSO Generation
The best defense is offense.
Demo: Overtaking a QNAP NAS with ease!

23. 2021-10-19
23
ZUSO Generation
The best defense is offense.
Conclusion: Device fragmentation
● Example: HBS3 - 2 branches
− 3.x (QTS 4.3)
● arm, x86_64
− 16.x, 17.x (QTS 4.5)
● arm, x86_64
● arm, x86_64 looks the same, but 3.x, 16.x has quite big difference
● CVE-2021-28809 only exists in 3.x

24. 2021-10-19
24
ZUSO Generation
The best defense is offense.
What went wrong with HBS3 (and QTS)
Shirley Kuo, ZUSO Generation

25. 2021-10-19
25
ZUSO Generation
The best defense is offense.
Path Traversal - CVE-2021-28798
● CVE-2021-28798
● A relative path traversal vulnerability has been reported to affect QNAP
NAS running QTS and QuTS hero. If exploited, this vulnerability allows
attackers to modify files that impact system integrity.
● CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

26. 2021-10-19
26
ZUSO Generation
The best defense is offense.
Dissect QNAP packages

27. 2021-10-19
27
ZUSO Generation
The best defense is offense.
QuTScloud

28. 2021-10-19
28
ZUSO Generation
The best defense is offense.
SSH protocol

29. 2021-10-19
29
ZUSO Generation
The best defense is offense.
Text Editor

30. 2021-10-19
30
ZUSO Generation
The best defense is offense.
Amazing CGI :)

31. 2021-10-19
31
ZUSO Generation
The best defense is offense.
Amazing CGI

32. 2021-10-19
32
ZUSO Generation
The best defense is offense.
Amazing CGI

33. 2021-10-19
33
ZUSO Generation
The best defense is offense.
Amazing CGI

34. 2021-10-19
34
ZUSO Generation
The best defense is offense.
Path Traversal

35. 2021-10-19
35
ZUSO Generation
The best defense is offense.
Shopping Time!!

36. 2021-10-19
36
ZUSO Generation
The best defense is offense.
Where is the Vulnerability Application?!

37. 2021-10-19
37
ZUSO Generation
The best defense is offense.
Never Give Up

38. 2021-10-19
38
ZUSO Generation
The best defense is offense.
Low Permission

39. 2021-10-19
39
ZUSO Generation
The best defense is offense.
Path Traversal - CVE-2021-28798

40. 2021-10-19
40
ZUSO Generation
The best defense is offense.
Overwrite something...

41. 2021-10-19
41
ZUSO Generation
The best defense is offense.
Privilege Escalation
● Apache launch by administrator
● Modify time can be able to bypass

42. 2021-10-19
42
ZUSO Generation
The best defense is offense.
Backdoor - CVE-2021-28799
● CVE-2021-28799
● An improper authorization vulnerability has been reported to affect
QNAP NAS running HBS 3 (Hybrid Backup Sync.) If exploited, the
vulnerability allows remote attackers to log in to a device.
● CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

43. 2021-10-19
43
ZUSO Generation
The best defense is offense.
Backdoor - CVE-2021-28799
● jisoosocoolhbsmgnt

44. 2021-10-19
44
ZUSO Generation
The best defense is offense.
Real NAS Device

45. 2021-10-19
45
ZUSO Generation
The best defense is offense.
First Step

46. 2021-10-19
46
ZUSO Generation
The best defense is offense.
Man-in-the-Middle

47. 2021-10-19
47
ZUSO Generation
The best defense is offense.
Source Code

48. 2021-10-19
48
ZUSO Generation
The best defense is offense.
Ask Google...
● authLogin.cgi

49. 2021-10-19
49
ZUSO Generation
The best defense is offense.
Where is CGI located?

50. 2021-10-19
50
ZUSO Generation
The best defense is offense.
hbs_mgnt.cgi

51. 2021-10-19
51
ZUSO Generation
The best defense is offense.
Code Review
● hbs_mgnt.cgi
● -> main()

52. 2021-10-19
52
ZUSO Generation
The best defense is offense.
Code Review
● hbs_mgnt.cgi
● -> run_module()

53. 2021-10-19
53
ZUSO Generation
The best defense is offense.
Code Review
● hbs_mgnt.cgi
● -> run_module()
● -> check_sid_and_get_act_module()

54. 2021-10-19
54
ZUSO Generation
The best defense is offense.
Code Review
● Fixed sid!?

55. 2021-10-19
55
ZUSO Generation
The best defense is offense.
Code Review
● Check of POST verb
● Check if content-type is json or multipart
● Check args for this act

56. 2021-10-19
56
ZUSO Generation
The best defense is offense.
Code Review

57. 2021-10-19
57
ZUSO Generation
The best defense is offense.
Parameters

58. 2021-10-19
58
ZUSO Generation
The best defense is offense.
QLocker BTC

59. 2021-10-19
59
ZUSO Generation
The best defense is offense.
Enterprise offering from QNAP
Shirley Kuo, ZUSO Generation

60. 2021-10-19
60
ZUSO Generation
The best defense is offense.
QSAN CVEs...

61. 2021-10-19
61
ZUSO Generation
The best defense is offense.
Dissecting QSAN
● Path Traversal
● Command injection
● Hard-coded Password
● Directory Listing
● Improper Access Control
● Other

62. 2021-10-19
62
ZUSO Generation
The best defense is offense.
Command Injection

63. 2021-10-19
63
ZUSO Generation
The best defense is offense.
Hard-coded Password

64. 2021-10-19
64
ZUSO Generation
The best defense is offense.
Improper Access Control

65. 2021-10-19
65
ZUSO Generation
The best defense is offense.
Results & Conclusion
Ta-Lun Yen, TXOne Networks

66. 2021-10-19
66
ZUSO Generation
The best defense is offense.
Results
● Broke HBS3 (QNAP QTS)
● Enterprise offering is not secure either (30+ CVEs in QSAN)

67. 2021-10-19
67
ZUSO Generation
The best defense is offense.
Results
● Common bad patterns
● No input validation
● Weak/Non-existing preconditions check
● XSS and “unlocked backdoor” still exists…
● We are surprised (this is 2021)

68. 2021-10-19
68
ZUSO Generation
The best defense is offense.
Suggestions
● Be cautious while writing code for devices
○ “Can it be abused?”
○ “Is it safe and is not ONLY safe in happy scenarios?”
● Employ 3rd-party code reviews
● For enterprise/SOHO/home users:
○ Lock your untrusted device down
■ Behind VPN, strict firewall rules, no external internet

69. 2021-10-19
69
ZUSO Generation
The best defense is offense.
Questions?
Ta-Lun Yen <talun_yen@trendmicro.com> @evanslify
Shirley Kuo <shirley@zuso.ai>