Decoding the CVE-2023-39296 Vulnerability: A Technical and PoC Analysis

CVE-2023-39296 PoC

The technical details and a proof-of-concept (PoC) were released for the recently patched security flaw, CVE-2023-39296, a critical vulnerability in QNAP’s QTS and QuTS hero operating systems.

This flaw, rated 7.5 on the CVSS scale, is a prototype pollution vulnerability affecting specific versions of the QNAP operating systems. Prototype pollution, a relatively obscure but dangerous class of vulnerability, allows remote attackers to alter the properties of an object's prototype. In the case of QTS and QuTS hero, the flaw could let attackers override existing attributes with incompatible types, potentially crashing the system.

The technical intricacies and a proof-of-concept (PoC) exploit code for CVE-2023-39296 were unveiled by an independent security researcher, DCS, in collaboration with SSD Secure Disclosure. The vulnerability stems from a flaw in the JSON parsing functionality of QTS that leads to a type confusion error: the data union of the json_object (the o field in the struct shown below) was used without its type being validated, allowing attackers to hijack the control flow.


The /cgi-bin/qid/qidRequestV2.cgi binary, reachable over the network, is the entry point for exploitation. An unauthenticated attacker can execute arbitrary code with admin privileges, which on the QTS operating system is equivalent to root access. The flaw can be exploited by an attacker on the local network, or remotely if the HTTP server is configured for external access.

The root cause of this vulnerability is QTS's JSON functionality, which is based on the MIT-licensed json-c project and implemented in /usr/lib/libqcloud.so. The function json_tokener_parse_verbose is designed to parse a JSON string and construct a JSON object. However, a critical lapse occurs when this function fails to verify the o_type field before adding values to a json_object. Because the union member is read without consulting the tag, a specifically crafted JSON string can make the system treat a string or integer value as a struct lh_table.

    struct json_object {
        enum json_type o_type;           /* [1] type tag: not verified before the union below is used */
        json_func *_delete;
        json_func *_to_json_string;
        int ref_count;
        struct printbuf *pb;
        union data {
            boolean c_boolean;
            double c_double;
            int c_int;
            struct lh_table *c_object;   /* hash table; lh_table carries function pointers */
            struct array_list *c_array;
            char *c_string;
        } o;                             /* the "data" union the text refers to */
    };

This manipulation is particularly hazardous because it involves dereferencing a function pointer in lh_table, opening the door to control-flow hijacking. A carefully crafted JSON string, like "702111234474983745 {}", could cause the system to dereference an lh_table at an attacker-specified address.
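The following is an added illustration, not json-c or QNAP code: a minimal tagged union modelled on the struct json_object excerpt above, with an accessor that trusts the union beside one that checks o_type first. The type and function names (JT_INT, table_checked, object_add_checked, and so on) are hypothetical stand-ins for the json-c types; the integer value used in the demonstration is the one from the curl request on this page. The point it shows is the defensive pattern: every routine that needs a table goes through the tag check, so an int or string value can never be handed to table code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration modelled on the struct json_object excerpt above.
 * Not json-c or QNAP code; all names are hypothetical stand-ins. */

enum json_type { JT_NULL, JT_INT, JT_STRING, JT_OBJECT };

/* Stand-in for json-c's lh_table. The real one also holds function
 * pointers, which is why treating other data as a table is dangerous. */
struct lh_table {
    size_t count;
    void (*free_fn)(void *);
};

struct json_object {
    enum json_type o_type;      /* tag that says which union member is live */
    union {
        int64_t c_int64;
        char *c_string;
        struct lh_table *c_object;
    } o;
};

/* Unchecked accessor: returns whatever bits the union holds as a table
 * pointer. This is the pattern the advisory describes: an int or string
 * value gets handed around as if it were a struct lh_table. */
static struct lh_table *table_unchecked(const struct json_object *jo) {
    return jo->o.c_object;
}

/* Checked accessor: consults the tag and refuses any non-object value. */
static struct lh_table *table_checked(const struct json_object *jo) {
    if (jo == NULL || jo->o_type != JT_OBJECT) return NULL;
    return jo->o.c_object;
}

/* "Add a value to an object", written the safe way: the only route to the
 * table is the checked accessor, so wrong-typed objects are rejected. */
static int object_add_checked(struct json_object *jo, const char *key) {
    struct lh_table *t = table_checked(jo);
    if (t == NULL || key == NULL) return -1;  /* wrong type: reject */
    t->count++;                               /* stand-in for lh_table_insert */
    return 0;
}

/* Constructors keep the tag and the live union member in sync. */
static void init_int(struct json_object *jo, int64_t v) {
    memset(jo, 0, sizeof *jo);
    jo->o_type = JT_INT;
    jo->o.c_int64 = v;
}

static void init_object(struct json_object *jo, struct lh_table *t) {
    memset(jo, 0, sizeof *jo);
    jo->o_type = JT_OBJECT;
    jo->o.c_object = t;
}

/* Returns 1 if the unchecked path would treat an integer value as a table
 * pointer (non-NULL result from a JT_INT value). The pointer is observed,
 * never dereferenced. */
static int unchecked_path_confuses_int(int64_t v) {
    struct json_object jo;
    init_int(&jo, v);
    return table_unchecked(&jo) != NULL;
}

/* Returns -1 when the checked path rejects an integer posing as an object. */
static int checked_path_rejects_int(int64_t v) {
    struct json_object jo;
    init_int(&jo, v);
    return object_add_checked(&jo, "k");
}

/* Returns the table's entry count after one checked insert (1 on success). */
static int checked_path_accepts_object(void) {
    struct lh_table t = { 0, NULL };
    struct json_object jo;
    init_object(&jo, &t);
    if (object_add_checked(&jo, "k") != 0) return -1;
    return (int)t.count;
}

int main(void) {
    /* 4702111234474983745 is the integer from the PoC request on this page. */
    int64_t v = 4702111234474983745LL;
    printf("unchecked path yields a bogus table pointer: %d\n",
           unchecked_path_confuses_int(v));
    printf("checked path rejects the integer: %d\n",
           checked_path_rejects_int(v));
    printf("checked path accepts a real object: %d\n",
           checked_path_accepts_object());
    return 0;
}
```

The unchecked accessor returns a non-NULL "table" built from the integer's bytes, which is exactly what a later lh_table lookup would then dereference; the checked accessor returns NULL for the same input and the add routine fails closed. When auditing a tagged-union parser, the check to look for is that every consumer of c_object (and of c_array and c_string) tests o_type first rather than assuming the caller did.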

To reproduce the crash, issue the following curl request to the NAS:

curl -X POST -H "Content-Type: application/json" -d "4702111234474983745 {}" "{NAS_IP}:8080/cgi-bin/qid/qidRequestV2.cgi?param=value"

The discovery and subsequent disclosure of CVE-2023-39296 serve as a stark reminder of the ongoing cybersecurity challenges faced by NAS systems. As storage solutions become increasingly networked and accessible, they also become more vulnerable to sophisticated cyber-attacks.

For users and administrators of QNAP's QTS and QuTS hero systems, the revelation of CVE-2023-39296 is a call to action. Ensuring systems are updated to the latest versions is not just recommended; it is a necessity in safeguarding against such hidden, intricate vulnerabilities that lurk within the code.

Today, QNAP also published security advisories for 14 other vulnerabilities that impact multiple versions of the QTS operating system and applications on its network-attached storage (NAS) devices.