(Pwn2Own) QNAP TS-464 QR Code Device CRLF Injection Arbitrary Configuration Change Vulnerability

May 19th, 2024

Vulnerability Details

This vulnerability allows remote attackers to make arbitrary changes to configuration on affected installations of QNAP TS-464 NAS devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the privWizard API endpoints. The issue results from the lack of proper validation of a user-supplied string before using it to update configuration. An attacker can leverage this vulnerability to change the configuration of the system.
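The class of flaw described above, shown as an added example that is not QNAP's code or part of the original advisory: a line-oriented `key = value` configuration writer before and after validating the user-supplied string. The file format, key names, and function names are assumptions made for illustration.

```python
import re

# Constructed sample of a line-oriented "key = value" configuration file.
SAMPLE_CONF = "[System]\ndevice_name = nas01\nremote_admin = FALSE\n"

KEY_RE = re.compile(r"[A-Za-z0-9_]+")
MAX_VALUE_LEN = 256  # assumed limit for this example


def parse_conf(text):
    """Read key = value lines the way a simple line-based reader does (last wins)."""
    values = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def _write(text, key, value):
    """Replace any existing line for `key` and append the new one."""
    lines = [l for l in text.splitlines() if l.partition("=")[0].strip() != key]
    lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"


def set_value_unsafe(text, key, value):
    """Before: the value is written verbatim, so CR/LF inside it starts a new line."""
    return _write(text, key, value)


def set_value_checked(text, key, value):
    """After: validate the string before it is used to update configuration."""
    if not KEY_RE.fullmatch(key):
        raise ValueError("invalid key")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("value too long")
    # isprintable() is False for CR, LF, other control characters and the
    # Unicode line/paragraph separators, all of which can end a line.
    if not value.isprintable():
        raise ValueError("control or line-break character in value")
    return _write(text, key, value)


if __name__ == "__main__":
    crafted = "nas01\r\nremote_admin = TRUE"  # constructed input with embedded CRLF
    print(parse_conf(set_value_unsafe(SAMPLE_CONF, "device_name", crafted)))
    try:
        set_value_checked(SAMPLE_CONF, "device_name", crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation belongs at the point where the value is written, so that every endpoint that updates configuration goes through the same check.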

Additional Details

QNAP has issued an update to correct this vulnerability. More details can be found at:
https://www.qnap.com/en/security-advisory/qsa-24-09

Disclosure Timeline

  • 2023-11-09 - Vulnerability reported to vendor
  • 2024-05-19 - Coordinated public release of advisory
  • 2024-07-01 - Advisory Updated

Credit

LJP (@ljp_tw) and YingMuo (@YingMuo), working with DEVCORE Internship Program
