A privileged user can obtain remote code execution on Q’center through a manipulated QPKG installation package.
“Q’center now provides Q’center Virtual Appliance that allows you to deploy Q’center in virtual environments such as Microsoft Hyper-V or VMware ESXi, Fusion and Workstation. Using Q’center as a virtual appliance further increases its flexibility and connectivity for large environments, as you no longer need a local QNAP NAS to monitor other NAS and can use an existing central server to monitor every NAS unit.” For more information visit https://www.qnap.com/solution/qcenter.
QNAP Q’center, a central management platform that enables to consolidate the management of multiple QNAP NAS, allows to upload and install QPKG packages.
“A QPKG file makes it easy for anyone to install and remove packages. It also gives a package maintainer almost total control on how the package is installed on the NAS.” from QPKG Development Guidelines.
By opening a QPKG file with a hex editor it’s immediately clear that the structure is composed by an initial script ending with
exit 10 followed by a tar.gz archive.
As the initial script seems to rule the archive extraction it is legitimate to think that it is extracted from the QPKG file and executed to extract what follows.
Q’center is available as a WMware appliance and it is possible to easily extract the Python code from its disk. The following script
/opt/qnap-cms/qnap-cms/python/hawkeye/patch.py was extracted from it and it responbile to check a QKPG when it is uploaded to the Q’center.
The function extracts the update file (a tar.gz containing the QPKG one) at  and , then it executes the system command
As stated before the QPKG file could be interpreted as a shell script, so its content is executed on the Q’center instance, allowing to execute arbitrary commands on it.
The complete PoC code can be found on this repo.
A privilege attacker could obtain command execution on a Q’center instance.
Our tests targeted the QNAP Q’center Virtual Appliance, and this vulnerability was identified in version 1.12.1014.
After reporting the vulnerability to QNAP they declared as patched the following QTS versions so we assume that the vulnerability affected both QTS and Q’center:
(Note: we didn’t verify the patches.)
This report was subject to Shielder’s disclosure policy:
`zi0Black` of Shielder
This advisory was first published on https://www.shielder.com/advisories/qnap-qcenter-post-auth-remote-code-execution-via-qpkg/
3 June 2021