CVE-2019-7194
Published 2019-12-05
Priority: P196 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-22
Exploited in the wild
EPSS: 82.97% (99.6th percentile)
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | photo_station | < 6.0.3 | 6.0.3 |
| qnap | photo_station | < 5.7.10 | 5.7.10 |
| qnap | photo_station | < 5.4.9 | 5.4.9 |
| qnap | photo_station | < 5.2.11 | 5.2.11 |
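The four ranges above are four separately patched release lines, so a scanner that applies a single `version < 6.0.3` comparison marks the patched 5.7.10, 5.4.9 and 5.2.11 builds as vulnerable. The following branch-aware check is an added example written for this page (not QNAP's or any scanner's code); the release-line table is taken from the ranges above, and the version-string format (dotted integers) is an assumption.

```python
"""Branch-aware affected-version check for CVE-2019-7194 (added example, not from the page)."""

# (major, minor) release line -> first fixed version on that line, from the table above
FIXED_BY_BRANCH = {
    (6, 0): (6, 0, 3),
    (5, 7): (5, 7, 10),
    (5, 4): (5, 4, 9),
    (5, 2): (5, 2, 11),
}


def parse_version(text):
    """'5.7.10' -> (5, 7, 10). Assumes plain dotted-integer version strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version):
    """True/False for a version on a covered release line; None if the line is not in the advisory."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None  # e.g. 5.8.x is not listed: do not assume safe or vulnerable
    return v < fixed


def naive_is_vulnerable(version):
    """The single-range test many scanners apply: 'anything below 6.0.3' (wrong for 5.x fixes)."""
    return parse_version(version) < (6, 0, 3)


if __name__ == "__main__":
    for ver in ("6.0.2", "6.0.3", "5.7.9", "5.7.10", "5.4.9", "5.8.1"):
        print(f"{ver:7} branch-aware={is_vulnerable(ver)!s:5} naive={naive_is_vulnerable(ver)}")
```

The `None` return for an unlisted release line is deliberate: treat it as "needs manual confirmation" rather than silently folding it into either bucket.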
Detection & IOCs (extracted from sources)
- url: /photo/p/api/album.php
- url: /photo/slideshow.php
- url: /photo/p/api/video.php
- url: /cgi-bin/authLogin.cgi
- url: /cgi-bin/userConfig.cgi
- path: ../../../../../share/Multimedia/.@__thumb/ps.app.token
- path: /mnt/ext/opt/photostation2/
- cookie: QMS_SID=../../../../../../../../../../mnt/ext/opt/photostation2/<dropper>.php
- Detect path traversal sequences in the `filename` POST parameter to /photo/p/api/video.php targeting ps.app.token
- Detect directory traversal sequences (../../) in the QMS_SID cookie value on requests to /photo/slideshow.php
- Alert on unauthenticated POST to /photo/p/api/album.php with parameters a=setSlideshow&f=qsamplealbum, the first step of the exploit chain
- Alert on POST to /cgi-bin/authLogin.cgi with app=PHOTO_STATION&auth=1&app_token=, which indicates token-based auth abuse following LFI of ps.app.token
- Alert on POST to /cgi-bin/userConfig.cgi with func=addPersonalSmtp, used to inject a PHP payload via an SMTP config field
- An HTTP 200 response containing the string 'NASVARS' from /photo/<dropper>.php indicates successful PHP dropper execution
- The Metasploit module was tested on QTS 4.3.3 (Photo Station version unknown) and QTS 4.3.6 with Photo Station 5.7.9; flag these version strings in banner/response fingerprinting
- The exploit is a multi-step chain (7 HTTP requests); detecting any single step in isolation may produce false positives, so correlate across the full sequence for high-fidelity alerting.
- The dropper PHP filename is randomly generated (6 lowercase alpha characters); pattern-match on short random .php filenames under /photo/ rather than on a fixed filename.
- The QNAP HTTP server runs as root, so the LFI can expose SSH private keys and password hashes; scope the forensic investigation accordingly.
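The detection notes above describe per-request indicators and then warn that single hits are noisy. The script below is an added example written for this page (it is not from the page, from any vendor, or from a published detection rule): it encodes the six indicators as matchers and correlates them per source address inside a time window, so that the low-fidelity steps (album.php, authLogin.cgi, userConfig.cgi) only alert in sequence while the traversal indicators alert on their own. The event schema, the window and step thresholds, the dropper name `kfjdqa.php` and all sample events are constructed for the example; the SMTP payload field name is not given on the page and is therefore not matched.

```python
"""Correlate the CVE-2019-7194 exploit chain across HTTP access events (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# "../" raw, URL-encoded, or double-encoded (parse_qs/unquote strip one layer).
TRAVERSAL = re.compile(r"(?:\.\.[/\\]|%2e%2e%2f|%252e%252e%252f)", re.IGNORECASE)
# Dropper name per the page: six lowercase alpha characters directly under /photo/.
DROPPER_PATH = re.compile(r"^/photo/[a-z]{6}\.php$")
# Steps that are unambiguous on their own; the rest only mean something in sequence.
HIGH_CONFIDENCE = {"qms_sid_traversal", "video_lfi_token", "dropper_executed"}


def _cookies(header):
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = unquote(value)
    return out


def classify(ev):
    """Return the chain step an event matches, or None."""
    method, path = ev.get("method", ""), ev.get("path", "")
    params = parse_qs(ev.get("body", ""), keep_blank_values=True)  # keeps 'app_token='
    cookies = _cookies(ev.get("cookie", ""))

    def first(name):
        return params.get(name, [""])[0]

    if method == "POST" and path == "/photo/p/api/album.php" \
            and first("a") == "setSlideshow" and first("f") == "qsamplealbum":
        return "album_setslideshow"
    if path == "/photo/slideshow.php" and TRAVERSAL.search(cookies.get("QMS_SID", "")):
        return "qms_sid_traversal"
    if method == "POST" and path == "/photo/p/api/video.php":
        filename = first("filename")
        if TRAVERSAL.search(filename) and "ps.app.token" in filename:
            return "video_lfi_token"
    if method == "POST" and path == "/cgi-bin/authLogin.cgi" and first("app") == "PHOTO_STATION" \
            and first("auth") == "1" and "app_token" in params:
        return "authlogin_token_abuse"
    if method == "POST" and path == "/cgi-bin/userConfig.cgi" and first("func") == "addPersonalSmtp":
        return "smtp_config_inject"
    if DROPPER_PATH.match(path) and ev.get("status") == 200 and "NASVARS" in ev.get("resp", ""):
        return "dropper_executed"
    return None


def correlate(events, window=900, min_steps=3):
    """Per-source alerts: 'high' for >= min_steps distinct steps within `window` seconds or a
    dropper hit; 'medium' for a lone high-confidence step; nothing for lone low-confidence steps.
    Thresholds are this example's choices, not the page's."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        step = classify(ev)
        if step:
            hits[ev["src"]].append((ev["ts"], step))
    alerts = {}
    for src, seq in hits.items():
        best = set()
        for i, (start, _) in enumerate(seq):  # slide a window anchored at each hit
            in_window = {s for t, s in seq[i:] if t - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_steps or "dropper_executed" in best:
            severity = "high"
        elif best & HIGH_CONFIDENCE:
            severity = "medium"
        else:
            continue
        alerts[src] = {"severity": severity, "steps": sorted(best)}
    return alerts


# Constructed sample: one full chain, one legitimate admin, one bare probe.
SAMPLE_EVENTS = [
    {"ts": 1000, "src": "203.0.113.7", "method": "POST", "path": "/photo/p/api/album.php",
     "body": "a=setSlideshow&f=qsamplealbum", "status": 200},
    {"ts": 1005, "src": "203.0.113.7", "method": "GET", "path": "/photo/slideshow.php",
     "cookie": "QMS_SID=../../../../../../../../../../mnt/ext/opt/photostation2/kfjdqa.php", "status": 200},
    {"ts": 1010, "src": "203.0.113.7", "method": "POST", "path": "/photo/p/api/video.php",
     "body": "filename=..%2F..%2F..%2F..%2F..%2Fshare%2FMultimedia%2F.%40__thumb%2Fps.app.token", "status": 200},
    {"ts": 1015, "src": "203.0.113.7", "method": "POST", "path": "/cgi-bin/authLogin.cgi",
     "body": "app=PHOTO_STATION&auth=1&app_token=", "status": 200},
    {"ts": 1020, "src": "203.0.113.7", "method": "POST", "path": "/cgi-bin/userConfig.cgi",
     "body": "func=addPersonalSmtp", "status": 200},
    {"ts": 1030, "src": "203.0.113.7", "method": "GET", "path": "/photo/kfjdqa.php",
     "status": 200, "resp": "NASVARS={}"},
    {"ts": 2000, "src": "198.51.100.2", "method": "GET", "path": "/photo/slideshow.php",
     "cookie": "QMS_SID=3f9a1c2e7b", "status": 200},
    {"ts": 2100, "src": "198.51.100.2", "method": "POST", "path": "/cgi-bin/userConfig.cgi",
     "body": "func=addPersonalSmtp", "status": 200},
    {"ts": 3000, "src": "192.0.2.9", "method": "POST", "path": "/photo/p/api/album.php",
     "body": "a=setSlideshow&f=qsamplealbum", "status": 200},
]

if __name__ == "__main__":
    for src, alert in correlate(SAMPLE_EVENTS).items():
        print(src, alert["severity"], ", ".join(alert["steps"]))
```

Run as-is it reports only 203.0.113.7 as high with all six steps; the admin who legitimately changes SMTP settings and the scanner that only sends the album.php probe produce no alert, which is the false-positive behaviour the note above asks for. Feed it real events by mapping your log fields (timestamp, client address, method, path, request body, Cookie header, status, response excerpt) onto the same dict keys.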
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
CISA
QNAP Photo Station Path Traversal Vulnerability
cisa · 2022-06-08 · CVSS 9.8
CVE-2019-7194 [CRITICAL] CWE-22 QNAP Photo Station Path Traversal Vulnerability
Vulnerability: QNAP Photo Station Path Traversal Vulnerability
Affected: QNAP Photo Station
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-7194
Remediation Due Date: 2022-06-22
GHSA
GHSA-4wch-cg8h-vqc6: This external control of file name or path vulnerability allows remote attackers to access or modify system files
ghsa (unreviewed) · 2022-05-24
CVE-2019-7194 [HIGH] CWE-22 GHSA-4wch-cg8h-vqc6: This external control of file name or path vulnerability allows remote attackers to access or modify system files
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
VulnCheck
QNAP Photo Station Path Traversal Vulnerability
vulncheck · 2019 · CVSS 9.8
CVE-2019-7194 [CRITICAL] CWE-22 QNAP Photo Station Path Traversal Vulnerability
QNAP Photo Station Path Traversal Vulnerability
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Affected: QNAP Photo Station
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cyber.nj.gov/alerts-advisories/ech0raix-ransomware-targets-qnap-devices-in-recent-campaign; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://www.cisa.gov/uscert/ncas/alerts/aa22-158a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cisa.gov/news-events/cybersecurity-advisories/aa22-158a; https://www.greynoise.io/blog/
No detection rules found.
Nuclei
QNAP Photo Station < 6.0.3 - Remote Code Execution
nuclei · CVSS 9.8
CVE-2019-7194 [CRITICAL] QNAP Photo Station < 6.0.3 - Remote Code Execution
Template excerpt (the source cuts off after step 2; the `variables:` key required by nuclei's template syntax is restored, and the blank line separating headers from the POST body is added):

```yaml
variables:
  dropper_filename: "{{to_lower(rand_text_alpha(6))}}"
  username: "{{to_lower(rand_text_alphanumeric(6))}}"
  email_account: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com"
  email_passwd: "{{rand_text_alphanumeric(12)}}"

flow: |
  http(1) && http(2) && http(3) && http(4) && http(5) && http(6) && http(7)

http:
  # Step 1: Set up a fake album slideshow to obtain a usable album_id
  - raw:
      - |
        POST /photo/p/api/album.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        a=setSlideshow&f=qsamplealbum
    extractors:
      - type: regex
        name: album_id
        group: 1
        internal: true
        regex:
          - "([a-zA-Z0-9]+)"
  # Step 2: Use album_id to get access_code and PHPSESSID from slideshow.php
  - raw:
      - |
        GET /photo/slideshow.php?album={{album_id}} HTTP/1.1
        Host: {{Hostname}}
```
Metasploit
QNAP QTS and Photo Station Local File Inclusion
metasploit
QNAP QTS and Photo Station Local File Inclusion
This module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9.
References:
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7194
Timeline
- 2019-12-05: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild