CVE-2019-7195
Published: 2019-12-05
Priority: P1 97, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 89.68% (99.8th percentile)
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommends updating Photo Station to the latest version.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | photo_station | < 6.0.3 | 6.0.3 |
| qnap | photo_station | < 5.7.10 | 5.7.10 |
| qnap | photo_station | < 5.4.9 | 5.4.9 |
| qnap | photo_station | < 5.2.11 | 5.2.11 |
Detection & IOCs (extracted from sources)
- url: /photo/p/api/album.php
- url: /photo/slideshow.php
- url: /photo/p/api/video.php
- path: .%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

- Exploit chain uses three sequential HTTP requests: (1) POST to /photo/p/api/album.php with a=setSlideshow to create an album, (2) GET to /photo/slideshow.php to extract album_id and access_code, (3) POST to /photo/p/api/video.php with path traversal payload in the 'filename' parameter targeting /etc/passwd.
- Successful exploitation of the path traversal is confirmed when the response body contains 'admin:' (passwd file content) and the Content-Type header includes both 'video/subtitle' and 'filename='.
- The module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9; the HTTP server runs as root, enabling access to SSH private keys and password hashes.
- Shodan queries can be used to identify exposed QNAP Photo Station instances: search for content-length '580' with 'http server 1.0', or HTTP title 'photo station' or 'qnap'.
- The exploit requires a multi-step authentication bypass chain (CVE-2019-7192 album creation + CVE-2019-7195 path traversal); the album_id and access_code extracted from intermediate responses are required parameters for the final traversal request.
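
A log-side check for the three-request sequence listed above, as an added example (not code from any of the sources indexed on this page). It assumes combined-format web access logs; the function names, the 60-second window and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# The three request steps listed above, in order.
CHAIN = [("POST", "/photo/p/api/album.php"),
         ("GET", "/photo/slideshow.php"),
         ("POST", "/photo/p/api/video.php")]
# Combined log format: ip - - [time] "METHOD uri HTTP/x" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, uri.split("?", 1)[0]  # drop query string

def find_chains(lines, window=timedelta(seconds=60)):
    """Return (ip, first_ts, last_ts) for every chain completed in order."""
    progress, hits = {}, []  # progress: ip -> (next step, time of step 1)
    for rec in filter(None, map(parse, lines)):
        ip, ts, method, path = rec
        step, started = progress.get(ip, (0, None))
        if step and ts - started > window:
            step, started = 0, None        # partial chain went stale
        if (method, path) == CHAIN[step]:
            started, step = started or ts, step + 1
            if step == len(CHAIN):
                hits.append((ip, started, ts))
                step, started = 0, None
        elif (method, path) == CHAIN[0]:
            step, started = 1, ts          # chain restarted from step 1
        progress[ip] = (step, started)
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2022:10:00:01 +0000] "POST /photo/p/api/album.php HTTP/1.1" 200 312
203.0.113.7 - - [08/Jun/2022:10:00:02 +0000] "GET /photo/slideshow.php?t=1 HTTP/1.1" 200 5090
203.0.113.7 - - [08/Jun/2022:10:00:03 +0000] "POST /photo/p/api/video.php HTTP/1.1" 200 1843
192.0.2.9 - - [08/Jun/2022:10:05:00 +0000] "POST /photo/p/api/album.php HTTP/1.1" 200 300
192.0.2.9 - - [08/Jun/2022:10:09:00 +0000] "GET /photo/slideshow.php HTTP/1.1" 200 5000
192.0.2.9 - - [08/Jun/2022:10:09:01 +0000] "POST /photo/p/api/video.php HTTP/1.1" 200 90
""".splitlines()

if __name__ == "__main__":
    for ip, first, last in find_chains(SAMPLE_LOG):
        print(f"{ip}: full request chain between {first} and {last}")
```

Access logs normally do not record POST bodies, so this correlates the request order per client rather than the 'filename' value itself; inspecting the body is what the Suricata rule further down the page does.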
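CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |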
CISA
QNAP Photo Station Path Traversal Vulnerability
cisa·2022-06-08·CVSS 9.8
CVE-2019-7195 [CRITICAL] CWE-22 QNAP Photo Station Path Traversal Vulnerability
Vulnerability: QNAP Photo Station Path Traversal Vulnerability
Affected: QNAP Photo Station
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-7195
Remediation Due Date: 2022-06-22
GHSA
GHSA-5h7g-3542-fw4q: This external control of file name or path vulnerability allows remote attackers to access or modify system files
ghsa_unreviewed·2022-05-24
CVE-2019-7195 [HIGH] CWE-22 GHSA-5h7g-3542-fw4q: This external control of file name or path vulnerability allows remote attackers to access or modify system files
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommends updating Photo Station to the latest version.
VulnCheck
QNAP Photo Station Path Traversal Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-7195 [CRITICAL] CWE-22 QNAP Photo Station Path Traversal Vulnerability
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Affected: QNAP Photo Station
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.cyber.nj.gov/alerts-advisories/ech0raix-ransomware-targets-qnap-devices-in-recent-campaign
- https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf
- https://www.cisa.gov/uscert/ncas/alerts/aa22-158a
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://cisa.gov/news-events/cybersecurity-advisories/aa22-158a
- https://www.greynoise.io/blog/
Suricata
ET EXPLOIT QNAP Photo Station Path Traversal Attempt Inbound (CVE-2019-7195)
suricata·2022-08-31·CVSS 9.8
CVE-2019-7195 [CRITICAL] ET EXPLOIT QNAP Photo Station Path Traversal Attempt Inbound (CVE-2019-7195)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT QNAP Photo Station Path Traversal Attempt Inbound (CVE-2019-7195)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/photo/p/api/video.php"; fast_pattern; http.request_body; content:"filename|27 3a 20 27|"; content:"./."; within:4; reference:cve,2019-7195; classtype:attempted-admin; sid:2038698; rev:2; metadata:created_at 2022_08_31, cve CVE_2019_7195, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique
Nuclei
QNAP Photo Station - Path Traversal
nuclei·CVSS 9.8
CVE-2019-7195 [CRITICAL] QNAP Photo Station - Path Traversal
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Template:

```yaml
id: CVE-2019-7195

info:
  name: QNAP Photo Station - Path Traversal
  author: s4e-io
  severity: critical
  description: |
    QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
  impact: |
    Unauthenticated attackers can exploit path traversal to access or modify system files, potentially reading sensitive configuration files and credentials.
  remediation: |
    Upgrade to QNAP Photo Station version that addresses this vulnerability or apply vendor-provided patches.
  reference:
    - https://cycrafttechno
```
Metasploit
QNAP QTS and Photo Station Local File Inclusion
metasploit
This module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7195
- 2019-12-05: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild