Walter way to create a zero day exploit. A.K.A. QNAP sucks at security
-
Maybe you've heard, but QNAP are having a pretty bad time right now. They've had a seemingly endless stream of zero day exploits for their NAS devices, which have left people getting hijacked, losing data, or wondering why their NAS is slow, due to the fact that hackers are using them to mine bitcoin, join bot networks, ransom their data, etc.
That's all been pretty bad, but I didn't really think it was interesting enough to post about. Then this happened...
https://forum.qnap.com/viewtopic.php?f=45&t=160849&start=450#p788325
The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of code with the word "walter".
"pwd_plain": "walter" "admin_pwd": "walter" NAS_PWD=walter SERVER_PLAIN_PWD=walter enc_pwd = 'RWxKZEJRUUk=' # enc 'walter" then b64 'enc_pwd': 'VAEC' # --> 'walter' --> fw ecrypted 'enc_pwd': 'ElJdBQQI' # --> 'walter' --> fw decrypted "name": "waltershao"
Yup, this guy has hard coded admin credentials into the code that can then be used to pwn your NAS. Luckily this guy has been kind enough to also include 2 of his email addresses in the source code ;-)
So, that's all pretty funny, some boneheaded developer leaves very harmful code in a production release. You'd be forgiven for thinking it's an easy mistake to make if he's an inexperienced, perhaps junior developer, or someone fresh out of university? Sadly no. This guy has been the technical manager of QNAP since 2013.
-
Some of the later posts in that thread suggest that the hardcoded passwords may only be in commented code, but :who_nose: what's actually true
-
These kinds of things do wonders for my impostor syndrome.
-
@DoctorJones
I keep reading the config file you posted in Mike Ehrmantraut's voice.
-
@DoctorJones said in Walter way to create a zero day exploit. A.K.A. QNAP sucks at security:
You'd be forgiven for thinking it's an easy mistake to make if he's an inexperienced, perhaps junior developer, or someone fresh out of university? Sadly no. This guy has been the technical manager of QNAP since 2013.
got promoted...
-
@homoBalkanus said in Walter way to create a zero day exploit. A.K.A. QNAP sucks at security:
These kinds of things do wonders for my impostor syndrome.
You can fix that for permanent by standing a few complete production systems.
The next step is to stagnate for a few decades and become a doorstop, traditionally.
-
@homoBalkanus said in Walter way to create a zero day exploit. A.K.A. QNAP sucks at security:
These kinds of things do wonders for my impostor syndrome.
I've got a confession to make: I don't actually have impostor syndrome - I've been faking it!
-
@DoctorJones said in Walter way to create a zero day exploit. A.K.A. QNAP sucks at security:
So, that's all pretty funny, some boneheaded developer leaves very harmful code in a production release. You'd be forgiven for thinking it's an easy mistake to make if he's an inexperienced, perhaps junior developer, or someone fresh out of university?
My experience says otherwise.
Sadly no. This guy has been the technical manager of QNAP since 2013.
Yep, sounds about right. Orv at b least in line with experience.