Worm Exploits Shellshock Bug In QNAP Network-Attached Storage Systems

Worm Exploits Shellshock bug
Security researchers from Sans Institute have discovered a shellshock worm, which exploits QNAP Network-attached storage systems in the wild.

QNAP is a Taiwan-based firm that provides network solutions for file sharing, virtualization, storage management and surveillance applications to address corporate, SMB, SOHO and home user needs.

Researchers says that the Shellshock is far from "over", with many devices still not patched and out there ready for exploitation. QNAP released a patch in october and many users are still not applied it.

About The Attack


The attack targets a QNAP CGI script, "/cgi-bin/authLogin.cgi", a well known vector for Shellshock on QNAP devices . This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware.

"This appears to implement a click fraud script against advertisement network 'JuiceADV'," Johannes B. Ullrich, dean of research at Sans, wrote. " A one liner shell script uploading part of /var/etc/CCcam.cfg to ppoolloo.altervista.com . My test QNAP system does not have this file, so I am not sure what they are after."

The script sets the DNS server to, creates an SSH server on port 26, adds an admin user called "request", downloads and copies a script to cgi-bin: armgH.cgi and exo.cgi and modifies autorun.sh to run the backdoors on reboot. Finally, the script downloads and installs the Shellshock patch from QNAP and reboot the device.

The Infected devices have been observed scanning for other vulnerable devices to spread the worm.

No comments

Powered by Blogger.