QNAP MusicStation and MalwareRemover are affected by arbitrary file upload and command injection vulnerabilities, leading to pre-authentication remote command execution with root privileges on the NAS.
dddda20f7202ce5358af06526c5259d1f75a28b841ba2fcc6fd3fd23682bb880
QNAP MusicStation (5M+ installs) and MalwareRemover (pre-installed and
"non-removable") official apps are affected by an arbitrary file upload
and a command injection vulnerabilities, leading to pre-auth remote
command execution with root privileges on the NAS.
QNAP has already released updates with patches in April.
The technical details are available at
https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/
--
polict
Research team director @ Shielder Srl
polict@shielder.it