[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] QNAP MusicStation/MalwareRemover Pre-Auth Root Remote Code Execution
From: polict of Shielder via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2021-05-27 15:23:58
Message-ID: d6913727-5460-2d54-41ab-ef895a92fedb () shielder ! it
[Download RAW message or body]
QNAP MusicStation (5M+ installs) and MalwareRemover (pre-installed and
"non-removable") official apps are affected by an arbitrary file upload
and a command injection vulnerabilities, leading to pre-auth remote
command execution with root privileges on the NAS.
QNAP has already released updates with patches in April.
The technical details are available at
https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/
--
polict
Research team director @ Shielder Srl
polict@shielder.it
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic