Information

Vendor: ZSPACE

Affected products: Q2C NAS ≤ v1.1.0210050

Vendor Homepage: https://www.zspace.cn/

Vendor contact information: https://www.zspace.cn/about/ - kf@zspace.cn

Description

A vulnerability in the ZSPACE Q2C NAS device (firmware version ≤ v1.1.0210050) allows remote command execution (RCE). By sending specially crafted POST requests to the /v2/file/safe/status interface, a remote attacker can inject and execute arbitrary commands on the target device, gaining root privileges and taking complete control of the victim's NAS device.

Details

In the binary file /zspace/applications/services/zfilev2/zfilev2, the corresponding handler function for the /v2/file/safe/status interface is zfilev2_api.SafeStatus.


The zfilev2_api.SafeStatus function reads the value of the safe_dir field from the POST request and cleans it. The cleaned value must then pass the zfilev2_pkg_zfspath_PathIsSnapshot check; otherwise an error is reported.


In the zfilev2_pkg_zfspath_PathIsSnapshot function, the /tmp/zfsv3 prefix (if present) is first removed, and then regular expression matching is performed.


The regular expression for matching is as follows: ^/(sata\d+|nvme\d+|esata\d+)/snapshot/ . The value must conform to this format, for example, /sata11/snapshot/.


Next, /cipher/gocryptfs.conf is appended to the safe_dir value, and the existence of the resulting path is checked.
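An added example (not the vendor's code and not part of the original advisory): a Go reconstruction of the check as described above, next to a hypothetical stricter validator, showing that a pattern anchored only at the start constrains nothing after /snapshot/. The use of path.Clean for the "clean process", the function names, the strict pattern and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Pattern as given in the advisory: anchored at the start only.
var prefixOnly = regexp.MustCompile(`^/(sata\d+|nvme\d+|esata\d+)/snapshot/`)

// Hypothetical stricter pattern: anchored at both ends, with every path
// component after /snapshot limited to a conservative character allowlist.
var strict = regexp.MustCompile(`^/(sata|nvme|esata)\d+/snapshot(/[A-Za-z0-9._-]+)+$`)

// normalize mirrors the described pre-processing: clean the path
// (path.Clean is an assumption) and drop a leading /tmp/zfsv3.
func normalize(safeDir string) string {
	return strings.TrimPrefix(path.Clean(safeDir), "/tmp/zfsv3")
}

// describedCheck reconstructs the validation from the advisory's prose.
func describedCheck(safeDir string) bool {
	return prefixOnly.MatchString(normalize(safeDir))
}

// strictCheck (hypothetical hardening) validates the whole normalized string.
func strictCheck(safeDir string) bool {
	return strict.MatchString(normalize(safeDir))
}

func main() {
	// Constructed sample values, not taken from the advisory.
	samples := []string{
		"/sata11/snapshot/backup",
		"/tmp/zfsv3/nvme0/snapshot/backup",
		"/sata11/snapshot/a;b", // shell metacharacter after the prefix
		"/sata11/snapshot/a b", // whitespace after the prefix
		"/sata11/other/backup", // wrong layout
	}
	for _, s := range samples {
		fmt.Printf("%-36q described=%-5v strict=%v\n",
			s, describedCheck(s), strictCheck(s))
	}
}
```

Full-string validation of this kind is a defence in depth; a value that later reaches a command should also be passed as a separate argument rather than through a shell string.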