Information

Vendor: ZSPACE

Affected products: Q2C NAS ≤ v1.1.0210050

Vendor Homepage: https://www.zspace.cn/

Vendor contact information: https://www.zspace.cn/about/ - kf@zspace.cn

Description

An unauthorized remote command execution (RCE) vulnerability exists in the ZSPACE Q2C NAS device (firmware version ≤ v1.1.0210050). An attacker can inject and execute arbitrary commands on the remote target device by sending a specially crafted POST request to the /v2/file/safe/close interface, with no authorization verification required. This allows the attacker to gain root privileges on the remote device and take complete control of the victim's NAS.

Details

In the binary file /zspace/applications/services/zfilev2/zfilev2, the corresponding handler function for the /v2/file/safe/close interface is zfilev2_api.CloseSafe.

In the zfilev2_api.CloseSafe function, the value of the safe_dir field passed in the POST request is obtained and then cleaned. The cleaned value must then pass the check in the zfilev2_pkg_zfspath_PathIsSnapshot function; otherwise an error is reported.

In the zfilev2_pkg_zfspath_PathIsSnapshot function, the /tmp/zfsv3 prefix (if present) is first removed, and then regular expression matching is performed.

The regular expression used for matching is as follows: ^/(sata\d+|nvme\d+|esata\d+)/snapshot/ . The path must conform to this format, for example, /sata11/snapshot/ .

After this check passes, the safe_dir field is ultimately appended to a command and executed without any filtering.
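
The pattern above is anchored only at the start of safe_dir, so everything after /snapshot/ reaches the command unchecked. The Go sketch below is an added example, not code from the vendor's binary: prefixOnlyCheck models the check as described, and strictCheck is a hypothetical hardened replacement. The function names, the use of path.Clean for the cleaning step, and the allowed character set are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Pattern as given in the advisory: anchored at the start only.
var prefixRe = regexp.MustCompile(`^/(sata\d+|nvme\d+|esata\d+)/snapshot/`)

// Hypothetical hardened pattern (assumption): anchored at both ends, with each
// path component limited to letters, digits, '.', '_' and '-'.
var strictRe = regexp.MustCompile(`^/(sata\d+|nvme\d+|esata\d+)/snapshot(/[A-Za-z0-9._-]+)+$`)

// normalize mirrors the steps the advisory describes: clean the path
// (modelled here with path.Clean), then drop a leading /tmp/zfsv3 if present.
func normalize(safeDir string) string {
	return strings.TrimPrefix(path.Clean(safeDir), "/tmp/zfsv3")
}

// prefixOnlyCheck models the check described in the advisory.
func prefixOnlyCheck(safeDir string) bool {
	return prefixRe.MatchString(normalize(safeDir))
}

// strictCheck validates the whole value, not just its prefix.
func strictCheck(safeDir string) bool {
	return strictRe.MatchString(normalize(safeDir))
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	samples := []string{
		"/sata11/snapshot/docs",
		"/tmp/zfsv3/nvme0/snapshot/a.b-c",
		"/sata11/snapshot/x;y", // shell metacharacter after the valid prefix
		"/sata11/snapshot/x y", // whitespace after the valid prefix
		"/sata11/snapshot/../x",
		"/etc/snapshot/x",
	}
	for _, s := range samples {
		fmt.Printf("%-36q prefix-only=%-5v strict=%v\n", s, prefixOnlyCheck(s), strictCheck(s))
	}
}
```

Input validation of this kind is a second line of defence. Passing the validated path to the child process as a separate argument, rather than concatenating it into a shell command string, keeps the value from being interpreted by a shell at all.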