Vendor: ZSPACE
Affected products: Q2C NAS ≤ v1.1.0210050
Vendor Homepage: https://www.zspace.cn/
Vendor contact information: https://www.zspace.cn/about/ - kf@zspace.cn
The ZSPACE Q2C NAS contains a vulnerability that allows for the leakage and modification of arbitrary files within the internal system. This vulnerability stems from lax checks on symbolic links within external USB devices. Attackers can create a symlink to its root directory, insert the drive into the NAS device's slot, and then access the USB drive's directory mounted on the NAS using Samba protocol. This allows them to obtain all files within the NAS system and tamper with those files.
Format the USB drive to ext4 format, and then create a symbolic link within it, such as sudo ln -s / rootdir, to create a symbolic link to the root directory.
Then insert the USB flash drive into the external USB slot of the NAS device, and for example, enable the Samba service to directly access all directories and files of the device's internal system.
Moreover, it's not just about leaking files and it's also possible to tamper with files inside the NAS system using the Samba service, because symbolic links will follow.
Afterwards, by checking this system file on the device, we can find that it has also been modified.
NASchecker