A local password denial of service vulnerability was discovered by Luis Martinez in the QNAP QVR Professional Video Management Solution Client 220.127.116.11070 on Windows 10 Pro x64 es. The vulnerability was found to return a denial of service response when a clipboard password was entered. This vulnerability causes the software to crash preventing it from performing the functions and services it is intended to carry out for the user. A CVE code has not been assigned to the vulnerability as of yet and no mitigation or update patch has been released to resolve the issue.
The QNAP QVR version 5.1 client is a professional video management system for high resolution and fisheye security footage, accessible for viewing all in one window. The QVR system allows users to manage and monitor several IP identifiable cameras in a live view through a web browser in real time. The client allows users to control and zero in using the PTZ, fixed, and fisheye 360 surround cameras to keep a thorough and flexible eye on the scenes at hand. A smart recording feature increases video resolution transmitted when alarms are triggered, an intuitive playback mode pinpoints the distress point in a recorded footage, and the dual recording feature saves footage in HD 30fps locally even though the limited internet bandwidth is only able to transmit VHD 5fps at the time. Through the benefit of this thorough user interface, the QNAP QVR system is a popular security system integrated into many stores, homes, and offices for the ease of access that it serves.
According to Luis Martinez, if the following steps are carried out, a user can reproduce the password denial of access crash. This first requires running the python code “python QNap_QVR_Client_18.104.22.168070.py” (a plain text file with 279 letters) and then opening the QNap_QVR_Client_22.214.171.124070.txt file to copy the content to the clipboard. Next, opening QVR.exe > IP address in 10.10.10.1 / 80, enter the username as “admin” and paste the clipboard into the password dialogue box. Pressing okay then crashes the system. This occurs as the password entered is too long.
Since this is a local vulnerability, it becomes dangerous if the user’s credentials are not well protected or if the system is infected with malware that is able to elevate permissions and run arbitrary commands to execute this procedure.
Upon hearing from the Technical PR Manager of QNAP Marketing, Michael Wang, we were informed that the clipboard password DoS is “only a PC-side software bug without any surveillance server-side interruption or sensitive data leak concerns.” We were ensured that “while the PC client (for viewing surveillance video) is crashed, the surveillance server (for recording, located separately on our HW product) runs as usual and no interruptions occur.”