QNAP QVR Security Client 5.1 Found Vulnerable to Clipboard Password DoS

A local password denial of service vulnerability was discovered by Luis Martinez in the QNAP QVR Professional Video Management Solution Client 5.1.1.30070 on Windows 10 Pro x64 es. The vulnerability was found to return a denial of service response when a clipboard password was entered. This vulnerability causes the software to crash preventing it from performing the functions and services it is intended to carry out for the user. A CVE code has not been assigned to the vulnerability as of yet and no mitigation or update patch has been released to resolve the issue.

The QNAP QVR version 5.1 client is a professional video management system for high resolution and fisheye security footage, accessible for viewing all in one window. The QVR system allows users to manage and monitor several IP identifiable cameras in a live view through a web browser in real time. The client allows users to control and zero in using the PTZ, fixed, and fisheye 360 surround cameras to keep a thorough and flexible eye on the scenes at hand. A smart recording feature increases video resolution transmitted when alarms are triggered, an intuitive playback mode pinpoints the distress point in a recorded footage, and the dual recording feature saves footage in HD 30fps locally even though the limited internet bandwidth is only able to transmit VHD 5fps at the time. Through the benefit of this thorough user interface, the QNAP QVR system is a popular security system integrated into many stores, homes, and offices for the ease of access that it serves.

According to Luis Martinez, if the following steps are carried out, a user can reproduce the password denial of access crash. This first requires running the python code “python QNap_QVR_Client_5.1.1.30070.py” and then opening the QNap_QVR_Client_5.1.1.30070.txt file to copy the content to the clipboard. Next, opening QVR.exe > IP address in 10.10.10.1 / 80, enter the username as “admin” and paste the clipboard into the password dialogue box. Pressing okay then crashes the system.

Since this is a local vulnerability, it becomes highly dangerous if the user’s credentials are not well protected or if the system is infected with malware that is able to elevate permissions and run arbitrary commands to execute this procedure. Crashing the system could terminate access to the live footage as well as the dual recording feature, making crime escapable under the camera’s eye.

The post QNAP QVR Security Client 5.1 Found Vulnerable to Clipboard Password DoS appeared first on Appuals.com.