A threat researcher who goes by the name Max Kellermann found and detailed a high-severity flaw in QNAP devices. The flaw could allow anyone with local access to gain root privileges. Using the previously announced Linux vulnerability tracked as CVE-2022-0487, also known as Dirty Pipe, a local user could overwrite the contents of any file in the page cache, even if the file is not permitted to be written, is immutable, or is on a read-only mount. The flaw affects Linux versions 5.8 and later. Another security researcher on Twitter, Phith0n, explained that it is possible to use the exploit to modify the /etc/passwd file so that the root user has no password. Using this trick, a non-privileged user could execute the command ‘su root’ to gain access to the root account. At the time of writing, QNAP has not released a patch for this flaw, although several Linux distribution vendors have patched CVE-2022-0487 in their software.
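A defender-side check for the /etc/passwd tampering described above, added here as an example and not taken from the researchers or from QNAP. It flags entries with an empty password field and, going slightly beyond the text, any UID 0 account other than root; the function names audit_passwd and kernel_in_range are hypothetical.

```shell
#!/bin/sh
# Added example: audit a passwd file for the passwordless-root change the
# article describes. Function names are hypothetical, chosen for illustration.
# Usage on a live host: audit_passwd /etc/passwd; kernel_in_range "$(uname -r)"

# Print one finding per suspicious entry; return 1 if anything was found.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }        # skip blank lines and comments
        $2 == "" {                     # empty field: login needs no password
            printf "EMPTY_PASSWORD %s\n", $1
            bad = 1
        }
        $3 == 0 && $1 != "root" {      # second superuser account, review it
            printf "EXTRA_UID0 %s\n", $1
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Return 0 when a kernel release string is 5.8 or later, the range the article
# gives. Vendors backport fixes, so a match means "check the vendor advisory",
# not "confirmed vulnerable".
kernel_in_range() {
    major=${1%%.*}                     # text before the first dot
    rest=${1#*.}                       # text after the first dot
    minor=${rest%%[!0-9]*}             # leading digits of the second component
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 8 ]; }
}
```

Run the audit on the live system: the overwrite happens in the page cache and may never be written back to disk, so an offline copy of the file can look clean.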