ID

VAR-201009-0275


CVE

CVE-2010-2453


TITLE

Synology Disk Station Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2010-002952

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue.

Synology DiskStation Manager is prone to multiple HTML-injection vulnerabilities because the device's web-based administration application fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Synology DiskStation Manager 2.x is vulnerable; other versions may also be affected.

Synology DiskStation (DSM) is a network-attached storage (NAS) server from Synology, which can be used as a file-sharing center in a local area network.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Web commands injection through FTP Login in Synology Disk Station
CVE-2010-2453

INTRODUCTION

Synology Inc develops high-performance, reliable, versatile, and environmentally-friendly Network Attached Storage (NAS) products. Synology's goal is to deliver user-friendly storage solutions and solid customer service to satisfy the needs of businesses, home offices, individual users and families.

The Disk Station product provided by Synology as Network Attached Storage is vulnerable to multiple vulnerabilities, including the possibility of remote command execution via CSRF (Cross-Site Request Forgery) through the FTP login console. The FTP server is provided as a configurable service through the web interface, which provides backend access to manage the disk station.

The problem occurs in the FTP logging mechanism together with the admin interface used to view those logs. The FTP console input, in the form of username and password, gets logged in the web application interface.

This problem was confirmed in the following versions of Synology Disk Station; other versions may also be affected.

Synology Disk Station 2.x

Synology issued an update for this vulnerability in the release DSM3.0-1337.

CVSS Scoring System

The CVSS score is: 9.5
Base Score: 10
Temporal Score: 9.5

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:F/RL:U/RC:C

DETAILS

There are four steps for exploitation, specified here together with the identified problem:

1. The attacker can inject malicious input from the FTP login console. As the authentication credentials are inappropriate, the FTP authentication module generates an error and the requisite input is logged to the web interface of the disk station.

2. Secondly, the FTP logging module is not designed appropriately and the content coming from the FTP login console is placed directly into the log window without verification of the Content-Type parameter. The content is allowed to be rendered as HTML, script, etc. An attacker can inject malicious HTML tags, DOM calls, third-party scripts and CSRF calls that get executed in the context of the logged-in account which is administering it.

3. Usually the log mechanism is handled by the admin account. The chances of code execution and injection fulfillment are high, with the full privileges of the administrator. So any code injected by the attacker becomes persistent in most cases and remains there for execution. Moreover, CSRF code with malicious calls can be executed without user interaction.

4. The attacker has to be well versed in the directory structure of the Disk Station Manager so that injections can be made according to it and further operations can be performed.

The FTP server accepts username strings of up to 80-100 characters, which is good enough to craft injections to get things done. The scripts can be inserted from the local domain, the LAN or a third-party source to inject arbitrary code.

C:\Users\Administrator>ftp example.com
Connected to example.com.
220 Disk Station FTP server at DiskStation ready.
User (example.com:(none)): "/><script>alert("Check Point VDT"</script>
331 Password required for "/><script>alert("Check Point VDT"</script>
Password:
530 Login incorrect.
Login failed.
ftp> Invalid command.
ftp> bye
421 Timeout (300 seconds): closing control connection.

In order to determine the size of the allowed input string, we can do:

C:\Users\Administrator>ftp example.com
Connected to example.com.
220 Disk Station FTP server at DiskStation ready.
User (example.com:(none)): AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> Our input
331 Password required for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. -> The total length really used
Password:
530 Login incorrect.
Login failed.
ftp> Invalid command.
ftp> bye
421 Timeout (300 seconds): closing control connection.

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT) and Aditya K. Sood from Secniche.

Best Regards,
Rodrigo.

--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
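The logging-and-rendering flaw described above, reproduced as an added Python example that is not Synology's code and not part of the advisory: an FTP authentication-failure record is written with the USER value verbatim, a vulnerable log-window renderer concatenates it straight into HTML (the CVE-2010-2453 pattern), the hardened renderer escapes every externally supplied field on output, and a detection pass picks out log records whose USER field carries markup. The record layout and field names are invented for the example, the sample records are constructed, and the 78-character truncation limit is an assumption taken from the advisory's length probe (the server echoed 78 of the submitted characters).

```python
import html
import re

# Assumed logging limit: the advisory's probe shows the server echoing back
# 78 of the submitted characters. It does not prevent the attack; the
# advisory's payload is well under that length.
MAX_LOGGED_USER_LEN = 78

# Constructed FTP authentication-failure records (illustrative layout, not
# DSM's real log format). The second and third USER values are injection attempts.
SAMPLE_FTP_LOG = [
    {"ts": "2010-09-26 10:00:01", "client": "192.0.2.10",
     "user": "alice", "result": "530 Login incorrect"},
    {"ts": "2010-09-26 10:00:07", "client": "192.0.2.77",
     "user": '"/><script>alert("Check Point VDT")</script>',
     "result": "530 Login incorrect"},
    {"ts": "2010-09-26 10:00:09", "client": "192.0.2.77",
     "user": "<img src=x onerror=alert(1)>", "result": "530 Login incorrect"},
]


def log_ftp_auth_failure(ts, client, user):
    """Build a record the way an FTP daemon would: the USER value is kept
    verbatim (only truncated), so whatever the client typed reaches the log."""
    return {"ts": ts, "client": client,
            "user": user[:MAX_LOGGED_USER_LEN], "result": "530 Login incorrect"}


def render_log_window_vulnerable(entries):
    """Mirrors the flaw: log fields are concatenated straight into the HTML of
    the admin log window, so a crafted USER value becomes markup that runs in
    the administrator's browser."""
    rows = "".join(
        f"<tr><td>{e['ts']}</td><td>{e['client']}</td>"
        f"<td>{e['user']}</td><td>{e['result']}</td></tr>"
        for e in entries)
    return f"<table>{rows}</table>"


def render_log_window_hardened(entries):
    """Fix: every value that originated outside the web application is
    HTML-escaped on output. quote=True also neutralises the leading '"/>'
    attribute break-out used in the advisory's payload."""
    def cell(value):
        return f"<td>{html.escape(str(value), quote=True)}</td>"
    rows = "".join(
        f"<tr>{cell(e['ts'])}{cell(e['client'])}{cell(e['user'])}{cell(e['result'])}</tr>"
        for e in entries)
    return f"<table>{rows}</table>"


# Fragments that have no business in an FTP username: a tag opener, an
# event-handler attribute, a javascript: URL, or the same things entity- or URL-encoded.
_INJECTION_MARKERS = re.compile(
    r"<\s*/?\s*[a-z!?]|on[a-z]+\s*=|javascript:|&#|%3c|%3e", re.IGNORECASE)


def flag_injection_attempts(entries):
    """Detection pass over an existing FTP log: return the records whose USER
    field carries HTML/script markers, so they can be reviewed in a text
    viewer rather than the web log window until the device is patched."""
    return [e for e in entries if _INJECTION_MARKERS.search(e["user"])]


if __name__ == "__main__":
    print(render_log_window_hardened(SAMPLE_FTP_LOG))
    for e in flag_injection_attempts(SAMPLE_FTP_LOG):
        print("suspicious USER from", e["client"], ":", e["user"])
```

The escaping is done at the point where the log text is turned into HTML, not when the FTP daemon writes the log; the log must stay a faithful record, and it is the viewer that decides how to present it.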

Trust: 2.07

sources: NVD: CVE-2010-2453 // JVNDB: JVNDB-2010-002952 // BID: 43542 // VULHUB: VHN-45058 // PACKETSTORM: 94283

AFFECTED PRODUCTS

vendor: synology | model: dsm | scope: eq | version: 2.3-1161

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 2.2-1041

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 2.2-1042

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 3.0-1334

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 2.2-0942

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 2.3-1157

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 2.3-1144

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 2.3-1139

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 2.3-1141

Trust: 1.6

vendor: synology | model: dsm | scope: eq | version: 2.2-1045

Trust: 1.6

vendor: synology | model: diskstation manager | scope: eq | version: 3.0-1337

Trust: 0.8

vendor: synology | model: diskstation manager | scope: lt | version: 2.x

Trust: 0.8

vendor: synology | model: diskstation manager | scope: eq | version: 2.x

Trust: 0.3

sources: BID: 43542 // JVNDB: JVNDB-2010-002952 // CNNVD: CNNVD-201009-279 // NVD: CVE-2010-2453

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-2453
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-2453
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201009-279
value: MEDIUM

Trust: 0.6

VULHUB: VHN-45058
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-2453
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-45058
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-45058 // JVNDB: JVNDB-2010-002952 // CNNVD: CNNVD-201009-279 // NVD: CVE-2010-2453

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-45058 // JVNDB: JVNDB-2010-002952 // NVD: CVE-2010-2453

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201009-279

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201009-279

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-002952

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-45058

PATCH

title: Top Page | url: http://www.synology.com/index.php?lang=default

Trust: 0.8

title: synology_x86_1010+_1337 | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=34456

Trust: 0.6

sources: JVNDB: JVNDB-2010-002952 // CNNVD: CNNVD-201009-279

EXTERNAL IDS

db: NVD | id: CVE-2010-2453

Trust: 2.9

db: JVNDB | id: JVNDB-2010-002952

Trust: 0.8

db: CNNVD | id: CNNVD-201009-279

Trust: 0.7

db: BUGTRAQ | id: 20100926 WEB COMMANDS INJECTION THROUGH FTP LOGIN IN SYNOLOGY DISK STATION - CVE-2010-2453

Trust: 0.6

db: BID | id: 43542

Trust: 0.4

db: PACKETSTORM | id: 94283

Trust: 0.2

db: VULHUB | id: VHN-45058

Trust: 0.1

sources: VULHUB: VHN-45058 // BID: 43542 // JVNDB: JVNDB-2010-002952 // PACKETSTORM: 94283 // CNNVD: CNNVD-201009-279 // NVD: CVE-2010-2453

REFERENCES

url:http://www.securityfocus.com/archive/1/513970/100/0/threaded

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2453

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2453

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/513970/100/0/threaded

Trust: 0.6

url:http://www.synology.com/enu/index.php

Trust: 0.3

url:http://www.checkpoint.com/defense/

Trust: 0.1

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.1

url:http://secunia.com/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-2453

Trust: 0.1

sources: VULHUB: VHN-45058 // BID: 43542 // JVNDB: JVNDB-2010-002952 // PACKETSTORM: 94283 // CNNVD: CNNVD-201009-279 // NVD: CVE-2010-2453

CREDITS

Rodrigo Rubira Branco, Check Point Vulnerability Discovery Team (VDT) and Aditya K. Sood, Secniche

Trust: 0.3

sources: BID: 43542

SOURCES

db: VULHUB | id: VHN-45058
db: BID | id: 43542
db: JVNDB | id: JVNDB-2010-002952
db: PACKETSTORM | id: 94283
db: CNNVD | id: CNNVD-201009-279
db: NVD | id: CVE-2010-2453

LAST UPDATE DATE

2024-11-23T21:56:17.657000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-45058 | date: 2018-10-10T00:00:00
db: BID | id: 43542 | date: 2010-09-28T00:00:00
db: JVNDB | id: JVNDB-2010-002952 | date: 2012-03-27T00:00:00
db: CNNVD | id: CNNVD-201009-279 | date: 2010-10-11T00:00:00
db: NVD | id: CVE-2010-2453 | date: 2024-11-21T01:16:41.670

SOURCES RELEASE DATE

db: VULHUB | id: VHN-45058 | date: 2010-09-29T00:00:00
db: BID | id: 43542 | date: 2010-09-28T00:00:00
db: JVNDB | id: JVNDB-2010-002952 | date: 2012-03-27T00:00:00
db: PACKETSTORM | id: 94283 | date: 2010-09-28T02:17:53
db: CNNVD | id: CNNVD-201009-279 | date: 2010-09-29T00:00:00
db: NVD | id: CVE-2010-2453 | date: 2010-09-29T17:00:02.993