Lucene search
+L

Synology DiskStation Manager (DSM) Web Administration Interface Default Credentials

🗓️ 16 Sep 2016 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 290 Views

Synology DiskStation Manager Web Administration Interface Default Credential

Refs
Code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93560);
  script_version("1.5");
  script_cvs_date("Date: 2018/08/08 12:52:13");


  script_name(english:"Synology DiskStation Manager (DSM) Web Administration Interface Default Credentials");
  script_summary(english:"Attempts to login with default credentials.");

  script_set_attribute(attribute:"synopsis", value:
"The Synology DiskStation Manager (DSM) web administration interface
running on the remote host uses a known set of default credentials.");
  script_set_attribute(attribute:"description", value:
"The web administration interface for the Synology DiskStation Manager
(DSM) application running on the remote host uses a default blank
password for the administrator account. A remote attacker can exploit
this to gain administrative access to the web interface.");
  script_set_attribute(attribute:"solution", value:
"Change the default administrative login credentials. Alternatively,
upgrading to DiskStation Manager version 6.0-7321 or later will cause
administrative accounts with blank passwords to be disabled after the
upgrade, and consequently a password reset will be required.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"see_also", value:"https://www.synology.com/en-global/releaseNote/DS114");
  # https://www.synology.com/en-us/knowledgebase/DSM/tutorial/General/How_do_I_log_in_if_I_forgot_the_admin_password
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b85db768");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:synology:diskstation_manager");
  script_set_attribute(attribute:"default_account", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  script_dependencies("synology_diskstation_manager_detect.nbin");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/www", 5000, 5001);
  script_require_keys("www/synology_dsm");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "Synology DiskStation Manager (DSM)";
port = get_http_port(default:5001, embedded:TRUE);
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

appname = "synology_dsm";
get_install_count(app_name:appname, exit_if_zero:TRUE);
install = get_single_install(
  app_name: appname,
  port: port,
  exit_if_unknown_ver:FALSE);
dir = install['path'];


url = dir + '/login.cgi?enable_syno_token=yes';
install_url = build_url(qs:url, port:port);
postdata = 'username=admin&passwd=&OTPcode=&__cIpHeRtExT=&client_time=0&isIframeLogin=yes';

res = http_send_recv3(
  port            : port,
  method          : 'POST',
  item            : url,
  data            : postdata,
  add_headers     : make_array('Referer', install_url),
  content_type    : "application/x-www-form-urlencoded",
  exit_on_fail    : TRUE);

# SynoToken is only in the response body if we
# have successful auth. We will also see a Set-Cookie
# header for the 'id' session cookie for successful auth.
if ("SynoToken" >< res[2] && 'Set-Cookie' >< res[1])
{
  report = '\nNessus was able to authenticate to the remote host using the username' +
           '\n"admin" with a blank password within the following request :' +
           '\n\n' +
           http_last_sent_request() +
           '\n';

  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation