module
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
| Disclosed | Created |
|---|---|
| 2013-10-31 | 2018-05-30 |
Disclosed
2013-10-31
Created
2018-05-30
Description
This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
versions 4.x, which allows the execution of arbitrary commands under root
privileges.
The vulnerability is located in /webman/imageSelector.cgi, which allows to append
arbitrary data to a given file using a so called SLICEUPLOAD functionality, which
can be triggered by an unauthenticated user with a specially crafted HTTP request.
This is exploited by this module to append the given commands to /redirect.cgi,
which is a regular shell script file, and can be invoked with another HTTP request.
Synology reported that the vulnerability has been fixed with versions 4.0-2259,
4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
versions 4.x, which allows the execution of arbitrary commands under root
privileges.
The vulnerability is located in /webman/imageSelector.cgi, which allows to append
arbitrary data to a given file using a so called SLICEUPLOAD functionality, which
can be triggered by an unauthenticated user with a specially crafted HTTP request.
This is exploited by this module to append the given commands to /redirect.cgi,
which is a regular shell script file, and can be invoked with another HTTP request.
Synology reported that the vulnerability has been fixed with versions 4.0-2259,
4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
Author
Markus Wulftange
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.