module
Synology DiskStation Manager smart.cgi Remote Command Execution
| Disclosed |
|---|
| Nov 8, 2017 |
Disclosed
Nov 8, 2017
Description
This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
versions privileges after website authentication.
The vulnerability is located in webman/modules/StorageManager/smart.cgi, which
allows appending of a command to the device to be scanned. However, the command
with drive is limited to 30 characters. A somewhat valid drive name is required,
thus /dev/sd is used, even though it doesn't exist. To circumvent the character
restriction, a wget input file is staged in /a, and executed to download our payload
to /b. From there the payload is executed. A wfsdelay is required to give time
for the payload to download, and the execution of it to run.
versions privileges after website authentication.
The vulnerability is located in webman/modules/StorageManager/smart.cgi, which
allows appending of a command to the device to be scanned. However, the command
with drive is limited to 30 characters. A somewhat valid drive name is required,
thus /dev/sd is used, even though it doesn't exist. To circumvent the character
restriction, a wget input file is staged in /a, and executed to download our payload
to /b. From there the payload is executed. A wfsdelay is required to give time
for the payload to download, and the execution of it to run.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.