Saturday, December 21, 2013

Synology DSM multiple directory traversal

I'm again here with a Synology DSM vulnerability.

I found a lot of directory traversal in the FileBrowser components.
This kind of vulnerability allows any authenticated user, even if not administrative, to access, create, delete, modify system and configuration files.

The only countermeasure implemented against this vulnerability is the check that the path starts with a valid shared folder, so is enough to put the "../" straight after, to bypass the security check.

Vulnerables CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi

Not tested all the CGI, but I guess that many others are vulnerable, so don't take my list as comprehensive.

Version affected: <= 4.3-3810

More info here: http://www.andreafabrizi.it/?exploits:dsm_2

Saturday, October 19, 2013

DropShell: a Dropbox-Uploader based shell!

With the last Dropbox Uploader update, I've released the first version of DropShell,  an interactive DropBox shell.

DropShell allows you to interact with your DropBox folder using a terminal like interface, supporting the most common unix commands: ls, cd, pwd, get, put, cat, rm, mkdir, mv, cp, free, lls, lpwd, lcd, help, exit.


DropShell v0.1
The Intractive DropBox SHELL
Andrea Fabrizi - [email protected]

Type help for the list of the available commands.

andrea@DropBox:/$ ls
 [D] Camera Uploads
 [D] Public
 [D] scripts
 [D] ServerBackup
andrea@DropBox:/$ cd ServerBackup
andrea@DropBox:/ServerBackup$ ls
 [F] backup.zip
andrea@DropBox:/ServerBackup$ get backup.zip


Fork it on github!

Thursday, September 19, 2013

How to mount a JFFS2 image

Mount a JFFS2 image:

$ sudo su
$ mkdir /mnt/image
$ modprobe mtdram total_size=deviceSize erase_size=128
$ modprobe mtdblock
$ dd if=jffs2_image.bin of=/dev/mtdblock0
$ mount -t jffs2 /dev/mtdblock0 /mnt/image
$ cd /mnt/image

deviceSize: size of the virtual MTD device in Kb (choose a size greater than the image size)

This procedure is also useful when you need to emulate an MTD device for testing or other purposes.

Tuesday, September 10, 2013

Synology DSM <= 4.3-3776 multiple vulnerabilities

After a reverse engineering of the firmware, I found some interesting vulnerabilities that affects the latest version of the Synology DSM:

  • Remote file download 
  • Command injection
  • Partial remote content download
  • Cross-site scripting