I'm again here with a Synology DSM vulnerability.
I found a lot of directory traversal in the FileBrowser components.
This kind of vulnerability allows any authenticated user, even if not administrative, to access, create, delete, modify system and configuration files.
The only countermeasure implemented against this vulnerability is the check that the path starts with a valid shared folder, so is enough to put the "../" straight after, to bypass the security check.
Vulnerables CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi
Not tested all the CGI, but I guess that many others are vulnerable, so don't take my list as comprehensive.
Version affected: <= 4.3-3810
More info here: http://www.andreafabrizi.it/?exploits:dsm_2
Saturday, December 21, 2013
Saturday, October 19, 2013
DropShell: a Dropbox-Uploader based shell!
With the last Dropbox Uploader update, I've released the first version of DropShell, an interactive DropBox shell.
DropShell allows you to interact with your DropBox folder using a terminal like interface, supporting the most common unix commands: ls, cd, pwd, get, put, cat, rm, mkdir, mv, cp, free, lls, lpwd, lcd, help, exit.
Fork it on github!
DropShell allows you to interact with your DropBox folder using a terminal like interface, supporting the most common unix commands: ls, cd, pwd, get, put, cat, rm, mkdir, mv, cp, free, lls, lpwd, lcd, help, exit.
DropShell v0.1
The Intractive DropBox SHELL
Andrea Fabrizi - [email protected]
Type help for the list of the available commands.
andrea@DropBox:/$ ls
[D] Camera Uploads
[D] Public
[D] scripts
[D] ServerBackup
andrea@DropBox:/$ cd ServerBackup
andrea@DropBox:/ServerBackup$ ls
[F] backup.zip
andrea@DropBox:/ServerBackup$ get backup.zip
Fork it on github!
Thursday, September 19, 2013
How to mount a JFFS2 image
Mount a JFFS2 image:
$ sudo su
$ mkdir /mnt/image
$ modprobe mtdram total_size=deviceSize erase_size=128
$ modprobe mtdblock
$ dd if=jffs2_image.bin of=/dev/mtdblock0
$ mount -t jffs2 /dev/mtdblock0 /mnt/image
$ cd /mnt/image
deviceSize: size of the virtual MTD device in Kb (choose a size greater than the image size)
This procedure is also useful when you need to emulate an MTD device for testing or other purposes.
$ sudo su
$ mkdir /mnt/image
$ modprobe mtdram total_size=deviceSize erase_size=128
$ modprobe mtdblock
$ dd if=jffs2_image.bin of=/dev/mtdblock0
$ mount -t jffs2 /dev/mtdblock0 /mnt/image
$ cd /mnt/image
deviceSize: size of the virtual MTD device in Kb (choose a size greater than the image size)
This procedure is also useful when you need to emulate an MTD device for testing or other purposes.
Tuesday, September 10, 2013
Synology DSM <= 4.3-3776 multiple vulnerabilities
After a reverse engineering of the firmware, I found some interesting vulnerabilities that affects the latest version of the Synology DSM:
- Remote file download
- Command injection
- Partial remote content download
- Cross-site scripting
More information here: http://www.andreafabrizi.it/?exploits:dsm
Subscribe to:
Posts (Atom)