Saturday, December 21, 2013

Synology DSM multiple directory traversal

I'm here again with a Synology DSM vulnerability.

I found a lot of directory traversal vulnerabilities in the FileBrowser components.
This kind of vulnerability allows any authenticated user, even a non-administrative one, to access, create, delete, and modify system and configuration files.

The only countermeasure implemented against this vulnerability is a check that the path starts with a valid shared folder, so it is enough to put "../" straight after the shared folder name to bypass the security check.
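The difference between that prefix test and a check made after canonicalization, as an added example (not DSM's code and not from the original post; the shared-folder roots, function names and sample paths are hypothetical and constructed for illustration):

```python
import posixpath

# Hypothetical shared-folder roots, constructed for this example.
SHARED_FOLDERS = ("/volume1/photo", "/volume1/public")


def naive_check(path):
    """The flawed countermeasure: only looks at how the string starts."""
    return any(path.startswith(root + "/") for root in SHARED_FOLDERS)


def canonical_check(path):
    """Normalize the path first, then require it to stay inside a share.

    Returns the canonical path when allowed, None otherwise.
    """
    # Reject embedded NUL bytes and anything that is not absolute.
    if "\x00" in path or not path.startswith("/"):
        return None
    # Collapse "." and ".." lexically. On a real filesystem, resolve
    # symlinks as well (os.path.realpath) before comparing.
    canonical = posixpath.normpath(path)
    for root in SHARED_FOLDERS:
        # Compare on a component boundary so that "/volume1/photobackup"
        # is not mistaken for something inside "/volume1/photo".
        if canonical == root or canonical.startswith(root + "/"):
            return canonical
    return None


if __name__ == "__main__":
    samples = [  # constructed inputs
        "/volume1/photo/2013/./img.jpg",
        "/volume1/photo/../../etc/example.conf",
        "/volume1/photobackup/x",
    ]
    for p in samples:
        print(f"{p!r}: naive={naive_check(p)} canonical={canonical_check(p)}")
```

A path that normalizes into a different shared folder still passes `canonical_check`, so per-share permissions have to be evaluated against the canonical path, not the path as submitted.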

Vulnerable CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi

I have not tested all the CGIs, but I guess that many others are vulnerable, so don't take my list as comprehensive.

Version affected: <= 4.3-3810

More info here: http://www.andreafabrizi.it/?exploits:dsm_2