Saturday, December 21, 2013

Synology DSM multiple directory traversal

I'm again here with a Synology DSM vulnerability.

I found a lot of directory traversal in the FileBrowser components.
This kind of vulnerability allows any authenticated user, even if not administrative, to access, create, delete, modify system and configuration files.

The only countermeasure implemented against this vulnerability is the check that the path starts with a valid shared folder, so is enough to put the "../" straight after, to bypass the security check.

Vulnerables CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi

Not tested all the CGI, but I guess that many others are vulnerable, so don't take my list as comprehensive.

Version affected: <= 4.3-3810

More info here: http://www.andreafabrizi.it/?exploits:dsm_2

3 comments:

shutin said...

Thank you for this work. I hope Synology will start locking down their devices a bit better, I'm too worried to use it to it's full potential. Did you find anything else interesting?

Zafar Khatri said...

I digged this for more news from you. allungamento ciglia

albina N muro said...

Orla James create and provide diamond rings, necklaces, diamond earrings and wedding rings. sistemi di gestione viterbo