{"id":7719,"date":"2017-05-21T14:19:31","date_gmt":"2017-05-21T22:19:31","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/21\/news-1504\/"},"modified":"2017-05-21T14:19:31","modified_gmt":"2017-05-21T22:19:31","slug":"news-1504","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/05\/21\/news-1504\/","title":{"rendered":"SSD Advisory \u2013 Synology DiskStation Manager Multiple Stored Cross-Site Scripting"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 21 May 2017 15:17:30 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3075\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3075');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes two (2) stored Cross-Site Scripting (XSS) vulnerabilities found in Synology DiskStation Manager (DSM).<\/p>\n<ol>\n<li>Cross-site scripting stored in <em>SWF<\/em> file<\/li>\n<li>Cross-site scripting stored in <em>Video Station<\/em> application<\/li>\n<\/ol>\n<p>Synology DiskStation Manager (DSM) is a Linux-based software package that is the operating system for the DiskStation and RackStation products. 
The Synology DSM is the foundation of the DiskStation, which integrates the basic functions of file sharing, centralized backup, RAID storage, multimedia streaming, virtual storage, and using the DiskStation as a network video recorder.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Repeated emails (support@cynology.com) sent to the vendor since March were answered with unclear answers:<br \/> &#8220;Sorry for the misunderstanding. You reported it to us and what I meant was that our developers have verified your report and it&#8217;s been logged as a known issue now.<br \/> So, your report to us is highly appreciated and we thank you very much for your help!&#8221;<\/p>\n<p>We therefore don&#8217;t know at this time whether these vulnerabilities have been resolved.<\/p>\n<p><span id=\"more-3075\"><\/span><\/p>\n<p><strong>Vulnerabilities Details<\/strong><\/p>\n<p><u>Cross-site scripting stored in <em>SWF<\/em> file<\/u><br \/> When a user uses the &#8220;Open in a new window&#8221; function on an SWF file, the DiskStation Manager operating system renders the file and executes its content automatically. An attacker can upload a malicious SWF file to trigger the XSS vulnerability.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<ol>\n<li>Sign in to Synology<\/li>\n<li>Open File Station (choose the folder into which you want to upload the malicious file)<\/li>\n<li>Right click > Load in home > Load &#8211; Skip<\/li>\n<li>Select the *.swf file you want to upload<\/li>\n<li>After the file has been uploaded, right click it and choose &#8220;Open in a new window&#8221;<\/li>\n<li>The XSS is executed.<\/li>\n<\/ol>\n<p><u>Cross-site scripting stored in <em>Video Station<\/em> application<\/u><br \/> The Video Station application is installed by default in the DiskStation Manager operating system. 
By inserting a malicious script into the &#8220;Title&#8221; field found under &#8220;Video Information&#8221;, an attacker can trigger the XSS vulnerability.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<ol>\n<li>Go to Video Station<\/li>\n<li>Select a video > Choose &#8220;&#8230;&#8221;<\/li>\n<li>Click on &#8220;Edit Video Information&#8221;<\/li>\n<li>In the &#8220;Title&#8221; option, insert the following payload: <code>Stored_XSS&quot;&gt;&lt;img src=x onerror=prompt(document.domain);&gt;<\/code> > Save<\/li>\n<li>Click again on &#8220;&#8230;&#8221;<\/li>\n<li>Choose the option &#8220;Shared public use&#8221;<\/li>\n<li>Click on the checkbox > Go to link<\/li>\n<li>The XSS is executed.<\/li>\n<\/ol>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3075\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 21 May 2017 15:17:30 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes two (2) stored Cross-Site Scripting (XSS) vulnerabilities found in Synology DiskStation Manager (DSM). Cross-site scripting stored in SWF file Cross-site scripting stored in Video Station application Synology DiskStation Manager (DSM) is a Linux-based software package that is the operating system for the DiskStation and RackStation products. 
The Synology DSM is &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3075\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Synology DiskStation Manager Multiple Stored Cross-Site Scripting<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11640,10757],"class_list":["post-7719","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-cross-site-scripting","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7719"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7719\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}