Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24815
HistorySep 29, 2010 - 12:00 a.m.

Web commands injection through FTP Login in Synology Disk Station - CVE-2010-2453

2010-09-2900:00:00
vulners.com
121
JSON

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Web commands injection through FTP Login in Synology Disk Station
CVE-2010-2453

INTRODUCTION

Synology Inc develops high-performance, reliable, versatile, and environmentally-friendly Network Attached Storage (NAS) products. Synology's goal
is to deliver user-friendly storage solutions and solid customer service to satisfy the needs of businesses, home offices, individual users and
families.

The disk station product provided by Synology as Network Attached Storage is vulnerable to multiple vulnerabilities including the possibility of
remote command execution via CSRF (Cross Site Request Forging) through FTP login console. The FTP server is provided as a configurable service
through web interface which provides backend access to manage the disks station. The problem occurs in the FTP logging mechanism together with the
admin interface used to view those logs. The FTP console input in the form username and password gets logged in the web application interface.

This problem was confirmed in the following versions of Synology Disk Station, other versions may be also affected.

Synology Disk Station 2.x

Synology issued an update for this vulnerability in the release DSM3.0-1337.

CVSS Scoring System

The CVSS score is: 9.5
Base Score: 10
Temporal Score: 9.5
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:F/RL:U/RC:C

DETAILS

There are four steps for exploitation, specified here together with the identified problem:

    1. The attacker can inject malicious input from the FTP login console. As the authentication credentials are inappropriate the FTP authentication 
    module generates error and the requisite input is logged in to the web interface of the disk station.
    2. Secondly the FTP logging module is not designed appropriately and the content comes from the FTP login console is directly placed into the log 
    window without verification of the Content-Type parameter. The content is allowed to be rendered as HTML, Script etc. An attacker can inject 
    malicious HTML tags, DOM calls, third part y scripts, CSRF calls that gets executed in the context of logged in account which is administering it.
    3. Usually log mechanism is handled by the admin account. The chances of code execution and injection fulfillment are high within full privileges 
    as of administrator. So any code injected by the attacker becomes persistent in most of the cases and remain there for execution. Moreover CSRF 
    code with malicious calls can be executed without user interaction.
    4. Attacker has to be well versed in directory structure of the disk station manager so that injections can be made according to that and further 
    operations can be performed. The FTP servers accept username string upto 80-100 characters which is good enough to craft injections to get the 
    things done The scripts can be inserted from local domain or LAN or third party source to inject arbitrary code.

C:\Users\Administrator>ftp example.com
Connected to example.com.
220 Disk Station FTP server at DiskStation ready.
User (example.com:(none)): "/><script>alert("Check Point VDT"</script>
331 Password required for "/><script>alert("Check Point VDT"</script>
Password:
530 Login incorrect.
Login failed.
ftp> Invalid command.
ftp> bye
421 Timeout (300 seconds): closing control connection.

In order to determine the size of the allowed input string, we can do:

C:\Users\Administrator>ftp example.com
Connected to example.com.
220 Disk Station FTP server at DiskStation ready.
User (example.com:(none)): AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> Our input
331 Password required for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. -> The total lenght really used
Password:
530 Login incorrect.
Login failed.
ftp> Invalid command.
ftp> bye
421 Timeout (300 seconds): closing control connection.

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT) and Aditya
K. Sood from Secniche.

Best Regards,

Rodrigo.


Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Related

packetstorm 1
prion 2
cve 2
checkpoint_advisories 2
securityvulns 1
packetstorm
packetstorm
Synology Disk Station Code Execution / Cross Site Request Forgery / Cross Site Scripting
2010-09-28 00:00:00
prion
prion
Cross site scripting
2010-09-29 17:00:00
Code injection
2010-09-29 17:00:00
cve
cve
CVE-2010-2453
2010-09-29 17:00:00
CVE-2010-3684
2010-09-29 17:00:00
checkpoint_advisories
checkpoint_advisories
Update Protection against Synology Disk Station FTP Login Web Commands Injection Vulnerability
2010-09-30 00:00:00
Suspicious Characters in FTP User Name (CVE-2009-0542; CVE-2010-2453)
2010-08-18 00:00:00
securityvulns
securityvulns
Synology Disk Station crossite scripting
2010-09-29 00:00:00
JSON
Related for SECURITYVULNS:DOC:24815
packetstorm1prion2cve2checkpoint_advisories2securityvulns1