This is the second part of my findings for the Synology DiskStation.
In this report, I was digging into a Synology DiskStation 216+II running firmware version 6.1-15047. This is an older version of the OS as these findings are almost a year old and while fixed for some time, this posting (and others pending) is way overdue because I have just been too busy.
Blind Operating System Command Injection
This vulnerability impacted two different operating systems, the Synology Router Manager (SRM) and the Disk Station Manager (DSM).
These are some of my favorite vulnerabilities to find because they provide the equivalent of a remote shell when chained with an XSS attack. Finding these issues can be challenging, which is another reason they are fun to explore. A command injection, through manipulating a parameter sent to a web server, will run a command on the underlying operating system like “cat /etc/shadow” to retrieve the passwords on the system. In a command injection attack such as the prior “cat” command, the web server’s response would return with the contents of the shadow file. In a blind command injection, while the OS command is run, the response does not return the output from the command. This makes it much more difficult to find since a successful attack does not reflect any information in the response message.
If ssh is available, I like to use it to find blind command injections by running tests with command variants of “touch tempXYZ” where XYZ is a unique number for each different injection. If there is a blind OS command injection, this will create a file on the system with the name tempXYZ that can be found in the ssh session by searching for the file. Additionally, the file shows the system user and thus permissions of the process that executed the injection creating the file (bonus points if it is root).
In the Synology EZ-Internet Wizard, the NAS can establish a PPPoE connection. For these CVEs, the Username field was vulnerable to a blind command injection.
Here is a screen capture of the message being sent to the device with the command to create a file temp128. The command injection is added on to the username parameter. The injection attack added is URL encoded as “%26%60touch%20temp128%60” which decodes as “&`touch temp128`”.
A screen capture from Burp Suite of the message sent to the NAS setting the PPPoE username field. The highlighted field shows the command injection which will run “touch temp128”. This command will create a file named temp128.
From an SSH session into the device we can see the result of the attack: the file “temp128” (and a few others, as I was playing) was created. Because the file owner is root, we know the OS command was run with root privileges.
The file temp128 was created in the base directory by the user root; this means all command injections through this vector are being run as root. This attack requires administrative access to the system to exploit but is a nice step in a chain of vulnerabilities to exploit a system.
While this attack can only be run with admin privileges on the system, an attacker can use this in an attack chain to run commands on the system with root privilege.
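To show why the decoded value above creates a file, here is an added example (not code from this post or from Synology) that runs the same value through a handler that builds a shell command line and through one that passes it as a single argv item. The post does not show how the device handles the field, so the shell-string handler is an assumed stand-in; the field name `username`, the `echo` command and the allowlist are also assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

# Constructed request body: the field name is assumed, the encoded suffix
# is the one quoted in the post.
SAMPLE_BODY = "username=alice%26%60touch%20temp128%60"

# Assumed allowlist for a PPPoE username; adjust to what the ISP permits.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def decode_username(body):
    """URL-decode the form body and return the username field."""
    return parse_qs(body, keep_blank_values=True)["username"][0]


def validate_username(username):
    """Input check: reject anything outside the allowlist before use."""
    return USERNAME_RE.fullmatch(username) is not None


def run_with_shell(username, workdir):
    """Vulnerable pattern: the value is pasted into a shell command line."""
    subprocess.run(f"echo {username}", shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def run_without_shell(username, workdir):
    """Hardened pattern: no shell, the value is one argv element."""
    subprocess.run(["echo", username], cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def canary_created(runner, username):
    """Run `runner` in a scratch directory; report whether temp128 appeared."""
    with tempfile.TemporaryDirectory() as workdir:
        runner(username, workdir)
        return (Path(workdir) / "temp128").exists()


if __name__ == "__main__":
    name = decode_username(SAMPLE_BODY)
    print(repr(name), validate_username(name))
    print("shell string:", canary_created(run_with_shell, name))
    print("argv list:   ", canary_created(run_without_shell, name))
```

Nothing is written outside the temporary directory. The argv form is the actual fix; the allowlist is a second layer that rejects the value before it reaches any command.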
Working with Synology
When I reported these issues, Synology responded to my report in under 24 hours that they were able to reproduce most of my findings, following up shortly that they reproduced the remaining. Their responses were very quick and timely, and they were a pleasure to work with. The delay in reporting the information is my fault.
This research was conducted on my own time, on my personally owned hardware and is in no way connected with my employer.