Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2013-6955 Synology DSM remote code execution

From: tiamat451 () gmail com
Date: Tue, 25 Mar 2014 15:18:25 GMT
Products Affected By CVE-2013-6955
Diskstation Manager 
4.0
4.2                             
4.3             4.3-3810                                 
Vendor: Synology
Status: Patched

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 
4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, 
via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. 

http://www.synology.com/en-global/company/news/article/437

February 14, 2014—Synology® confirmed known security issues (reported as CVE-2013-6955 and CVE-2013-6987) which would 
cause compromise to file access authority in DSM. An updated DSM version resolving these issues has been released 
accordingly.

The followings are possible symptoms to appear on affected DiskStation and RackStation:

    Exceptionally high CPU usage detected in Resource Monitor:
    CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any 
processes with PWNED in their names
    Appearance of non-Synology folder:
    An automatically created shared folder with the name “startup”, or a non-Synology folder appearing under the path 
of “/root/PWNED”
    Redirection of the Web Station:
    “Index.php” is redirected to an unexpected page
    Appearance of non-Synology CGI program:
    Files with meaningless names exist under the path of “/usr/syno/synoman”
    Appearance of non-Synology script file:
    Non-Synology script files, such as “S99p.sh”, appear under the path of “/usr/syno/etc/rc.d”

If users identify any of above situation, they are strongly encouraged to do the following:

    For DiskStation or RackStation running on DSM 4.3, please follow the instruction here 
(http://www.synology.com/en-global/support/faq/348) to REINSTALL DSM 4.3-3827.
    For DiskStation or RackStation running on DSM 4.0, it’s recommended to REINSTALL DSM 4.0-2259 or onward from 
Synology Download Center.
    For DiskStation or RackStation running on DSM 4.1 or DSM 4.2, it’s recommended to REINSTALL DSM 4.2-3243 or onward 
from Synology Download Center (http://www.synology.com/en-global/support/download).

Confidentiality Impact  Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact        Complete (There is a total compromise of system integrity. There is a complete loss of system 
protection, resulting in the entire system being compromised.)
Availability Impact     Complete (There is a total shutdown of the affected resource. The attacker can render the 
resource completely unavailable.)
Access Complexity       Low (Specialized access conditions or extenuating circumstances do not exist. Very little 
knowledge or skill is required to exploit. )
Authentication  Not required (Authentication is not required to exploit the vulnerability.)
Gained Access   None
Vulnerability Type(s)   Execute Code

This is also known as the /PWNED or /lolz hack.
Previous By Date Next
Previous By Thread Next

Current thread: