Metasploit modules that can be used to exploit Synology » Diskstation Manager
Sudo Heap-Based Buffer Overflow
Disclosure Date: 2021-01-26
First seen: 2021-03-12
Module: exploit/linux/local/sudo_baron_samedit
A heap-based buffer overflow exists in the sudo command-line utility that can be exploited by a local attacker to gain elevated privileges. The vulnerability was introduced in July 2011 and affects versions 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this implementation leverages the overflow to overwrite a service_user struct in memory so that it references an attacker-controlled library, which results in that library being loaded with the elevated privileges held by sudo.
Authors:
- Qualys
- Spencer McIntyre
- bwatters-r7
- smashery
- blasty <blasty@fail0verflow.com>
- worawit
- Alexander Krog
Synology DiskStation Manager smart.cgi Remote Command Execution
Disclosure Date: 2017-11-08
First seen: 2020-05-22
Module: exploit/linux/http/synology_dsm_smart_exec_auth
This module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions < 5.2-5967-5, which allows the execution of arbitrary commands with root privileges after web interface authentication. The vulnerability is located in webman/modules/StorageManager/smart.cgi, which allows a command to be appended to the name of the device to be scanned. However, the command together with the drive name is limited to 30 characters. A somewhat valid drive name is required, so /dev/sd is used even though it does not exist. To circumvent the character restriction, a wget input file is staged in /a and executed to download the payload to /b, from where the payload is executed. A wfsdelay is required to give the payload time to download and run.
Authors:
- Nigusu Kassahun
- h00die
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
Disclosure Date: 2013-10-31
First seen: 2020-04-26
Module: exploit/linux/http/synology_dsm_sliceupload_exec_noauth
This module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands with root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows arbitrary data to be appended to a given file using the so-called SLICEUPLOAD functionality; this can be triggered by an unauthenticated user with a specially crafted HTTP request. The module exploits this by appending the given commands to /redirect.cgi, which is a regular shell script and can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed in versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
Authors:
- Markus Wulftange
Synology Forget Password User Enumeration Scanner
Disclosure Date: 2011-01-05
First seen: 2020-05-22
Module: auxiliary/scanner/http/synology_forget_passwd_user_enum
This module attempts to enumerate users on a Synology NAS by sending GET requests to the forgot-password URL. The Synology NAS responds differently depending on whether the user exists. These requests count as login attempts, and the default policy is a permanent block after 10 login attempts within 5 minutes. Set the delay accordingly to avoid this, since the default block is permanent.
Vulnerable DSM versions are:
- DSM 6.1 < 6.1.3-15152
- DSM 6.0 < 6.0.3-8754-4
- DSM 5.2 < 5.2-5967-04
Authors:
- h00die
- Steve Kaun
4 Metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.