| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Feb 2017 21:02:27 +0000 From: bashis <mcw@...mail.eu> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Synology NAS "Auto Block IP" bypass and hide real IP in Synology logs Greetings, 1. Seems to be possible bypass the default enabled "Auto Block of IP address" functionality in Synologic's NAS by using only one single space (\x20) to the HTTP header "X-FORWARDED-FOR" (If already Auto Blocked, this bypass will _not_ work) Generates in /var/log/messages: 2017-02-21T20:39:13+02:00 VirtualDSM_8451 login.cgi: login.c:1039 login.c (1039)Bad parameter :'' Bypassing whole function that will Auto Block IP if to many invalid login tries, opens the possibility to brute force without being locked out. 2. (1st Choice) "X-FORWARDED-FOR" and (2nd Choice) "CLIENT-IP" in HTTP header can be used to hide real IP from the Synology logs. Example #1 (rhost): /var/log/auth.log: 2017-02-21T20:42:02+02:00 VirtualDSM_8451 synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=0.0.0.0 user=admin Example #2 (rhost): /var/log/auth.log: 2017-02-21T20:46:26+02:00 VirtualDSM_8451 synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=Full Disclosure user=admin Best, bashis _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists