lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201403251518.s2PFIPc7031756@sf01web2.securityfocus.com>
Date: Tue, 25 Mar 2014 15:18:25 GMT
From: tiamat451@...il.com
To: bugtraq@...urityfocus.com
Subject: CVE-2013-6955 Synology DSM remote code execution

Products Affected By CVE-2013-6955
Diskstation Manager 
4.0
4.2 				
4.3		4.3-3810 				 
Vendor: Synology
Status: Patched

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. 

http://www.synology.com/en-global/company/news/article/437

February 14, 2014—Synology® confirmed known security issues (reported as CVE-2013-6955 and CVE-2013-6987) which would cause compromise to file access authority in DSM. An updated DSM version resolving these issues has been released accordingly.

The followings are possible symptoms to appear on affected DiskStation and RackStation:

    Exceptionally high CPU usage detected in Resource Monitor:
    CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
    Appearance of non-Synology folder:
    An automatically created shared folder with the name “startup”, or a non-Synology folder appearing under the path of “/root/PWNED”
    Redirection of the Web Station:
    “Index.php” is redirected to an unexpected page
    Appearance of non-Synology CGI program:
    Files with meaningless names exist under the path of “/usr/syno/synoman”
    Appearance of non-Synology script file:
    Non-Synology script files, such as “S99p.sh”, appear under the path of “/usr/syno/etc/rc.d”

If users identify any of above situation, they are strongly encouraged to do the following:

    For DiskStation or RackStation running on DSM 4.3, please follow the instruction here (http://www.synology.com/en-global/support/faq/348) to REINSTALL DSM 4.3-3827.
    For DiskStation or RackStation running on DSM 4.0, it’s recommended to REINSTALL DSM 4.0-2259 or onward from Synology Download Center.
    For DiskStation or RackStation running on DSM 4.1 or DSM 4.2, it’s recommended to REINSTALL DSM 4.2-3243 or onward from Synology Download Center (http://www.synology.com/en-global/support/download).

Confidentiality Impact 	Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact 	Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact 	Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)
Access Complexity 	Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication 	Not required (Authentication is not required to exploit the vulnerability.)
Gained Access 	None
Vulnerability Type(s) 	Execute Code

This is also known as the /PWNED or /lolz hack.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ