lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <35034271-5B20-4584-BD38-8282366A90A0@noemail.eu>
Date: Tue, 21 Feb 2017 21:02:27 +0000
From: bashis <mcw@...mail.eu>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Synology NAS "Auto Block IP" bypass and hide real IP in
	Synology logs

Greetings,

1. Seems to be possible bypass the default enabled "Auto Block of IP address" functionality in Synologic's NAS by using only one single space (\x20) to the HTTP header "X-FORWARDED-FOR"
(If already Auto Blocked, this bypass will _not_ work)

Generates in /var/log/messages: 2017-02-21T20:39:13+02:00 VirtualDSM_8451 login.cgi: login.c:1039 login.c (1039)Bad parameter :''
Bypassing whole function that will Auto Block IP if to many invalid login tries, opens the possibility to brute force without being locked out.

2. (1st Choice) "X-FORWARDED-FOR" and (2nd Choice) "CLIENT-IP" in HTTP header can be used to hide real IP from the Synology logs.

Example #1 (rhost): /var/log/auth.log: 2017-02-21T20:42:02+02:00 VirtualDSM_8451 synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=0.0.0.0  user=admin
Example #2 (rhost): /var/log/auth.log: 2017-02-21T20:46:26+02:00 VirtualDSM_8451 synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=Full Disclosure  user=admin

Best, bashis



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ