CVE-2013-6955
Published 2014-01-09
Priority: P2 75 critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 84.57% (99.7th percentile)
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | diskstation_manager | — | — |
| synology | diskstation_manager | — | — |
| synology | diskstation_manager | — | — |
| synology | diskstation_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /webman/imageSelector.cgi containing the custom HTTP headers X-TYPE-NAME: SLICEUPLOAD and X-TMP-FILE with a file path — this is the exploit trigger.
- Alert on any HTTP response from /webman/imageSelector.cgi containing 'error_noprivilege' in the body following a SLICEUPLOAD POST — the exploit module treats this as a success indicator.
- Monitor for a subsequent GET request to /redirect.cgi immediately after a POST to /webman/imageSelector.cgi — this two-stage pattern (write then invoke) is the exploitation sequence.
- Check GET requests to /webman/info.cgi?host= (empty host parameter) on port 5000 — this is the pre-exploitation version fingerprinting step used by the Metasploit module.
- The exploit targets DSM on TCP port 5000 by default; monitor for the above suspicious request patterns specifically on that port.
- The 4.1 branch of Synology DSM is confirmed vulnerable but has no official patch — fixed versions only cover 4.0-2259, 4.2-3243, and 4.3-3810 Update 1.
- The vulnerability is exploitable by completely unauthenticated remote attackers — no credentials are required to trigger the SLICEUPLOAD file-append primitive.
- Successful exploitation results in arbitrary command execution under root privileges, not just file write.
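The request patterns listed above can be correlated per source address. The following is an added example, not a rule shipped by this page or by Synology: it assumes a hypothetical sensor schema that records request headers and response bodies, and the events, addresses, rule names and 60-second window are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window; tune per environment

def event(ts, src, method, uri, headers=None, resp_body=""):
    """Build one request/response record (hypothetical sensor schema)."""
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "uri": uri, "headers": headers or {}, "resp_body": resp_body}

# Constructed sample traffic to a DSM web port (documentation addresses, not real logs).
SAMPLE_EVENTS = [
    event("2014-01-10T03:00:01", "198.51.100.7", "GET", "/webman/info.cgi?host="),
    event("2014-01-10T03:00:03", "198.51.100.7", "POST", "/webman/imageSelector.cgi",
          {"X-Type-Name": "SLICEUPLOAD", "X-Tmp-File": "/constructed/placeholder"},
          "error_noprivilege"),
    event("2014-01-10T03:00:04", "198.51.100.7", "GET", "/redirect.cgi"),
    event("2014-01-10T03:05:00", "192.0.2.20", "GET", "/redirect.cgi"),  # no prior upload
    event("2014-01-10T03:06:00", "192.0.2.20", "POST", "/webman/imageSelector.cgi"),  # no headers
]

def detect(events, window=WINDOW):
    """Return (src, rule) findings, in time order, for the patterns listed above."""
    findings, last_upload = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, path = ev["src"], ev["uri"].split("?", 1)[0]
        hdrs = {k.lower(): v for k, v in ev["headers"].items()}  # names are case-insensitive
        if ev["method"] == "GET" and ev["uri"] == "/webman/info.cgi?host=":
            findings.append((src, "version_fingerprint"))
        elif ev["method"] == "POST" and path == "/webman/imageSelector.cgi":
            if hdrs.get("x-type-name", "").upper() == "SLICEUPLOAD" and "x-tmp-file" in hdrs:
                findings.append((src, "sliceupload_post"))
                last_upload[src] = ev["ts"]
                if "error_noprivilege" in ev["resp_body"]:
                    findings.append((src, "sliceupload_ack"))
        elif ev["method"] == "GET" and path == "/redirect.cgi":
            seen = last_upload.get(src)
            if seen is not None and ev["ts"] - seen <= window:
                findings.append((src, "write_then_invoke"))
    return findings

if __name__ == "__main__":
    for src, rule in detect(SAMPLE_EVENTS):
        print(src, rule)
```

Standard access logs usually omit custom request headers and response bodies, so the first two rules need a proxy or network sensor that captures them; the write-then-invoke correlation works from URIs alone if the POST check is relaxed.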
No detection rules found.
Exploit-DB
Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution (Metasploit)
exploitdb·2013-12-24
---
```ruby
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit3 \d+)&minor=(?\d+)&build=(?\d+)
&junior=\d+&unique=synology_\w+_(?[^&]+)/x
  def initialize(info={})
    super(update_info(info,
      'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",
      'Description' => %q{
        This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
        versions 4.x, which allows the execution of arbitrary commands under root
        privileges.
        The vulnerability is located in /webman/imageSelector.cgi, which allows to append
        arbitrary data to a given file using a so called SLICEUPLOAD fu
```
Metasploit
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
metasploit
This module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows to append arbitrary data to a given file using a so called SLICEUPLOAD functionality, which can be triggered by an unauthenticated user with a specially crafted HTTP request. This is exploited by this module to append the given commands to /redirect.cgi, which is a regular shell script file, and can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed with versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulne
2014-01-09
Published