CVE-2017-15889
Published 2017-12-04
Priority P2 (78); severity high, CVSS 3.0 base score 8.8; public exploit available.
EPSS: 72.45% (99.4th percentile)
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | diskstation_manager | < 5.2-5967-5 | 5.2-5967-5 |
| synology | diskstation_manager | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to webman/modules/StorageManager/smart.cgi with a 'disk' parameter containing backtick-enclosed command injection patterns (e.g., /dev/sd`...`).
- Look for POST requests to smart.cgi with action=apply&operation=quick and a disk field value that does not match a standard /dev/sdX device name.
- Detect the X-SYNO-TOKEN header in POST requests to smart.cgi, which indicates authenticated exploitation attempts against this endpoint.
- Alert on creation of or access to the file /a on Synology DSM hosts, used as a wget input staging file during exploitation.
- Alert on login.cgi requests with the enable_syno_token=yes query parameter followed shortly by POST requests to smart.cgi; this sequence is characteristic of the exploit chain.
- Flag DSM versions earlier than 5.2-5967-5 (including 3.0, 4.x, 5.0, 5.1, and 5.2 builds below 5967-5) as vulnerable during asset inventory.
- The disk parameter in smart.cgi is limited to 30 characters, so the exploit stages commands via echo into /a and then uses wget to fetch and execute a payload; detection rules must account for multi-step injection rather than a single large payload.
- Exploitation requires prior authentication (remote authenticated users); unauthenticated access to smart.cgi alone is not sufficient to trigger the vulnerability.
- The Metasploit module uses a WfsDelay of 10 seconds to allow payload download and execution; network-based detections should account for this delayed callback pattern.
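As an added illustration of the request-level and sequence rules listed above (example code written for this page, not from any indexed source or from the Metasploit module), the following Python evaluates both checks over constructed request records; the record shape and the assumption that a proxy or WAF logs POST bodies are both assumptions.

```python
import re
from urllib.parse import parse_qs

SMART_CGI = "/webman/modules/StorageManager/smart.cgi"
SAFE_DISK_RE = re.compile(r"^/dev/sd[a-z]+\d*$")   # /dev/sda, /dev/sdb1, ...
SHELL_META_RE = re.compile(r"[`;|&$()<>\n]")       # never valid in a disk name

def check_smart_cgi_request(method, path, body):
    """Findings for one request (empty list = nothing suspicious). `body` is the
    raw form-encoded POST body as a proxy/WAF that logs bodies would record it."""
    findings = []
    if method != "POST" or not path.endswith("smart.cgi"):
        return findings
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    disk = params.get("disk", "")
    quick_scan = params.get("action") == "apply" and params.get("operation") == "quick"
    if quick_scan and not SAFE_DISK_RE.match(disk):
        findings.append("disk is not a standard /dev/sdX device name")
    if SHELL_META_RE.search(disk):
        findings.append("disk contains shell metacharacters")
    return findings

def find_exploit_chains(events, window=60):
    """Sources that hit login.cgi?enable_syno_token=yes and then POST to smart.cgi
    within `window` seconds. `events`: (ts, src, method, path, query), sorted by ts."""
    last_token_login, hits = {}, []
    for ts, src, method, path, query in events:
        if path.endswith("login.cgi") and "enable_syno_token=yes" in query:
            last_token_login[src] = ts
        elif method == "POST" and path.endswith("smart.cgi"):
            seen = last_token_login.get(src)
            if seen is not None and 0 <= ts - seen <= window:
                hits.append((src, ts))
    return hits

# Constructed sample traffic for the checks above (not captured data).
SAMPLE_REQUESTS = [
    ("POST", SMART_CGI, "action=apply&operation=quick&disk=/dev/sda"),      # benign
    ("POST", SMART_CGI, "action=apply&operation=quick&disk=/dev/sd`id`"),   # injection
    ("POST", SMART_CGI, "action=apply&operation=quick&disk=/dev/sd"),       # bogus drive
]
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "GET", "/webman/login.cgi", "enable_syno_token=yes"),
    (1005, "10.0.0.5", "POST", SMART_CGI, ""),
    (1100, "10.0.0.9", "POST", SMART_CGI, ""),  # no token login first: not a chain
]
def run_samples():
    """Evaluate both rules over the constructed samples."""
    return [check_smart_cgi_request(*r) for r in SAMPLE_REQUESTS], find_exploit_chains(SAMPLE_EVENTS)
```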
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit) (exploitdb, 2020-05-25; CVE-2017-15889)
---
Module source excerpt (truncated in the indexed listing):
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule \d+)&minor=(?\d+)&build=(?\d+)
&junior=\d+&unique=synology_\w+_(?[^&]+)/x.freeze
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Synology DiskStation Manager smart.cgi Remote Command Execution',
        'Description' => %q{
          This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
          versions
        [
          'Nigusu Kassahun', # Discovery
          'h00die' # metasploit module
        ],
        'References' =>
        [
          [ 'CVE', '2017-15889' ],
          [ 'EDB', '43190' ],
          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-exec
```
Metasploit
Synology DiskStation Manager smart.cgi Remote Command Execution
This module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions < 5.2-5967-5, which allows the execution of arbitrary commands under root privileges after website authentication. The vulnerability is located in webman/modules/StorageManager/smart.cgi, which allows appending of a command to the device to be scanned. However, the command with drive is limited to 30 characters. A somewhat valid drive name is required, thus /dev/sd is used, even though it doesn't exist. To circumvent the character restriction, a wget input file is staged in /a, and executed to download our payload to /b. From there the payload is executed. A wfsdelay is required to give time for the payload to download, and the execution
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/157807/Synology-DiskStation-Manager-smart.cgi-Remote-Command-Execution.html
- https://www.synology.com/en-global/support/security/Synology_SA_17_65_DSM