SSD Advisory – Synology DiskStation Manager Multiple Stored Cross-Site Scripting

Vulnerabilities Summary
The following advisory describes two (2) stored Cross-Site Scripting (XSS) vulnerabilities found in Synology DiskStation Manager (DSM).

  1. Cross-site scripting stored in SWF file
  2. Cross-site scripting stored in Video Station application

Synology DiskStation Manager (DSM) is a Linux-based software package that serves as the operating system for the DiskStation and RackStation products. DSM is the foundation of the DiskStation, integrating the basic functions of file sharing, centralized backup, RAID storage, multimedia streaming, virtual storage, and using the DiskStation as a network video recorder.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Repeated emails sent to the vendor (support@cynology.com) since March received only unclear answers:
“Sorry for the misunderstanding. You reported it to us and what I meant was that our developers have verified your report and it’s been logged as a known issue now.
So, your report to us is highly appreciated and we thank you very much for your help!”
On August 11, 2017 we received an email from Synology with a link to the patch they released.
For more information: https://www.synology.com/en-global/support/security/Synology_SA_17_39_Video_Station

Vulnerabilities Details
Cross-site scripting stored in SWF file
When a user uses the “Open in a new window” function on an SWF file, the DiskStation Manager operating system renders the file and executes its content automatically. An attacker can upload a malicious SWF file to trigger the XSS vulnerability.
Proof of Concept

  1. Sign in to Synology
  2. Open File Station (We chose the folder where we want to upload the malicious file.)
  3. Right click > Load in home > Load – Skip
  4. Select the *.swf file (which you want to upload)
  5. After you have uploaded the file, right click and “Open in a new window”
  6. The XSS has been executed correctly.

Cross-site scripting stored in Video Station application
The Video Station application is installed by default in the DiskStation Manager operating system. By inserting a malicious script into the “Title” field found under “Video Information”, an attacker can trigger the XSS vulnerability.
Proof of Concept

  1. Go to Video Station
  2. Select a video > Choose “…”
  3. Click on “Edit Video Information”
  4. In the “Title” option, insert the following payload, then click Save:
    Stored_XSS"><img src=x onerror=prompt(document.domain);>
  5. Click again on “…”
  6. Choose the option “Shared public use”
  7. Click on checkbox > Go to link
  8. The XSS has been executed correctly.
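As an added defender's example (not code from this advisory or from Synology), the Python below shows the rendering failure behind the Video Station finding beside a fixed, output-encoded version, and a response-header policy that keeps an uploaded SWF from being rendered in the DSM origin when opened in a new window; the page template, helper names and the list of "active" content types are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the payload quoted in the advisory, as it would sit in
# the Video Station "Title" field after being saved.
STORED_TITLE = 'Stored_XSS"><img src=x onerror=prompt(document.domain);>'


def render_share_page_vulnerable(title: str) -> str:
    """Hypothetical share-page template that interpolates the stored title
    verbatim into element content and an attribute: the advisory's bug."""
    return f'<h1 class="title">{title}</h1><input value="{title}">'


def render_share_page_fixed(title: str) -> str:
    """Same template, but the title is HTML-escaped (quote=True also covers
    the attribute context), so stored markup is displayed, not executed."""
    safe = html.escape(title, quote=True)
    return f'<h1 class="title">{safe}</h1><input value="{safe}">'


class _HandlerCollector(HTMLParser):
    """Collects (tag, attribute) pairs for every on* event-handler attribute
    the browser would actually see, using a real tag parser rather than a
    substring search (an escaped payload still contains the text 'onerror=')."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        for name, _ in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))


def event_handlers(rendered: str) -> list[tuple[str, str]]:
    """Return the event-handler attributes present in rendered HTML."""
    parser = _HandlerCollector()
    parser.feed(rendered)
    return parser.handlers


def download_headers_for_upload(filename: str, declared_type: str) -> dict:
    """Hypothetical header policy for 'Open in a new window' on a user upload:
    active types (Flash, HTML, SVG) are forced to download instead of being
    rendered in the NAS origin, and nosniff stops the browser from guessing
    a more dangerous type for everything else."""
    active = {"application/x-shockwave-flash", "text/html", "image/svg+xml"}
    disposition = "attachment" if declared_type in active else "inline"
    return {"Content-Type": declared_type,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'{disposition}; filename="{filename}"'}
```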