[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Synology NAS "Auto Block IP" bypass and hide real IP in Synology logs

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Synology NAS "Auto Block IP" bypass and hide real IP in Synology logs
From: bashis <mcw@xxxxxxxxxx>
Date: Tue, 21 Feb 2017 21:02:27 +0000

Greetings,

1. Seems to be possible bypass the default enabled "Auto Block of IP address" 
functionality in Synologic's NAS by using only one single space (\x20) to the 
HTTP header "X-FORWARDED-FOR"
(If already Auto Blocked, this bypass will _not_ work)

Generates in /var/log/messages: 2017-02-21T20:39:13+02:00 VirtualDSM_8451 
login.cgi: login.c:1039 login.c (1039)Bad parameter :''
Bypassing whole function that will Auto Block IP if to many invalid login 
tries, opens the possibility to brute force without being locked out.

2. (1st Choice) "X-FORWARDED-FOR" and (2nd Choice) "CLIENT-IP" in HTTP header 
can be used to hide real IP from the Synology logs.

Example #1 (rhost): /var/log/auth.log: 2017-02-21T20:42:02+02:00 
VirtualDSM_8451 synocgid: pam_unix(webui:auth): authentication failure; 
logname= uid=0 euid=0 tty= ruser= rhost=0.0.0.0  user=admin
Example #2 (rhost): /var/log/auth.log: 2017-02-21T20:46:26+02:00 
VirtualDSM_8451 synocgid: pam_unix(webui:auth): authentication failure; 
logname= uid=0 euid=0 tty= ruser= rhost=Full Disclosure  user=admin

Best, bashis



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] ProjectSend r754 - IDOR & Authentication Bypass Vulnerability
Next by Date: [FD] EasyCom PHP API Stack Buffer Overflow
Previous by thread: [FD] ProjectSend r754 - IDOR & Authentication Bypass Vulnerability
Next by thread: [FD] EasyCom PHP API Stack Buffer Overflow
Index(es):
- Date
- Thread