CVE-2013-6987

HIGH 7.5 / 10.0
Published: December 31, 2013 at 04:04 PM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.

CVSS Metrics

Base Score: 7.5
Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Synology DiskStation Manager (DSM) versions prior to 4.3-3810 Update 3 are vulnerable to multiple directory traversal flaws, allowing remote attackers to gain unauthorized access to the file system. Successful exploitation enables attackers to read, write, and delete arbitrary files, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Target Identification: Identify a vulnerable Synology DSM instance running a version prior to 4.3-3810 Update 3.

Step 2: Payload Delivery: Craft a malicious HTTP request targeting one of the vulnerable CGI scripts (e.g., file_delete.cgi, file_share.cgi). The request includes a crafted parameter (e.g., path or folder_path) containing a directory traversal payload, such as ../../../../etc/passwd.

Step 3: Server-Side Processing: The vulnerable CGI script receives the malicious request and attempts to process the file operation (e.g., delete, share, download) using the provided path.

Step 4: Path Resolution Failure: Due to the lack of proper input validation, the server fails to sanitize the malicious path. The .. sequences are interpreted by the file system.

Step 5: Unauthorized Access: The file system resolves the manipulated path, leading to the access of a file outside the intended directory. This could be reading sensitive files (e.g., /etc/passwd), writing malicious files (e.g., web shells), or deleting critical system files.

Step 6: Exploitation Outcome: The attacker successfully reads, writes, or deletes arbitrary files, depending on the chosen payload and the script's functionality. This can lead to information disclosure, remote code execution, or denial of service.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation in the FileBrowser components of Synology DSM. The affected endpoints (file_delete.cgi, file_share.cgi, fbdownload/, html5_upload.cgi, file_download.cgi, file_sharing.cgi, file_MVCP.cgi, and file_rename.cgi) fail to sanitize user-supplied input, including the path, folder_path, and dlink parameters. By injecting .. (dot-dot) sequences into these parameters, an attacker can manipulate the file paths the application uses, navigate outside the intended directory structure, and access, modify, or delete files in arbitrary locations on the server's file system. The root cause is that paths are not normalized and validated before files are accessed, which is a classic directory traversal vulnerability.
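One way to implement the missing normalization and containment check, as an added Python example (not Synology's code). The function names, the `share`/`share2` directory layout, and the request strings are constructed for illustration; a flawed string-prefix check is included for contrast.

```python
import os
import tempfile

class PathTraversalError(ValueError):
    """Requested path resolves outside the permitted root."""

def prefix_check(root, user_path):
    """Flawed: normalizes text only, then compares string prefixes."""
    return os.path.normpath(os.path.join(root, user_path)).startswith(root)

def resolve_within(root, user_path):
    """Return the canonical path for user_path, or raise if it leaves root."""
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so the comparison is
    # made on the location the file system would actually open.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath compares whole components: "/x/share2" is not under "/x/share".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(f"{user_path!r} resolves outside the root")
    return candidate

# Constructed requests: one legitimate, the rest leave the share.
REQUESTS = [
    "docs/report.txt",
    "../../../../etc/passwd",   # traversal string quoted in Step 2
    "../share2/secret",         # sibling directory sharing the name prefix
    "link/share2/secret",       # symlink inside the share pointing outside
    "/etc/passwd",              # absolute path: os.path.join discards root
]

def demo():
    """Map each request to (prefix_check result, resolve_within verdict)."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "share")
        os.makedirs(os.path.join(share, "docs"))
        os.mkdir(os.path.join(base, "share2"))
        os.symlink(base, os.path.join(share, "link"))
        for req in REQUESTS:
            try:
                resolve_within(share, req)
                verdict = "allowed"
            except PathTraversalError:
                verdict = "rejected"
            results[req] = (prefix_check(share, req), verdict)
    return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:28} prefix_check={outcome[0]!s:5} resolve_within={outcome[1]}")
```

The file operation should use the canonical path returned by `resolve_within`, not the original request string.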
