Synology Router Manager Reflected XSS
Description
The Synology Router Manager (SRM) web portal contains a DOM-based reflected XSS vulnerability. The SRM web portal is used by multiple Synology routers. The vulnerability allows a malicious user to run JavaScript code in the context of the victim's browser if the victim clicks a crafted URL. The JavaScript code can use the functionality of the web portal; for example, it is possible to create a new user, enable the SSH service, and relax the firewall settings. Such crafted JavaScript code can also be delivered through, for example, a watering hole attack that frames the site, since framing is allowed by default in the SRM configuration.
WithSecure identified the vulnerability in the Synology RT6600ax router, and notified Synology of this issue on the 5th of December 2022.
Synology released a patch for the vulnerability on 2023-07-27 in SRM version 1.3.1-9346 Update 6.
Details
An authenticated user who opens the web portal front page through a URL containing the from parameter is redirected to the given value. The portal does not sufficiently validate the from parameter, which makes the page vulnerable to open redirection and cross-site scripting.
WithSecure used this behaviour to redirect authenticated users to other domains and to execute JavaScript in the user's browser. The client-side JavaScript code that sets window.location is in the file /usr/syno/synoman/webman/desktop.js on the device; from the perspective of the web portal it is served at /webman/desktop.js.
The vulnerable part of the code is copied below (comments added to mark the relevant lines):
    SYNO.SDS.init = function() {
        // Query string parameters are decoded straight from location.search
        var l = Ext.urlDecode(location.search.substr(1)),
            b = l.launchApp,
            k = l.launchParam,
            i = l.jsDebug,
            e = l.report,
            c = SYNO.SDS.Session.rewriteApp,
            j = Ext.id(),
            h,
            a;
        if (Ext.isDefined(e)) {
            window.location = Ext.urlAppend("/dar/" + e);
            return;
        }
        // Vulnerable: the user-supplied "from" value is assigned to
        // window.location without any validation of scheme or origin
        if (Ext.isDefined(l.from)) {
            window.location = Ext.urlAppend(l.from);
            return;
        }
        ...
    }
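A hardened form of the from handling, as an added example that is neither Synology's code nor the fix shipped in the SRM update: the parameter is resolved against the portal origin with the URL constructor and accepted only when the result is a same-origin http(s) URL, which rejects javascript: values as well as absolute and protocol-relative redirects. The portal origin http://localhost:8000 and the fallback path /webman/index.cgi are assumptions taken from the proof-of-concept URL.

```javascript
// Resolve a user-supplied "from" value against the portal origin and allow it
// only if it stays on the same origin with an http(s) scheme.
// Returns the resolved absolute href, or null when the value must be rejected.
function safeRedirectTarget(from, portalOrigin) {
  if (typeof from !== "string" || from.length === 0) return null;
  let target;
  try {
    // Relative paths resolve against the portal; absolute URLs keep their own origin.
    target = new URL(from, portalOrigin);
  } catch (e) {
    return null; // unparsable value
  }
  // Rejects javascript:, data:, vbscript: and every other non-http(s) scheme.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // Rejects absolute and protocol-relative targets ("//other.example") on other origins.
  if (target.origin !== new URL(portalOrigin).origin) return null;
  return target.href;
}

// Mirrors the init routine above: read "from" out of the query string and
// decide where to navigate, falling back to a fixed portal page on rejection.
function resolveFromParameter(search, portalOrigin, fallback) {
  const params = new URLSearchParams(search);
  const from = params.get("from");
  if (from === null) return fallback;
  const safe = safeRedirectTarget(from, portalOrigin);
  return safe === null ? fallback : safe;
}

// Constructed sample: the proof-of-concept query string from this advisory.
const PORTAL_ORIGIN = "http://localhost:8000"; // assumed from the PoC URL
const FALLBACK = "/webman/index.cgi";           // assumed fallback page
console.log(resolveFromParameter("?from=javascript:alert(document.domain);//",
                                 PORTAL_ORIGIN, FALLBACK)); // prints "/webman/index.cgi"
```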
DOM-based cross-site scripting (DOM XSS) attacks belong to the input validation vulnerability category. The root cause is insufficient browser-side validation of user-supplied input.
For additional information about Input Validation and DOM XSS Attacks, refer to the following:
- CWE-20: Improper Input Validation
- OWASP Input Validation Cheat Sheet
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- DOM based XSS Prevention Cheat Sheet
Proof of Concept
1. Log in to the web portal
2. Open a new tab in the same browser window
3. Open the following link in the new tab:
http://localhost:8000/webman/index.cgi?from=javascript:alert(document.domain);//
4. XSS executes
Remediation
Synology released Synology Router Manager (SRM) 1.3.1-9346 Update 6 on 27th of July 2023. This update mitigates the XSS vulnerability.