Synology NAS “Auto Block IP” bypass and hide real IP in Synology logs

fulldisclosure logo
Full Disclosure
mailing list archives

Synology NAS “Auto Block IP” bypass and hide real IP in Synology logs


From: bashis <mcw () noemail eu>

Date: Tue, 21 Feb 2017 21:02:27 +0000


Greetings,

1. Seems to be possible bypass the default enabled "Auto Block of IP address" functionality in Synologic's NAS by using 
only one single space (\x20) to the HTTP header "X-FORWARDED-FOR"
(If already Auto Blocked, this bypass will _not_ work)

Generates in /var/log/messages: 2017-02-21T20:39:13+02:00 VirtualDSM_8451 login.cgi: login.c:1039 login.c (1039)Bad 
parameter :''
Bypassing whole function that will Auto Block IP if to many invalid login tries, opens the possibility to brute force 
without being locked out.

2. (1st Choice) "X-FORWARDED-FOR" and (2nd Choice) "CLIENT-IP" in HTTP header can be used to hide real IP from the 
Synology logs.

Example #1 (rhost): /var/log/auth.log: 2017-02-21T20:42:02+02:00 VirtualDSM_8451 synocgid: pam_unix(webui:auth): 
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=0.0.0.0  user=admin
Example #2 (rhost): /var/log/auth.log: 2017-02-21T20:46:26+02:00 VirtualDSM_8451 synocgid: pam_unix(webui:auth): 
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=Full Disclosure  user=admin

Best, bashis



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


  By Date  
     
  By Thread  

Current thread:

  • Synology NAS “Auto Block IP” bypass and hide real IP in Synology logs bashis (Feb 22)

Source: Full Disclosure @ February 22, 2017 at 09:35AM

0
Share