Greetings, 1. Seems to be possible bypass the default enabled "Auto Block of IP address" functionality in Synologic's NAS by using only one single space (\x20) to the HTTP header "X-FORWARDED-FOR" (If already Auto Blocked, this bypass will _not_ work)
Generates in /var/log/messages: 2017-02-21T20:39:13+02:00 VirtualDSM_8451 login.cgi: login.c:1039 login.c (1039)Bad parameter :'' Bypassing whole function that will Auto Block IP if to many invalid login tries, opens the possibility to brute force without being locked out. 2. (1st Choice) "X-FORWARDED-FOR" and (2nd Choice) "CLIENT-IP" in HTTP header can be used to hide real IP from the Synology logs. Example #1 (rhost): /var/log/auth.log: 2017-02-21T20:42:02+02:00 VirtualDSM_8451 synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=0.0.0.0 user=admin Example #2 (rhost): /var/log/auth.log: 2017-02-21T20:46:26+02:00 VirtualDSM_8451 synocgid: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=Full Disclosure user=admin Best, bashis _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
