My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Let's Finally "Nail" This Port 5000 Traffic - Synology owners needed.

Published: 2014-03-26. Last Updated: 2014-03-26 15:20:18 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

We have written a couple diaries about port 5000 traffic, and received plenty of packet captures. But we still need to get all the pieces together to see what the "end game" is with these attacks. Here is what I found so far from our honeypot:

- a lot of the port 5000 traffic is spoofed.

I do receive "SYNs" from an IP, and my honeypot responds with a SYN-ACK, but then I get a reset back with a very different TTL.

- the once that connect, send a couple different requests (a.b.c.d is the address of the honey pot)

GET / HTTP/1.1
Accept-Encoding: identity
Host: a.b.c.d:5000
 
GET /robots.txt HTTP/1.1
Accept-Encoding: identity
Host: a.b.c.d:5000
 
GET / HTTP/1.1
Accept-Encoding: identity
Host: a.b.c.d:5000
 
GET /webman/info.cgi?host= HTTP/1.0
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
 
GET /webman/info.cgi?host= HTTP/1.0
Host: a.b.c.d:5000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
The last two requests point to a Synology vulnerability. But, just like the others, it appears to be more a "Fingerprinting" request trying to figure out if the system is vulnerable.
 
If you have a Synology Diskstation, I would very much appreciate if you could send these requests to the disk station, and send me a packet capture of the response. This way, I can improve my honeypot to respond "correctly". Please let me know what software version you are running.
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: port 5000 synology
6 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Don't have access to my synology unit at the moment, but if I had to guess it has to do with:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6955
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6987

http://www.synology.com/en-global/company/news/article/437
Im going to try to get to this today, but Im quickly running out of time.

I can say that there's a new sinology update available this week (version 5).
Do you want the PCAP files or a plain text dump and how do you want it sent?
These captures are taken from a RS2212+ running DSM 4.2-3211. I'd be more than pleased to provide other samples as needed.

johnf@johnf-T420s:~$ nc -v 1.1.1.1 5000
Connection to 1.1.1.1 5000 port [tcp/*] succeeded!
GET /webman/info.cgi?host= HTTP/1.0
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36

HTTP/1.1 200 OK
Date: Wed, 26 Mar 2014 21:57:43 GMT
Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.1e-fips
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset="UTF-8"

<html> <script type='text/javascript'>parent.location = '#major=4&minor=2&build=3211&junior=0&unique=synology_cedarview_rs2212+&sn=D4LFN00210'</script> </html>johnf@johnf-T420s:~$ nc -v 1.1.1.1 5000
Connection to 1.1.1.1 5000 port [tcp/*] succeeded!
GET /webman/info.cgi?host= HTTP/1.0
Host: 1.1.1.1
bUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

HTTP/1.1 200 OK
Date: Wed, 26 Mar 2014 21:58:09 GMT
Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.1e-fips
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset="UTF-8"

<html> <script type='text/javascript'>parent.location = '#major=4&minor=2&build=3211&junior=0&unique=synology_cedarview_rs2212+&sn=D4LFN00210'</script> </html>johnf@johnf-T420s:~$
I was just playing with this a bit from a browser using Tamper Data (on a DS212j with DSM v4) and discovered that if you specify a valid URL in the "host=" parameter (I used //google.com) the Synology does a re-direct to that address.

I guess you could use it (maliciously) to spoof the origin address for attacks? It might be able to bypass IP-based security rules on the LAN or just provide a way to hide if you were after an internet address (and the Synology has access).

I didn't do any packet captures yet (I was just "noodling about") let me know if you want one and I'll try and pull it together.

P.S. On a DS211j with DSM v3 I just get a Synology "page not found" when I specify the host.

Edit:
Just realized that the re-direct is a browser thing so the origin IP shoudl not change ... it's still something strange though ...
It's worth reading Symantec link

http://www.symantec.com/connect/blogs/rise-5000tcp-scanning-highlights-synology-appliance-vulnerabilities

Diary Archives