If an attacker can inject malicious code into the Job_ExecuteBefore or Job_ExecuteAfter settings, they can execute any code of their choice before or after the targeted backup task. Additionally, the software was found to have multiple other remote code execution vulnerabilities at post_settings.php, post_images.php, post_server_defs.php, post_servers.php, post_tasks.php, and post_tasks_types.php. An attacker only needs to upload a single malicious backup file to cause a serious impact. In the case of Syncovery 9, this could result in complete data theft.

The default installation of Syncovery 9 on Linux creates the following user account: root:x:501:

First, we recommend changing this password to something unique. Second, we recommend changing the “Syncovery” user account to something more specific. Third, we recommend changing the “/app/” directory to something more secure. Fourth, we recommend changing the “/app/storage” directory to something more secure. Finally, we recommend changing the “/app/syncovery” directory to something more secure.

Job_Priority

If the attacker could execute code by modifying Job_Priority, they would be able to change the backup task order. They would also be able to increase the backup speed in the Backup tab of Settings. Additionally, they could disable all backups completely with a simple change to the Job_ExecuteBefore or Job_ExecuteAfter settings.
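A log-review check for the endpoints listed above, added here as an example and not code from Syncovery or from the original advisory. It assumes requests to the web interface are logged in combined log format (for example by a reverse proxy in front of it); the function name, the allow-list parameter and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoints this page lists as affected.
WATCHED = {
    "post_settings.php", "post_images.php", "post_server_defs.php",
    "post_servers.php", "post_tasks.php", "post_tasks_types.php",
}

# Assumption: combined log format, e.g. from a reverse proxy in front of the web GUI.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def watched_posts(lines, allowed_clients=frozenset()):
    """Map client IP -> [(timestamp, endpoint, status)] for POSTs to watched
    endpoints that come from clients outside the allow-list."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare only the last path segment; the query string is dropped.
        endpoint = urlsplit(m["target"]).path.rsplit("/", 1)[-1]
        if endpoint in WATCHED and m["ip"] not in allowed_clients:
            hits[m["ip"]].append((m["ts"], endpoint, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2022:03:20:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Sep/2022:03:21:44 +0000] "POST /post_tasks.php HTTP/1.1" 200 312 "-" "curl/7.85.0"',
    '198.51.100.7 - - [16/Sep/2022:03:21:50 +0000] "POST /post_settings.php?x=1 HTTP/1.1" 200 98 "-" "curl/7.85.0"',
    '192.0.2.10 - - [16/Sep/2022:03:25:12 +0000] "POST /post_servers.php HTTP/1.1" 200 140 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Sep/2022:03:26:30 +0000] "GET /post_images.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Sep/2022:03:26:41 +0000] "POST /index.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # 192.0.2.10 stands in for a known administrator workstation.
    for ip, events in watched_posts(SAMPLE_LOG, allowed_clients={"192.0.2.10"}).items():
        for ts, endpoint, status in events:
            print(f"{ts} {ip} POST {endpoint} -> {status}")
```

Access logs do not record POST bodies, so a hit shows only that a settings or task endpoint was written to; whether Job_ExecuteBefore or Job_ExecuteAfter changed has to be confirmed in the job configuration itself.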

Timeline

Published on: 09/16/2022 03:15:00 UTC
Last modified on: 09/17/2022 02:30:00 UTC

References