... Loading ...

SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007
Dark Theme

SSD Advisory – Synology PhotoStation Unauthenticated SQL Injection and Arbitrary File Injection to RCE

Vulnerabilities Summary
The following advisory describes two vulnerabilities found in Synology PhotoStation, an unauthenticated SQL injection combined with an authenticated arbitrary file writing with partially controlled data vulnerabilities which leads to remote code execution.

CVE-2019-11821 and CVE-2019-11822

Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems

Product Severity Fixed Release Availability
Photo Station 6.8 Important Upgrade to 6.8.11-3489 or above.
Photo Station 6.3 Important Upgrade to 6.3-2977 or above.

Vendor Response
“We have updated the acknowledgments page. If you have any questions, please do not hesitate to contact us.”


Vulnerability Details
PhotoStation is a package on Synology’s NAS (Network Attached Storage). PhotoStation creates a website '/photo/' and a database under their default web root.

First Vulnerability – Unauthenticated SQL Injection
PhotoStation’s website is exposed to the internet by default. The parameter type of the functiongetExifList in include/photo/synophoto_csPhotoDB.phpis used to create a SQL query.

$query = 'SELECT DISTINCT '.$type.' FROM photo_image ORDER BY ' .$type;

The query is executed in ListExif function inside webapi/photo.php.

We can exploit this vulnerability in order to to select/insert/delete/edit any data in the database. This will cause a remote code execution if combined with another vulnerability.

Second Vulnerability – Arbitrary File Writing with Partially Controlled Content
In order to exploit this vulnerability, the following requirements are needed:
* Access to PhotoStation website
* Having file upload permission.
* If the guest uploading is enabled, the vulnerability can be triggered without being logged in (Unauthenticated)
* If the personal PhotoStation is enabled, a normal user can trigger the vulnerability.
* If there is a XSS vulnerability, we can attack users with upload permission and trigger an upload
* Any user with file upload permissions that visits a malicious website, can be attacked because PhotoStation does not have a protection from Cross Site Request Forgery.

The SYNOPHOTO_AJAX_HANDLER_DoFaceRecognition of ajax_handler.phpuses "/tmp/synophoto_facerecog.".$_POST['prog_id']; to log the process. However, prog_id is user controlled data, which means that the attacker can control the process log’s path. The log content will contain the image name that we want to process. We can exploit it by uploading the log file under the webroot and control the filename and upload a php script.

Any arbitrary SQL statement can create an admin privileged user, which means that by using the first SQL injection vulnerability, we can always create a user with file uploading permissions, and then trigger the second vulnerability in order to achieve remote code execution.

This exploit trigger the two vulnerabilities and creates a web shell.

Print Friendly, PDF & Email

Leave a Reply