CVE-2017-9552 - Improper Authentication

Severity

21%

Complexity

39%

Confidentiality

48%

A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".

A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".

CVSS 3.0 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 2.1. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N).

Demo Examples

Improper Authentication

CWE-287

The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.


               
}

                     
}
ExitError("Error: you need to log in first");

                           

                              
);
);
DoAdministratorTasks();

Unfortunately, this code can be bypassed. The attacker can set the cookies independently so that the code does not check the username and password. The attacker could do this with an HTTP request containing headers such as:


               
[body of request]

By setting the loggedin cookie to "true", the attacker bypasses the entire authentication check. By using the "Administrator" value in the user cookie, the attacker also gains privileges to administer the software.

Improper Authentication

CWE-287

Overview

Type

Synology Photo Station

First reported 7 years ago

2017-06-13 13:29:00

Last updated 5 years ago

2019-10-09 23:30:00

Affected Software

Synology Photo Station 6.0-2636

6.0-2636

Synology Photo Station 6.0-2638

6.0-2638

Synology Photo Station 6.0-2639

6.0-2639

Synology Photo Station 6.0-2640

6.0-2640

Synology Photo Station 6.3-2944

6.3-2944

Synology Photo Station 6.3-2958

6.3-2958

Synology Photo Station 6.3-2960

6.3-2960

Synology Photo Station 6.3-2962

6.3-2962

Synology Photo Station 6.3-2963

6.3-2963

Synology Photo Station 6.3-2964

6.3-2964

Synology Photo Station 6.3-2965

6.3-2965

Synology Photo Station 6.4-3166

6.4-3166

Synology Photo Station 6.5.0-3218

6.5.0-3218

Synology Photo Station 6.5.1-3223

6.5.1-3223

Synology Photo Station 6.5.2-3225

6.5.2-3225

Synology Photo Station 6.5.3-3226

6.5.3-3226

Synology Photo Station 6.6.0-3339

6.6.0-3339

Synology Photo Station 6.6.1-3345

6.6.1-3345

Synology Photo Station 6.6.2-3346

6.6.2-3346

Synology Photo Station 6.6.3-3347

6.6.3-3347

Synology Photo Station 6.7.0-3414

6.7.0-3414

Synology Photo Station 6.7.1-3419

6.7.1-3419

References

http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html

Issue Tracking, Third Party Advisory

https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.