Synology SA-17:17 : Surveillance Station - Path Traversal
%22%20fill=%22%23fff%22%20textLength=%22230%22%3ECVE%3C/text%3E%3Ctext%20x=%221015%22%20y=%22140%22%20transform=%22scale(.1)%22%20fill=%22%23fff%22%20textLength=%22950%22%3ECVE-2017-16770%3C/text%3E%3C/g%3E%3C/svg%3E){kind=small}
%22%20fill=%22%23fff%22%20textLength=%22510%22%3ESynology%3C/text%3E%3Ctext%20x=%221085%22%20y=%22140%22%20transform=%22scale(.1)%22%20fill=%22%23fff%22%20textLength=%22530%22%3ESA-17:77%3C/text%3E%3C/g%3E%3C/svg%3E){kind=small}
%22%20fill=%22%23fff%22%20textLength=%22250%22%3EDSM%3C/text%3E%3Ctext%20x=%22905%22%20y=%22140%22%20transform=%22scale(.1)%22%20fill=%22%23fff%22%20textLength=%22690%22%3E6.1-6.2%20beta%3C/text%3E%3C/g%3E%3C/svg%3E){kind=small}
Impact
An authenticated user with access to Surveillance Station service can access pictures on the whole system.
The impact is limited to picture files.
Proof of Concept
You can easily reproduce this bug by following these steps.
First, we need an account with no permissions to folders and access to the Surveillance Station application.
On another account (I use the “synology” account on the demo server) we need to put a picture with default rights.
The vulnerability is present in the user’s profile picture for the Surveillance Station app.
The “filename” parameter allows the attacker to read the pictures in the parent directory.
For example, the following link allows getting the “test.jpg” picture in Synology’s private folder.
We can also see a full path disclosure on this picture.
Remediation
To fix the vulnerability, you have to verify the file access right before serving it.
You can also limit the Surveillance Station profile picture to the good folder.