projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

CVE-2024-1709 #9185

Closed hhhharshil closed 9 months ago

hhhharshil commented 9 months ago

Template Information:

This is a template to detect vulnerable instances of ScreenConnect, per https://www.cvedetails.com/cve/CVE-2024-1709/

Nuclei Template:

id: CVE-2024-1709
info:
  name: ConnectWise ScreenConnect Auth Bypass via Alternate Path or Channel
  author: hhhharshil
  severity: high
  reference:
    - https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
    - https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 10
    cve-id: CVE-2024-1709
    cwe-id: CWE-288
    cpe: cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*
  metadata:
    vendor: connectwise
    product: screenconnect
    max-request: 1
  tags: screenconnect,connectwise

http:
  - method: GET
    path:
      # Any suffix after SetupWizard.aspx/ exercises the affected path handling
      - "{{BaseURL}}/SetupWizard.aspx/zzzzzz"
    # Both matchers must hit; nuclei's default matchers-condition is "or",
    # which would flag any response that merely mentions ScreenConnect
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: regex
        regex:
          - "ScreenConnect"
    extractors:
      # Report the Server header so the version can be compared with the patched release
      # (nuclei exposes header names to kval in lowercase)
      - type: kval
        part: header
        kval:
          - server

This template is a bit more accurate, as vulnerable instances return a 500 if SetupWizard.aspx is requested. I tested this against both patched and unpatched instances using results from the Shodan queries.

Patched instances: https://www.shodan.io/search?query=Server%3A+ScreenConnect%2F23.9.8.8811

Unpatched: https://www.shodan.io/search?query=Server%3A+ScreenConnect+-%22ScreenConnect%2F23.9.8.8811%22

DhiyaneshGeek commented 9 months ago

Hi @hhhharshil we already have a template for this http/misconfiguration/screenconnect-authentication-bypass.yaml

so we are closing this issue

Thanks

hhhharshil commented 9 months ago

@DhiyaneshGeek hi, I understand that; however, there might be some issues with that template. It is looking for a 200 response code to be returned when the path /SetupWizard.aspx/{whatever-you-want} is hit, and this wouldn't accurately detect the vulnerability. Vulnerable instances actually respond with a 500, from some testing that I have done. This route actually doesn't even exist on patched versions either.
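The disagreement above is about matcher semantics: which status code signals an unpatched instance, and how multiple matchers are combined. The following Python is an added example written for this page (it is not nuclei's code and not part of the thread); it re-implements a minimal status/regex matcher evaluator with a `matchers-condition` switch and runs it over two constructed responses that follow the issue's description (500 on the unpatched route, no such route on a patched host). The Server header on the constructed unpatched response is a placeholder; the patched version string is the one the issue names. Note that nuclei's default `matchers-condition` is `or`, so a template that lists a status matcher and a `ScreenConnect` regex without setting `and` matches any page that mentions the product.

```python
import re

# Constructed sample responses (not captured from real hosts). Status codes
# follow the issue's observations; the unpatched Server value is a placeholder.
UNPATCHED = {
    "status": 500,
    "headers": {"Server": "ScreenConnect/0.0.0.0"},  # placeholder version
    "body": "<html><title>ScreenConnect Server Error</title></html>",
}
PATCHED = {
    "status": 404,
    "headers": {"Server": "ScreenConnect/23.9.8.8811"},  # patched release named in the issue
    "body": "<html><title>ScreenConnect - 404 Not Found</title></html>",
}


def eval_matcher(matcher, resp):
    """Evaluate one nuclei-style matcher (status or regex) against a response dict."""
    if matcher["type"] == "status":
        return resp["status"] in matcher["status"]
    if matcher["type"] == "regex":
        # Default part is the body; "header" switches to the raw header lines.
        if matcher.get("part") == "header":
            text = "\n".join(f"{k}: {v}" for k, v in resp["headers"].items())
        else:
            text = resp["body"]
        return any(re.search(pattern, text) for pattern in matcher["regex"])
    raise ValueError(f"unsupported matcher type {matcher['type']!r}")


def template_matches(matchers, resp, condition="or"):
    """Combine matcher results with matchers-condition; nuclei defaults to "or"."""
    results = [eval_matcher(m, resp) for m in matchers]
    return all(results) if condition == "and" else any(results)


def extract_server(resp):
    """Mirror the kval extractor: return the Server header for version review."""
    return resp["headers"].get("Server")


# Matchers from the template proposed in this issue
PROPOSED = [
    {"type": "status", "status": [500]},
    {"type": "regex", "regex": ["ScreenConnect"]},
]
# A 200-based variant, as the issue describes the existing template
STATUS_200_VARIANT = [
    {"type": "status", "status": [200]},
    {"type": "regex", "regex": ["ScreenConnect"]},
]


def classify(resp):
    """Run each matcher set under both conditions and extract the Server header."""
    return {
        "proposed_and": template_matches(PROPOSED, resp, "and"),
        "proposed_default_or": template_matches(PROPOSED, resp),
        "status_200_and": template_matches(STATUS_200_VARIANT, resp, "and"),
        "server": extract_server(resp),
    }


if __name__ == "__main__":
    for label, resp in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, classify(resp))
```

Running it shows the two failure modes the thread is about: with the default `or`, the patched host is reported because its 404 page still mentions ScreenConnect, and a 200-based status matcher never fires on the unpatched host that answers with 500. Only the 500 matcher combined with `matchers-condition: and` separates the two constructed responses.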

DhiyaneshGeek commented 9 months ago

@hhhharshil feel free to update the existing template and raise a PR.

You can also join our discord server and DM me with more details about this

Thanks

sec13b commented 9 months ago

404 - page not found

DhiyaneshGeek commented 9 months ago

Hi @sec13b The vulnerability has been assigned a CVE, so we have moved here http/cves/2024/CVE-2024-1709.yaml

sec13b commented 9 months ago

thank you.