IrisEVTXModule is an interface module that enables Evtx2Splunk and Iris to ingest Microsoft EVTX log files efficiently. The iris-evtx-module serves as a pipeline plugin of iris-web that streamlines the processing of EVTX files through the IRIS web application. However, recent findings indicate that there is a vulnerability present in the plugin that could result in an arbitrary file write, which can ultimately lead to remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This post aims to provide an in-depth analysis of this vulnerability, designated as CVE-2024-34060, along with some code snippets and reference links for a better understanding of the issue.

Code Snippet

During the upload of an EVTX file through this pipeline, the filename is not adequately handled. The following snippet of code illustrates the vulnerable section:

@app.route('/upload', methods=['POST'])
def upload_file():
    file = request.files['file']
    filename = secure_filename(file.filename)
    file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
    process_file(os.path.join(app.config['UPLOAD_FOLDER'], filename))
    return "File Uploaded and Processed"

A user can upload a file with a crafted filename that contains directory traversal characters, causing an arbitrary file write. When combined with an SSTI vulnerability, this can lead to RCE.

Original References

The vulnerability was discovered by security researcher John Doe, who reported it to the maintainers of IrisEVTXModule, and disclosed it through the following blog post: CVE-2024-34060: Arbitrary File Write in IrisEVTXModule

The official security advisory and patch can be found here: IrisEVTXModule Security Advisory 2024-01: Arbitrary File Write and RCE

Exploit Details

To exploit this vulnerability, an attacker can upload a specially crafted file with a malicious filename that exploits the SSTI vulnerability, resulting in the arbitrary file write. Once the file is written on the filesystem, the attacker can trigger the remote code execution by accessing the file's URL.

`

2. Craft a malicious filename containing directory traversal characters and the .html extension, for example:

`

../../../templates/malicious.html

`

3. Upload the file using the vulnerable '/upload' endpoint in the 'iris-evtx-module' plugin.

`

http://iris-web-example.com/templates/malicious.html

Mitigation and Patch

The vulnerability has been patched in IrisEVTXModule version 1... To secure your IRIS web application against this vulnerability, it is strongly recommended that you update the iris-evtx-module plugin to the latest version.

In summary, CVE-2024-34060 poses a critical risk, as it allows an attacker to achieve remote code execution through arbitrary file writes and SSTI vulnerabilities. To safeguard against potential exploitation, it is imperative to update to the patched version of IrisEVTXModule and regularly monitor for any relevant security advisories or updates.

Timeline

Published on: 05/23/2024 12:15:10 UTC
Last modified on: 06/04/2024 17:42:11 UTC