PoC Exploit Released For Critical Flowmon Vulnerability
Progress addressed a notable vulnerability last week, which was related to an unauthenticated command injection in the Progress Flowmon product.
This vulnerability was assigned CVE-2024-2189, and its severity was rated 10.0 (Critical).
Progress Flowmon is a network monitoring and analysis tool that gathers insights about network traffic, performance, and security. Its web application makes use of the Nette PHP framework.
Progress has released a security advisory for patching this vulnerability, urging all users to patch accordingly.
To demonstrate the vulnerability and its exploitation further, a proof-of-concept for this vulnerability has been published.
Critical Flowmon Vulnerability
The researchers enumerated unauthenticated endpoints specified in the “AllowedModulesDecider.php” file, which contained an array named “ALLOWED_TO_UNLOGGED_USERS.”
This array defines the modules of Flowmon that are accessible without authentication.
Further analysis of the code of the allow-listed modules identified specific code for generating PDFs under the name “Service:Pdfs:Confluence.”
The route for this module in the Nette Framework was “/service.pdfs/confluence”.
Functionality Of The PDF Generating Module
On analyzing the “Service:Pdfs:Confluence” module, it was identified that the module was linked to the service’s PDF generation functionality.
This functionality is handled by “ConfluencePresenter.php,” which processes incoming requests and delegates operations to “PdfGenerator.generate().”
In addition, ConfluencePresenter.php takes parameters such as pluginPath, locale, and file directly from the user without any sanitization.
These inputs are then used to build the URL and output file string that is passed to pdfGenerator.generate() as settings.
The Command Injection Flaw
Further analysis revealed that PdfGenerator.php contains a generate() method that calls the getExec().run() method, which has the privilege to execute system commands.
Additionally, the run() method accepts a second argument as an array of arguments.
These arguments are enclosed in quotes using the escapeshellarg() method as a way of preventing command injection.
However, the command is not passed as an array of arguments but instead as a single string directly to exec(), which makes exploitation of the command injection possible.
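The following PHP snippet is an added illustration, not Flowmon's code, of the pattern just described: a wrapper that quotes its argument array with escapeshellarg() cannot protect values that a caller has already interpolated into the command string. The wrapper name buildCommand(), the tool name wkhtmltopdf, the URL prefix and the sample filename are all constructed for the example; the check assumes POSIX-style escapeshellarg() output (single quotes), not the Windows variant.

```php
<?php
// Added example (not Flowmon's code): why escaping a separate argument
// array does not help when user input is already inside the command string.
declare(strict_types=1);

/**
 * Hypothetical wrapper modelled on the pattern the article describes:
 * $args are quoted with escapeshellarg(), but $command is used verbatim.
 */
function buildCommand(string $command, array $args = []): string
{
    $quoted = array_map('escapeshellarg', $args);
    return trim($command . ' ' . implode(' ', $quoted));
}

// Vulnerable pattern: request parameters are concatenated into the command
// string before the wrapper sees them, so escapeshellarg() never runs on them.
function buildPdfCommandVulnerable(string $pluginPath, string $file): string
{
    $url = 'http://localhost/' . $pluginPath;   // constructed URL prefix
    $command = "wkhtmltopdf $url $file";        // hypothetical PDF tool
    return buildCommand($command);
}

// Hardened pattern: the fixed part of the command is a literal and every
// user-influenced value travels through the escaped argument array.
function buildPdfCommandSafe(string $pluginPath, string $file): string
{
    $url = 'http://localhost/' . $pluginPath;
    return buildCommand('wkhtmltopdf', [$url, $file]);
}

// Defensive check for code review or a unit test: does the final command
// string still contain shell metacharacters outside single-quoted segments?
// Assumes POSIX escapeshellarg() output: 'text' with inner quotes as '\''.
function containsUnquotedMetachar(string $cmd): bool
{
    $joined   = str_replace("'\\''", '', $cmd);        // fold the '\'' idiom
    $stripped = preg_replace("/'[^']*'/", '', $joined); // drop quoted spans
    return (bool) preg_match('/[;&|`$()<>]/', $stripped);
}

// Constructed sample input: a filename carrying a command-substitution marker
// of the kind the article mentions (benign here, and never executed).
$file = 'report$(id).pdf';
$vuln = buildPdfCommandVulnerable('plugins/demo', $file);
$safe = buildPdfCommandSafe('plugins/demo', $file);

printf("vulnerable: %s\n  unquoted metacharacters: %s\n",
    $vuln, containsUnquotedMetachar($vuln) ? 'yes' : 'no');
printf("safe:       %s\n  unquoted metacharacters: %s\n",
    $safe, containsUnquotedMetachar($safe) ? 'yes' : 'no');
```

Running it with the PHP CLI shows the vulnerable builder emitting `$(id)` bare in the command line while the hardened builder wraps both the URL and the filename in single quotes. The same containsUnquotedMetachar() check can be dropped into a test suite that asserts it returns false for every command string the application hands to exec().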
Exploitation
In order to exploit this vulnerability, threat actors can manipulate the pluginPath or file parameters to embed malicious commands by substituting $() or backticks (``).
This breaks out of the intended command and executes arbitrary commands blindly, meaning that the output of the command execution is not visible to the attacker.
Furthermore, the command execution on the application is performed as the “flowmon” user, which has elevated privileges that can run several commands with sudo. Many of these commands can also be used to obtain a root shell.
The proof of concept for this vulnerability and its exploitation can also be found in this GitHub repository.
It is recommended that Progress Flowmon users upgrade to the latest version to prevent exploitation of this vulnerability.
Source credit : cybersecuritynews.com