nuclei-templates/http/cves/2024/CVE-2024-1709.yaml

id: CVE-2024-1709

info:
  name: ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
  author: johnk3r
  severity: critical
  description: |
    ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
  reference:
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
    - https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1709
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-1709
    cwe-id: CWE-288
  metadata:
    verified: true
    max-request: 1
    vendor: connectwise
    product: screenconnect
    shodan-query: http.favicon.hash:-82958153
    fofa-query: app="ScreenConnect-Remote-Support-Software"
    zoomeye-query: app:"ScreenConnect Remote Management Software"
    hunter-query: app.name="ConnectWise ScreenConnect software"
  tags: cve,cve2024,screenconnect,connectwise,auth-bypass,kev
variables:
  string: "{{rand_text_alpha(10)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/SetupWizard.aspx/{{string}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "SetupWizardPage"
          - "ContentPanel SetupWizard"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: kval
        part: header
        kval:
          - Server
# digest: 4b0a00483046022100df42d248b92130b0997228abe4ff00197ca95319ec494fcb457e36f99947b38b022100f14f62eb21d2dc5ebb6f7d9b2e3df0501572ace6e67a5cad42153418c3fae0b9:922c64590222798bb761d5b6d8e72950
Update and rename http/misconfiguration/screenconnect-authentication-bypass.yaml to http/cves/CVE-2024/CVE-2024-1709.yaml 2024-02-21 19:02:29 +00:00			`id: CVE-2024-1709`
Create screenConnect-authentication-bypass.yaml 2024-02-21 10:41:25 +00:00
			`info:`
Update CVE-2024-1709.yaml 2024-02-22 07:45:54 +00:00			`name: ConnectWise ScreenConnect 23.9.7 - Authentication Bypass`
Create screenConnect-authentication-bypass.yaml 2024-02-21 10:41:25 +00:00			`author: johnk3r`
Update screenConnect-authentication-bypass.yaml 2024-02-21 10:45:42 +00:00			`severity: critical`
Update CVE-2024-1709.yaml 2024-02-22 07:45:54 +00:00			`description: \|`
			`ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.`
Create screenConnect-authentication-bypass.yaml 2024-02-21 10:41:25 +00:00			`reference:`
			`- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass`
			`- https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc`
Update screenConnect-authentication-bypass.yaml 2024-02-21 10:45:42 +00:00			`- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8`
Update CVE-2024-1709.yaml 2024-02-22 07:45:54 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2024-1709`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`cvss-score: 10`
Update CVE-2024-1709.yaml 2024-02-22 07:45:54 +00:00			`cve-id: CVE-2024-1709`
			`cwe-id: CWE-288`
Create screenConnect-authentication-bypass.yaml 2024-02-21 10:41:25 +00:00			`metadata:`
			`verified: true`
			`max-request: 1`
			`vendor: connectwise`
			`product: screenconnect`
			`shodan-query: http.favicon.hash:-82958153`
add zoomeye, fofa, hunter query 2024-02-26 07:52:46 +00:00			`fofa-query: app="ScreenConnect-Remote-Support-Software"`
			`zoomeye-query: app:"ScreenConnect Remote Management Software"`
			`hunter-query: app.name="ConnectWise ScreenConnect software"`
add kev tag 2024-02-24 10:19:04 +00:00			`tags: cve,cve2024,screenconnect,connectwise,auth-bypass,kev`
fix matcher 2024-02-21 10:58:31 +00:00			`variables:`
			`string: "{{rand_text_alpha(10)}}"`

Create screenConnect-authentication-bypass.yaml 2024-02-21 10:41:25 +00:00			`http:`
			`- method: GET`
			`path:`
fix matcher 2024-02-21 10:58:31 +00:00			`- "{{BaseURL}}/SetupWizard.aspx/{{string}}"`
Create screenConnect-authentication-bypass.yaml 2024-02-21 10:41:25 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
fix matcher 2024-02-21 10:58:31 +00:00			`- "SetupWizardPage"`
			`- "ContentPanel SetupWizard"`
Create screenConnect-authentication-bypass.yaml 2024-02-21 10:41:25 +00:00			`condition: and`

			`- type: status`
			`status:`
			`- 200`

			`extractors:`
			`- type: kval`
			`part: header`
			`kval:`
			`- Server`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 4b0a00483046022100df42d248b92130b0997228abe4ff00197ca95319ec494fcb457e36f99947b38b022100f14f62eb21d2dc5ebb6f7d9b2e3df0501572ace6e67a5cad42153418c3fae0b9:922c64590222798bb761d5b6d8e72950`