High risk vulnerability (Critical severity) #3

Closed
LeoNeeson opened this issue Jun 8, 2024 · 11 comments

@LeoNeeson

Hi!, this is only a reminder. Since you maintain a fork of HFS, and in case you didn't know, a severe vulnerability (that demands immediate attention) has been recently discovered, known to affect HFS v2.4.0 RC7 and v2.3m. It's CVE-2024-23692, and you will find more information, on the following links:

Even if Rejetto made his versions 2.3.x and 2.4.x as 'obsolete' (or 'no longer supported'), there are too many HFS-based servers still running (including yours), that will never know about this issue, until it's too late (when they've already been hacked). I'm sure Rejetto and his community, will appreciate if you submit a patch for his build too... :)

Cheers,
Leo.-

@rejetto

rejetto commented Jun 12, 2024

in my tests, 2.4rc7 doesn't seem to be affected in its default configuration, that is with default template, as its template doesn't use the "get|url" command.

correction: the POC in the latest link is not affecting rc7, but the one on "attackerkb.com" is

@drapid
Owner

drapid commented Jun 12, 2024

I think the problem is in this line https://github.com/rejetto/hfs2/blob/140528bac87e4ae37d444b218b5ef6ff793edc80/scriptLib.pas#L121
So that not all symbols "%" replaced.
I think change to "ReplaceStr(s, '%','%')" should work better.

drapid added a commit that referenced this issue Jun 12, 2024
Fix for #3
@rejetto

rejetto commented Jun 13, 2024

image

these are the steps that lead to the execution

@LeoNeeson
Author

I'm doing some Public Relations (PR) here, to alert others about this vulnerability (discovered by @mohemiv). Please forgive me if this notice bothers or upsets someone (in this case, remember that “it's better be safe than sorry”). This message is to notify all those who have a copy or fork of HFS2: https://github.com/rejetto/hfs2

(List of users who have a fork of HFS2) [Part 1] @10ae; @1aq; @1INSIDIOUS; @24minFan; @506124204; @674778709; @93Codes; @a1198457636; @aifans; @ajunlonglive; @Alligator-1; @Amoystyle; @arvindown; @atkins126; @AtotallyRandomGuy; @AureliusPatiens; @Azimiao; @barlowhaydnb; @bb33bb; @blkdevcon; @blog2i2j; @Brainhub24; @bryanchance; @cbcs; @ccwy; @cedececa; @ChasingD; @classic130; @CrazyForks; @crazyNing; @cyrex562; @diegoverdan; @divinity76; @do8pgg; @dsvabek; @ducbang; @FallPeanut; @ffrbl; @flyarong; @GaryLao; @GitCnSH-DSLIN; @gmh5225; @goofwear; @h824612113; @ha271923; @hafewa; @harishgavel;

@LeoNeeson
Author

» Regardless development has moved onto HFS3, and even if HFS2 probably won't be updated by @rejetto, any collaboration will be useful to others who also have a fork of HFS2 (and compile the binaries on their own). Those who want to collaborate, can leave a comment on this issue, or even better, send a 'Pull request' on the original project: https://github.com/rejetto/hfs2/pulls

(List of users who have a fork of HFS2) [Part 2] @hi-noikiy; @HowardWhile; @IcyG1045; @icyhoty2k; @iloeng; @iMeta1; @ios1024; @jacelift; @jacobin; @jeethualex; @jn7163; @josedachao; @JosiahMg; @juankprz; @junqinhu; @khongten001; @l-g-t; @lakecenter; @lanxianhui; @laojiajun; @LeChatNoir666; @lianghuiyuan; @lion8418; @lllrrr2; @LordGarfio; @lzxkulou; @mangoriver; @mapoupier; @mcubeta; @minol; @mnplay; @mybbsky2012; @ncnnnnn; @netusb; @neverso; @oabi; @ojbkxc; @Ok-every-day; @oycl; @peaceanddemocracy; @pigbaby6309; @prafulbusa; @PravinShahi0007; @progray; @Loop80; @protonuniverse;

@mybbsky2012

mybbsky2012 commented Jun 14, 2024 via email

@LeoNeeson
Author

Being listed here, doesn't mean you have any commitment or obligation to collaborate with this issue. If you don't want to collaborate, please disregard this notice. This is only an informational message!

(List of users who have a fork of HFS2) [Part 3] @RahimBangla; @redcocoa; @redlinejoes; @redtrillix; @rellai; @rsiralla; @sdlkdsdda; @shayanw; @shead0n; @simhaonline; @simrit1; @siwa2-w; @snakegj; @SWDRam; @swoky; @TengShow; @teze; @VantIer; @venhow; @vivienskm; @waldonhendricks; @wesinator; @weweaaa; @wuenci666; @xGreat; @xiaoshzx; @xsgx; @xxfwajj84; @XZVB12; @yangjinhe; @yogtop; @z-cub; @mr-highball; @Zhengzhouhao; @zmf963; @zxysm; @ZZKK000

» Code submission guidelines (Code contribution suggestions):
Although HFS v2.4.0 RC7 was compiled using modern (Unicode compatible) Delphi versions, since this vulnerability also applies to HFS v2.3m, which was originally compiled using “Turbo Delphi 2006” (similar to ‘Delphi 2007‘), please keep changes compatible with older Delphi versions. Please keep changes small and focused (meaning: no code clean-ups, no new features). This applies to everyone, except for @rejetto (the original developer), and @drapid (the owner of this repository), those who may do whatever they want/wish.


By the way, this vulnerability was published yesterday in the legendary ‘Packet Storm Security’ website: https://packetstormsecurity.com/files/179083/Rejetto-HTTP-File-Server-HFS-Unauthenticated-Remote-Code-Execution.html
 

@rejetto

rejetto commented Jul 6, 2024

> I think change to "ReplaceStr(s, '%','%')" should work better.

won't this change badly affect style attributes using % ?

@mybbsky2012

mybbsky2012 commented Jul 6, 2024 via email

@LeoNeeson
Author

I've thoroughly analyzed the source code, and after doing several tests, I've come up with a simple solution. I'm sure this may not be the most elegant way to do it (and it's far from being perfect), but at the moment is the most direct way to stop this (and probably future macro vulnerabilities).

The following is a portion of 'main.pas' from 'hfs2.3m.src.zip'
Add the second line, after line 5100, always in file 'main.pas'
(After line 5445 in v2.4 RC07, but that hasn't been tested)

  url:=conn.request.url; // The next line is a fix for CVE-2024-23692
  if anyMacroMarkerIn(url) then url:=encodeURL(xtpl(url,['%','#']));
  extractParams();
  url:=decodeURL(url);

I take this opportunity to tell you that "perhaps" (as my spare time permits, at some undetermined time in the future, whether it be in several days/weeks/months/years), my idea is to publish this fix (or a better enhanced fix), in a "Community Edition" of HFS (maintaining it and applying only minimal changes, especially those related to security issues).

Anything I publish will be signed with my ‘PGP Public Key’, and it will probably be available here on GitHub, also on Rejetto's forum, but mainly at the following address (not yet available): http://netizen.zoho.to/

If anyone has any better ideas about this, you can open a new issue here or leave a comment in the forum, or simply submit a pull request. Since there has been no collaboration or activity in this issue for almost 3 months, and since I have just shared, in my opinion, an effective solution (in addition to the one previously published by DRapid), I've decided to close and consider this issue resolved, at least for now.-

» Here is my ‘PGP Public Key’ (Key ID: 07CFD45A104B6793)
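
A log check that an operator of an HFS2-based server could run alongside the fix in the comment above, flagging request URLs that carry macro markers (the condition the fix gates on with `anyMacroMarkerIn(url)`). This is an added example, not part of the original thread or of HFS; the marker set, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: HFS2 macro delimiters ({. .} {: :} and the | separator).
# The thread names only the anyMacroMarkerIn() check, not the marker set.
MACRO_MARKER = re.compile(r"\{[.:]|[.:]\}|\|")

# Request line inside a common-log-style entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(url, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markers are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def has_macro_marker(url):
    """True if the raw or percent-decoded URL contains a macro marker."""
    return bool(MACRO_MARKER.search(url) or MACRO_MARKER.search(fully_decode(url)))

def suspicious_requests(log_lines):
    """Return (line_number, url) for requests whose URL carries macro markers."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if match and has_macro_marker(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2024:10:00:01 +0000] "GET /files/report.pdf HTTP/1.1" 200 5120',
    '192.0.2.10 - - [14/Jun/2024:10:00:05 +0000] "GET /?q=100%25 HTTP/1.1" 200 830',
    '198.51.100.7 - - [14/Jun/2024:10:02:13 +0000] "GET /?q=%7B.demo%7Cvalue.%7D HTTP/1.1" 200 830',
    '198.51.100.7 - - [14/Jun/2024:10:02:14 +0000] "GET /?q=%257B.demo.%257D HTTP/1.1" 200 830',
]

if __name__ == "__main__":
    for number, url in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {url}")
```

A literal `|` in a legitimate URL also matches, so hits are leads to review rather than confirmed attempts.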

@mybbsky2012

mybbsky2012 commented Oct 2, 2024 via email
