
CVE-2024-23334 PoC — aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal

Associated Vulnerability
Title: aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal (CVE-2024-23334)
Description: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Description
Exploit for CVE-2024-23334 (aiohttp >= 1.0.5 && <= 3.9.1)
Readme
# CVE-2024-23334 Exploit and PoC

This repository contains a Proof of Concept (PoC) exploit for CVE-2024-23334, a directory traversal in `aiohttp`'s static file serving when `follow_symlinks=True` is set, which allows unauthorized access to sensitive files on the server. The PoC includes a Dockerized web server and an exploit script to test for the vulnerability.

## Repository Structure

```plaintext
.
├── .gitattributes
├── .git/
├── Dockerfile
├── exploit.py
├── requirements.txt
├── server.py
├── static/
│   └── safe_file.txt
└── test.log
```

## Files and Directories

- **Dockerfile**: Docker configuration file to build and run the vulnerable web server.
- **exploit.py**: The exploit script that demonstrates how the vulnerability can be exploited to access sensitive files on the server.
- **server.py**: The vulnerable web server implemented using `aiohttp`.
- **requirements.txt**: List of Python dependencies required to run the server and exploit script.
- **static/**: Directory containing a safe file to serve as a placeholder for legitimate static content.
- **test.log**: Log file generated during testing (example content, not crucial for the exploit).

## Getting Started

### Prerequisites

- Docker
- Python 3.10+
- `pip` (Python package installer)

### Setup

1. **Clone the repository**

   ```bash
   git clone https://github.com/binaryninja/CVE-2024-23334.git
   cd CVE-2024-23334
   ```

2. **Build and Run the Docker Container**

   ```bash
   docker build -t cve-2024-23334 .
   docker run -p 8081:8081 cve-2024-23334
   ```

   The server will start and be accessible at `http://localhost:8081`.

3. **Run the Exploit Script**

   ```bash
   python exploit.py -s http://localhost:8081 -v -o results.json
   ```

   This command runs the exploit script against the running server, with verbose output and results saved to `results.json`.

### Server.py

The `server.py` file sets up a vulnerable web server using `aiohttp`. The server exposes a static file directory through `aiohttp`'s static route with the vulnerable `follow_symlinks=True` setting, and includes an endpoint `/` that returns a simple text response.
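The containment check that separates the vulnerable from the fixed behaviour, as an added example (not code from this repository or from `aiohttp` itself): it models the lexical-before-resolve check the advisory's fix describes, showing that a `../` traversal is rejected under both settings while `follow_symlinks` only governs links that already sit inside the root. The function name, the temporary directory layout and the file names are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_static_path(root: Path, request_path: str, follow_symlinks: bool) -> Optional[Path]:
    """Return the file to serve for request_path, or None if it escapes root.
    Normalisation is lexical and precedes symlink resolution, so '..' can never
    climb above root; existence is not checked (a real handler 404s later)."""
    root = root.resolve()
    # Treat the URL path as relative to the static root, whatever it starts with.
    candidate = root.joinpath(request_path.lstrip("/"))
    # normpath collapses "a/../b" without touching the filesystem.
    normalized = Path(os.path.normpath(candidate))
    try:
        normalized.relative_to(root)  # ValueError if the literal path escapes root
    except ValueError:
        return None
    resolved = normalized.resolve()
    if follow_symlinks:
        # A link placed under root may point anywhere; only the literal path was checked.
        return resolved
    try:
        resolved.relative_to(root)  # strict mode: the final target must be inside root too
    except ValueError:
        return None
    return resolved


def demo() -> Dict[bool, Dict[str, bool]]:
    # Constructed layout: static/safe_file.txt, a secret beside the root, and a
    # symlink inside the root pointing at that secret.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        (root / "safe_file.txt").write_text("public\n")
        (base / "secret.txt").write_text("private\n")  # outside the static root
        (root / "link").symlink_to(base / "secret.txt")
        outcome = {}
        for flag in (True, False):
            outcome[flag] = {  # True means the request would be served
                "safe": resolve_static_path(root, "safe_file.txt", flag) is not None,
                "traversal": resolve_static_path(root, "../secret.txt", flag) is not None,
                "symlink": resolve_static_path(root, "link", flag) is not None,
            }
        return outcome
```

Only the `symlink` case changes with the flag; the traversal case is refused either way, which is the property the unpatched `follow_symlinks=True` path lacked.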

### Exploit.py

The `exploit.py` script sends requests to the server to test for the vulnerability. It attempts to access various sensitive files by traversing the directory structure using path manipulation techniques. The results, including any successfully accessed files and their contents, are logged and optionally saved to a JSON file.

### Example Usage

#### Build and Run the Docker Container

```bash
docker build -t cve-2024-23334 .
docker run -p 8081:8081 cve-2024-23334
```

#### Execute the Exploit Script

```bash
python exploit.py -s http://localhost:8081 -v -o results.json
```

#### Output

The script will output the results of the exploit attempts to the console and save detailed results in `results.json`.

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## Disclaimer

This repository is for educational purposes only. Use it at your own risk. The author is not responsible for any damage caused by the use or misuse of this software.

## Contributions

Contributions are welcome! Please submit a pull request or open an issue to discuss any changes.