CVE-2024-24919 PoC — Information disclosure

Source

Associated Vulnerability

Readme

# Arbitrary File Read CVE-2024-24919
Here is the alert received on the SIEM
![image](https://github.com/user-attachments/assets/7a17c7b6-204f-46f0-bb4e-1f4f4da15464)

Firstly what is CVE-2024-24919? Here is the description on the NIST website.
![image](https://github.com/user-attachments/assets/7a0df2d2-e600-4d7d-b247-89cb41ba4274)

After some more research, CVE-2024-24919 is a path traversal attack, which explains the request being made to the '/etc/passwd' directory.
![image](https://github.com/user-attachments/assets/f7483e00-b0c3-4223-845f-17cc936c537f)

The /etc/passwd directory stores user account information, including the user's username, user ID (UID), group ID (GID), home directory, and login shell 

This is enough for me to contain the server, and I'll investigate further for any more signs of compromise.
![image](https://github.com/user-attachments/assets/163f12b3-bd38-44cd-9f38-35a3b0691704)

#
<h3>Investigating the suspisous IP</h3>

First I'll start by checking the source IP on the threat intelligence feed. And it has been flagged as malicious, specifically because of CVE-2024-24919
![image](https://github.com/user-attachments/assets/561dbe13-b30b-4c6d-9e2e-7e9177f2b0b8)

It has also been reported on AbuseIPDB and VirusTotal
![image](https://github.com/user-attachments/assets/652a90f7-2111-46f7-8d41-356669c4f745)
![image](https://github.com/user-attachments/assets/7236d360-fb62-4479-8c51-6c35524f9440)

Searching the logs for the source IP shows three events.
![image](https://github.com/user-attachments/assets/94a1b20c-65d7-4c8e-941f-c3cb3e516790)
Two of the events correlate with what seen was on the SIEM alert.

Investigating the first log (No Event Time) it says the source address is 203.160.68.12 (the suspicious IP).
![image](https://github.com/user-attachments/assets/8fcd069c-f45c-4ed7-bdc1-e8f4ce1215d2)

However, the raw log says that the IP is 203.160.68.13, and this time it's requesting the '/etc/shadow' directory. This directory stores the encrypted password hashes for user accounts on the system. Also searching the logs for 203.160.68.13 shows no results, and it's not flagged in the threat intel feed or on AbuseIPDB/Talos/VirusTotal.

![image](https://github.com/user-attachments/assets/b0a08839-093a-43a0-90fe-704c7c152656)

#
<h3>Investigating 203.160.68.13 further</h3>

Checking the logs for the destination IP (172.16.20.146) shows the same logs seen above, and another containing a list of IPs that accessed the server. Here we see 203.160.68.12 did make three separate connections and 203.160.68.13 made only one.
![image](https://github.com/user-attachments/assets/0f6606b4-d151-43ea-ba7d-ce8f98bb3b3a)


The destination address (172.16.20.146) is a server and it made three connections with 203.160.68.12 and two with 203.160.68.13
![image](https://github.com/user-attachments/assets/2952847b-f3d8-4b45-a02b-5f0f19841f6e)
![image](https://github.com/user-attachments/assets/c523105f-7988-49b8-a541-06fc3492cc27)


#
<h3>Response</h3>
The server (172.16.20.146) has been quarantined and I've blacklisted the two suspicious IPs: 203.160.68.12 and 203.160.68.13. All the impacted users should change their passwords as a precaution.

#

<h3>Summary</h3>
The attackers conducted a path traversal attack, accessing the data within the /etc/passwd and /etc/shadow directories. These files hold user information, including usernames, user IDs, and hashed passwords. If the attackers figure out the hash algorithm used they could figure out the passwords. The server was contained and the suspicious IPs were blacklisted, and all the impacted users should change their passwords as a precaution.

#

File Snapshot

 [4.0K]  /data/pocs/295c4a299384b1776cbca5aba9df6bdf3cb8d637
└── [3.6K]  README.md

0 directories, 1 file

Remarks