Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-49368 PoC — Unchecked logrotate settings lead to arbitrary command execution

Source
https://github.com/Aashay221999/CVE-2024-49368
Associated Vulnerability
Title:Unchecked logrotate settings lead to arbitrary command execution (CVE-2024-49368)
Description:Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.
Description
Explorations of CVE-2024-49368 + Exploit Development
Readme
# Nginx UI Exploit Setup

This guide outlines the steps to set up Nginx UI using Docker Compose, create a user, run an exploit, and verify the results within the Docker container.

## Prerequisites
- Ensure you have Docker and Docker Compose installed on your machine.
- Familiarity with basic command-line operations.

## Installing nginx via docker

1. Download the [docker-compose.yml](docker-compose.yml)
2. Verify that your nginx.conf file has these lines. 
   **Note:** in linux (Ubuntu), this file is at /etc/nginx/nginx.conf
   ```nginx
        http {
            # ...
            include /etc/nginx/conf.d/*.conf;
            include /etc/nginx/sites-enabled/*;
        }
    ```
3. Create a local directory www in your working directory. Copy its path and change the first half of line 13 in the docker compose yaml (Just the part before the `:`). 
    ```yml
        Line 13 ~/cve_session1/nginx/www
    ```
3. Create your container by: 
    ```bash
        docker compose up -d
    ```
4. Wait a couple of minutes and check if the docker image is running:
    ```bash
        sudo docker ps
    ```
    You should see the nginx docker running. 
5. Login to the nginx UI at http://127.0.0.1:8080/#/login
6. Create an admin user accounts. Username: admin , Password: admin.
7. Then within the nginx UI create another user: Username: basic , Password: basic.
   **Note:** You can create the users with whatever names and password you want. Just make sure to update the python script
8. Run the exploit. It is fairly self-explanatory. 
9. Login to docker and check that the command injection works. 
   ``` bash
        # Get container id first
        docker ps

        # Access container shell
        docker exec -it <container-id> /bin/sh

        # Check the tmp directory
        ls -l /tmp
   ```
File Snapshot

 [4.0K]  /data/pocs/3d417fa56baa75d50815fbbce664200c7a1b58ff
├── [1.1K]  docker-compose.yml
├── [ 268]  Dockerfile
├── [3.6K]  exploit_bash_patched.py
├── [3.6K]  exploit_bash.py
├── [4.0K]  exploration
│   ├── [  32]  go.mod
│   └── [ 622]  program.go
├── [ 610]  nginx_modified.conf
├── [ 600]  nginx_original.conf
├── [1.8K]  README.md
├── [4.0K]  server
│   ├── [ 190]  package.json
│   └── [ 541]  server.js
└── [4.0K]  ui
    ├── [3.6K]  index.html
    ├── [ 133]  package.json
    └── [ 367]  ui-server.js

3 directories, 14 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →