CVE-2024-36079 PoC — Vaultize Security Vulnerability

Associated Vulnerability
Title: Vaultize Security Vulnerability (CVE-2024-36079)
Description: An issue was discovered in Vaultize 21.07.27. When uploading files, there is no check that the filename parameter is correct. As a result, a temporary file will be created outside the specified directory when the file is downloaded. To exploit this, an authenticated user would upload a file with an incorrect file name, and then download it.
Readme
# About Vulnerability

The on-premise Vaultize DRM v.21.07.27 is vulnerable to the upload of arbitrary files.

Because uploaded filenames are not filtered, a file whose name contains part of an absolute file-system path can be uploaded.

![](./media/ptrav.png)

When such a file is downloaded,

![](./media/download.png)

the application creates a temporary file at the resulting path in the file system.

![](./media/dump.png)

The temporary file exists until the download completes and is then deleted. This makes it possible for an attacker to write an arbitrary file to any directory the application has the rights to write to.
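The missing check described above, sketched as an added defensive example (this is not Vaultize code and not part of the original README; the function names and the temp-directory layout are assumptions). It rejects any uploaded name that is not a bare file name, confirms that a download's temporary path stays inside its temp directory, and shows the preferred alternative of a server-generated temp name:

```python
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename is not a bare file name."""


def validate_upload_name(name: str) -> str:
    """Upload-time check: no directories, drives, roots or control characters."""
    if not name or len(name) > 255 or name in (".", ".."):
        raise UnsafeFilename(name)
    if any(ord(c) < 32 for c in name):
        raise UnsafeFilename(name)
    # Parse under both POSIX and Windows rules so "/" and "\" are both caught.
    for flavour in (PurePosixPath, PureWindowsPath):
        p = flavour(name)
        if p.is_absolute() or p.anchor or p.name != name:
            raise UnsafeFilename(name)
    return name


def download_temp_path(temp_root: str, stored_name: str) -> Path:
    """Download-time check: the temp path must resolve directly under temp_root.

    Re-validating here protects records stored before the upload check existed;
    resolve() also catches a symlink in temp_root that points elsewhere.
    """
    root = Path(temp_root).resolve()
    candidate = (root / validate_upload_name(stored_name)).resolve()
    if candidate.parent != root:
        raise UnsafeFilename(stored_name)
    return candidate


def create_download_temp(temp_root: str) -> str:
    """Preferred design: the temp file name is server-generated, never client-derived."""
    fd, path = tempfile.mkstemp(prefix="dl-", dir=temp_root)
    os.close(fd)
    return path
```
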

# Demo

One form of product distribution is to deliver a pre-built VMware virtual machine image with the on-premise version of the application installed. In this case, it is possible to gain access to the system by uploading an SSH public key.

![](./media/demo.gif)

# Disclosure timeline

* vulnerability discovered - 05/05/22
* software distributor notified - 05/13/22
* first letter to vendor (no response) - 07/04/22
* second letter to vendor (no response) - 08/31/22
* created ticket on https://support.vaultize.com with id #34833 - 10/19/22
* patch partially fixing the vulnerability - 12/27/23
* patch fixing the vulnerability - 05/15/23
* CVE-2024-36079 registered - 05/19/24
File Snapshot

[4.0K] /data/pocs/92c5e74911912ff9a9c88ac9c061819ec53786f8
├── [4.0K] media
│   ├── [ 10M] demo.gif
│   ├── [103K] download.png
│   ├── [ 84K] dump.png
│   └── [450K] ptrav.png
└── [1.3K] README.md

1 directory, 5 files