
CVE-2024-23334 PoC — aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal

Associated Vulnerability
Title: aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal (CVE-2024-23334)
Description: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Description
Bash script to automate Local File Inclusion (LFI) attacks on aiohttp server version 3.9.1.
Readme
# LFI-aiohttp-CVE-2024-23334-PoC

A Bash script to automate Local File Inclusion (LFI) attacks on vulnerable aiohttp servers, specifically targeting CVE-2024-23334. This exploit allows for unauthorized access to arbitrary files on systems running affected versions of aiohttp with improperly configured static routes.

## CVE-2024-23334 Vulnerability

CVE-2024-23334 affects the aiohttp asynchronous HTTP client/server framework for Python and asyncio. It arises when aiohttp is used as a web server with a static route configured with `follow_symlinks=True`: in versions before 3.9.2 the server does not validate that the requested file resolves inside the static root, so directory traversal is possible even when no symlinks are present. This allows an attacker to access arbitrary files on the system without authorization.

**Mitigations** for this vulnerability include:
- Upgrading to aiohttp version **3.9.2** or later, where the issue is resolved.
- Disabling the `follow_symlinks` option in the server configuration.
- Using a reverse proxy to prevent direct access to sensitive files.
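The missing check described above, modelled in plain Python as an added example (not code from the PoC repository or from aiohttp): the weak join-without-containment behaviour beside the confined variant a fixed server, or a reverse proxy in front of it, should apply. `STATIC_ROOT` and the request paths are constructed values.

```python
"""Model of the static-route path check behind CVE-2024-23334 (added example;
not code from the PoC repository or from aiohttp). STATIC_ROOT is a constructed
path standing in for the directory passed to web.static("/assets/", ...)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

STATIC_ROOT = "/srv/app/assets"  # constructed; static root of the /assets/ route


def resolve_unchecked(root: str, url_path: str) -> str:
    """Weak behaviour described for follow_symlinks=True in aiohttp < 3.9.2:
    the percent-decoded request path is joined onto the root and normalised,
    but nothing verifies that the result is still inside the root."""
    decoded = unquote(url_path).lstrip("/")
    return posixpath.normpath(posixpath.join(root, decoded))


def resolve_confined(root: str, url_path: str) -> Optional[str]:
    """Hardened variant: same join, then refuse any result that escapes the
    root. Returns the confined path, or None when the request must be
    rejected (HTTP 403/404)."""
    root = posixpath.normpath(root)
    candidate = resolve_unchecked(root, url_path)
    # Compare against root + "/" so a sibling such as /srv/app/assets-old
    # is not mistaken for a child of /srv/app/assets.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def looks_like_traversal(request_path: str) -> bool:
    """Detection helper for access logs: flag a request whose percent-decoded
    path contains a '..' segment, the pattern a traversal probe against the
    static route leaves behind."""
    return ".." in unquote(request_path).split("/")


if __name__ == "__main__":
    probe = "../../../etc/passwd"  # constructed probe path
    print("unchecked:", resolve_unchecked(STATIC_ROOT, probe))  # escapes the root
    print("confined: ", resolve_confined(STATIC_ROOT, probe))   # None
    print("confined: ", resolve_confined(STATIC_ROOT, "css/site.css"))
```

Percent-decoding happens before the check because the server routes on the decoded path; a check run on the raw URL would miss `%2e%2e`.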

## Features

- Automates directory traversal attacks up to 15 levels to reach targeted files.
- Provides feedback on server availability and verifies successful file access.
- Configurable payload paths for adapting the script to specific testing environments.

## Requirements

- `curl`: Ensure `curl` is installed on your system, as it is used for making HTTP requests.

## Usage

To execute the script, run the following command:

`./lfi_aiohttp.sh -f /path/to/file/to/dump`

![Screenshot 2024-11-14 215430](https://github.com/user-attachments/assets/3a1bc8af-b355-4db1-a502-c453991baa57)

### Configuration Note

> **Important**: The `main_url` and `payload` variables in the script may need to be adjusted depending on the target environment.

- **`main_url`**: This variable should be set to the URL of the target aiohttp server (e.g., `http://localhost:8083`). Modify it according to the actual server address you're testing against.
- **`payload`**: This variable represents the static file route on the server (e.g., `/assets/`). Ensure this path matches the configuration of the target server's static file directory.

Before running the script, review these variables to ensure they are correctly configured for your testing scenario. Incorrect settings may result in failed attempts to access files or unintended behavior.

### Arguments

- **-f**: Specifies the file to dump from the server.
- **-h**: Displays the help panel with usage instructions.

## Disclaimer

This script is intended for educational purposes and authorized penetration testing only. Unauthorized use of this script is prohibited and may be illegal.