
Directory Traversal Vulnerability #254

Closed
d0td0tslash opened this issue Jun 13, 2024 · 4 comments
bug Something isn't working

Comments


d0td0tslash commented Jun 13, 2024

SUMMARY

Kasma Technologies Inc’s KasmaVNC component is affected by a vulnerability that may allow an attacker to browse the underlying filesystem files (more commonly known as Directory Traversal).

AFFECTED PRODUCTS

KasmaVNC. Confirmed in version 1.3.1.230e50f7b89663316c70de7b0e3db6f6b9340489. Other previous versions might also be affected.


TECHNICAL DETAILS

The attack involves manipulating variables / paths that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths. This could potentially allow an attacker to access arbitrary files and directories stored on the file system, including application source code, configuration, and critical system files. Follow these guided steps to replicate the vulnerability:

  1. Start ‘kasmvncserver’:

  2. Submit the following GET request to access the /etc/passwd of the filesystem:

```
GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 192.168.153.131:8444
Authorization: Basic Y3JlZHM6cmVxdWlyZWQ=
Connection: keep-alive
```


The problem seems to be in common/network/websocket.c:

```c
if (len < 1 || len > 1024 || strstr(in, "../")) {
```

in which the if statement doesn’t take into consideration URL encoding (%2e%2e is equal to ..), making it possible to browse parent directories and read local files.

A CVE ID has been requested from MITRE, and I will update this thread once it has been assigned.

IMPACT

This behavior allows remote authenticated attackers able to reach the KasmaVNC server to browse and read files on the remote filesystem. This also includes the kasmpasswd file, which includes all other users’ hashed passwords.
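The report above pins the defect on a substring check (`strstr(in, "../")`) that runs on the raw, still-encoded request path, so `%2e%2e/` slips past it. The following is an added example of the defensive pattern a reviewer would ask for instead: percent-decode first, then validate the decoded path segment by segment and hand the caller only the canonical result. It is not KasmVNC's code or its fix; `url_decode`, `safe_request_path` and the 1024-byte buffer are assumptions for this illustration.

```c
/* Added example, not KasmVNC's code: decode the request path before
 * checking it for traversal, then validate per path segment rather than
 * by substring. Function names and buffer sizes are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode `in` into `out`. Returns 0 on a truncated or non-hex
 * escape, on an encoded NUL (which would silently cut the path short),
 * or if the result does not fit; 1 on success. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            if (hi < 0) return 0;            /* also catches '%' at end of string */
            int lo = hexval((unsigned char)in[i + 2]);
            if (lo < 0) return 0;
            c = hi * 16 + lo;
            if (c == 0) return 0;            /* reject %00 */
            i += 2;
        }
        if (o + 1 >= outlen) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Decode a request path and reduce it to a canonical relative form under
 * the web root: the leading '/' is dropped, "." and empty segments are
 * skipped, and any ".." segment rejects the whole path. Returns 1 and
 * fills `out` when the path is acceptable, 0 otherwise. */
int safe_request_path(const char *raw, char *out, size_t outlen)
{
    char decoded[1024];                  /* same 1024 limit the report quotes */
    if (!url_decode(raw, decoded, sizeof decoded)) return 0;

    const char *p = decoded;
    while (*p == '/') p++;               /* request paths start at the web root */
    size_t o = 0;
    out[0] = '\0';
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                    /* parent reference: never allowed */
        if (len > 0 && !(len == 1 && p[0] == '.')) {
            if (o + len + 2 > outlen) return 0;
            if (o > 0) out[o++] = '/';
            memcpy(out + o, p, len);
            o += len;
            out[o] = '\0';
        }
        p = end ? end + 1 : p + len;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: the encoded path from the report, a plain
     * traversal, and an ordinary asset request. */
    const char *samples[] = {
        "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/../etc/passwd",
        "/app/%2e/ui%2ejs",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = safe_request_path(samples[i], buf, sizeof buf);
        printf("%-42s -> %s%s\n", samples[i], ok ? "serve " : "reject", ok ? buf : "");
    }
    return 0;
}
```

The check must run on exactly the string that is later passed to `open()`; if another layer of the server decodes the path again after validation, a double-encoded `%252e%252e` would turn back into `..` behind the check, so decode once, validate, and use only the canonical output from then on.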

@mmcclaskey mmcclaskey added the bug Something isn't working label Jun 13, 2024
mmcclaskey (Collaborator) commented

Internal ticket KASM-6090 has been opened. It should be noted that, if confirmed, the bug requires authentication and since KasmVNC is running as the user that is authenticated, they would only be able to access files that they already have access to anyway. So it certainly would be a vulnerability, but the CVSS scoring should be adjusted to reflect those limitations.

clbr (Collaborator) commented Jun 14, 2024

Confirmed. Fix pending.

d0td0tslash (Author) commented

CVE Number: CVE-2024-38449
CVSS 3.1 Severity: AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (4.5 - Medium Risk)

clbr (Collaborator) commented Jul 4, 2024

Fixed in master.

@clbr clbr closed this as completed Jul 4, 2024