Progress addressed a critical vulnerability last week, which was associated with an unauthenticated Command injection on the Progress Flowmon product.
This vulnerability was assigned CVE-2024-2189, and the severity was given as 10.0 (Critical).
Progress Flowmon is a network monitoring and analysis tool that gathers insights about network traffic, performance, and security. Its Web application uses a Nette PHP framework.
However, Progress released a security advisory for patching this vulnerability, urging all users to patch them accordingly.
To explain the vulnerability and exploitation further, a proof-of-concept for this vulnerability has been published.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
Critical Flowmon Vulnerability
The researchers enumerated unauthenticated endpoints specified in the “AllowedModulesDecider.php” file, which consisted of an array named “ALLOWED_TO_UNLOGGED_USERS.”
This array defines the modules of Flowmon that are accessible without authentication.
Further analyzing the code of the allowed list modules identified a specific code for generating PDFs under the name “Service:Pdfs:Confluence.”
The path for this module in the Nette Framework was “/service.pdfs/confluence”.
Functionality Of The PDF Generating Module
On analyzing the “Service:Pdfs:Confluence” module, it was identified that the module was associated with the service’s PDF generation functionality.
This functionality is handled by “ConfluencePresenter.php,” which processes incoming requests and delegates operations to “PdfGenerator.generate().”
In addition, ConfluencePresenter.php also takes parameters such as pluginPath, locale, and file directly from the user and does not require any sanitization.
These inputs are further used to construct the URL and file output string that will be passed to the pdfGenerator.generate() as settings.
The Command Injection Flaw
Further analysis revealed that the PdfGenerator.php contains a generate() method that makes a call to getExec.run() method, which has the privilege to execute system commands.
As a matter of fact, the run() method also accepts a second argument as an array of arguments.
These arguments are enclosed in quotes using escapeshellarg() method as a means of preventing command injection.
However, the command is not passed as an array of arguments but instead as a single string directly to the exec() which makes the exploitation of the command injection possible.
Exploitation
In order to exploit this vulnerability, threat actors can manipulate the pluginPath or file parameters to embed malicious commands by substituting $() or “,.
This breaks out the intended command and executes arbitrary commands blindly which means that the output of this command execution is not visible to the attacker.
Moreover, the command execution on the application is performed as the “flowmon” user which has elevated privileges that can run several commands with sudo. Most of the commands can be used to obtain a root shell.
Furthermore, the proof of concept for this vulnerability and exploitation can be found in this GitHub repository.
It is recommended that Progress Flowmon users upgrade to the latest version to prevent the exploitation of this vulnerability.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training ->
Try Free Demo