In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
PoC code [published]
id: CVE-2024-55956

info:
  name: Cleo Harmony,VLTrader,LexiCom < 5.8.0.24 - File Upload Vulnerability
  author: zan8in
  severity: critical
  verified: true
  description: |-
    In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-55956
  tags: cleo,cve,cve2024,fileupload
  created: 2025/01/01

rules:
  r0:
    request:
      method: GET
      path: /Synchronization
    # fingerprint only: a 200 response whose Server header names Cleo
    expression: response.status == 200 && response.headers["server"].icontains("Cleo")
    output:
      # capture the version number that follows "Cleo .../" in the Server header
      search: '"Server: Cleo.*?/(?P<version>[0-9.]+)".bsubmatch(response.raw_header)'
      version: search["version"]
    extractors:
      - type: regex
        extractor:
          ext1: '"Server: Cleo.*?/(?P<v>[0-9.]+)".bsubmatch(response.raw_header)'
          v: ext1["v"]
# note: the threshold used here (5.6.0.2) is lower than the 5.8.0.24 fix version stated
# in the description, so hosts running 5.6.0.2 through 5.8.0.23 are not flagged as written
expression: r0() && versionCompare(string(version),"<","5.6.0.2")
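The template above does nothing more than fingerprint the product from the `Server` header and compare the extracted version against a threshold. The following Python is an added example of that same check run offline against captured response headers (for instance from an asset inventory or proxy log), so a defender can list which hosts still sit below the fixed release. It is not code from the page, from afrog, or from the template's author; the HTTP responses are constructed here for illustration, and the `is_affected` / `version_compare` names are this example's own. The threshold defaults to the 5.8.0.24 fix version from the advisory text rather than the template's 5.6.0.2, and can be passed explicitly.

```python
import re
from typing import Dict, Optional, Tuple

# Same capture the template uses: the version that follows "Cleo .../" in the Server header.
CLEO_SERVER_RE = re.compile(r"Server: Cleo.*?/(?P<version>[0-9.]+)", re.IGNORECASE)

# First fixed release named in the advisory text above.
FIXED_VERSION = "5.8.0.24"


def parse_headers(raw_header: str) -> Dict[str, str]:
    """Turn a raw HTTP header block into a dict with lower-cased names (status line skipped)."""
    headers: Dict[str, str] = {}
    for line in raw_header.replace("\r\n", "\n").split("\n"):
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def extract_cleo_version(raw_header: str) -> Optional[str]:
    """Return the dotted version from the Server header, or None if it is not a Cleo banner."""
    m = CLEO_SERVER_RE.search(raw_header)
    return m.group("version") if m else None


def _parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.strip(".").split(".") if part)


def version_compare(a: str, op: str, b: str) -> bool:
    """Numeric dotted-version comparison; shorter versions are zero-padded (5.8 == 5.8.0.0)."""
    pa, pb = _parse_version(a), _parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    ops = {"<": pa < pb, "<=": pa <= pb, "==": pa == pb, ">=": pa >= pb, ">": pa > pb}
    if op not in ops:
        raise ValueError(f"unsupported operator: {op}")
    return ops[op]


def is_affected(status: int, raw_header: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """Mirror of rule r0 plus the final expression.

    Returns None when the response is not a Cleo fingerprint (rule r0 fails or no
    version could be extracted), True when the version is below `fixed`, else False.
    """
    if status != 200:
        return None
    headers = parse_headers(raw_header)
    if "cleo" not in headers.get("server", "").lower():
        return None
    version = extract_cleo_version(raw_header)
    if version is None:
        return None
    return version_compare(version, "<", fixed)


# Constructed sample responses (not real captures) for demonstration.
SAMPLE_VULNERABLE = "HTTP/1.1 200 OK\r\nServer: Cleo Harmony/5.8.0.21\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_PATCHED = "HTTP/1.1 200 OK\r\nServer: Cleo VLTrader/5.8.0.24\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_OTHER = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.58\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED), ("other", SAMPLE_OTHER)):
        print(label, extract_cleo_version(sample), is_affected(200, sample))
```

Keeping the threshold a parameter makes it easy to see the effect of the template's own value: `is_affected(200, SAMPLE_VULNERABLE, fixed="5.6.0.2")` returns `False` for a 5.8.0.21 host, which is exactly the gap the comment in the template points out.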