CVE-2024-36079 PoC — Vaultize Security Vulnerability

Associated Vulnerability
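Title: Vaultize Security Vulnerability (CVE-2024-36079)
Description: Vaultize is an enterprise platform from Vaultize. Vaultize version 21.07.27 contains a security vulnerability that stems from missing filename filtering, resulting in an arbitrary file upload vulnerability.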
Readme
# About Vulnerability

The on-premise Vaultize DRM v.21.07.27 is vulnerable to the upload of arbitrary files.

Because filenames are not filtered, a file whose name contains part of an absolute file system path can be uploaded.

![](./media/ptrav.png)

When you try to download the files, the application creates a temporary file at the final path in the file system.

![](./media/download.png)

![](./media/dump.png)

The file exists until downloading is complete, then it is deleted. This makes it possible for an attacker to write an arbitrary file to any directory with the rights of the application.
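
A server-side check for the flaw described above, as an added example (not code from the original README or from Vaultize). The function names, the staging directory and the sample filenames are assumptions constructed for illustration; `naive_temp_path` is a hypothetical rendering of the vulnerable pattern, since the application's own code is not shown on the page.

```python
import os
import uuid


class UnsafeFilename(ValueError):
    """Client-supplied name that must not be used on the file system."""


def naive_temp_path(staging_dir, client_name):
    # Vulnerable pattern (hypothetical): the client name is used as a path.
    # os.path.join drops staging_dir entirely when client_name is absolute.
    return os.path.normpath(os.path.join(staging_dir, client_name))


def validate_name(client_name):
    """Accept only a single path component; reject anything path-like."""
    if not client_name or "\x00" in client_name:
        raise UnsafeFilename(client_name)
    if "/" in client_name or "\\" in client_name or client_name in (".", ".."):
        raise UnsafeFilename(client_name)
    return client_name


def safe_temp_path(staging_dir, client_name):
    """Return (on_disk_path, display_name) for a download staging file.

    The on-disk name is random, so the client name never reaches the
    file system; it is kept only as metadata for the response header.
    """
    display_name = validate_name(client_name)
    base = os.path.realpath(staging_dir)
    on_disk = os.path.realpath(os.path.join(base, uuid.uuid4().hex + ".tmp"))
    # Defence in depth: containment check after symlink resolution.
    if os.path.commonpath([base, on_disk]) != base:
        raise UnsafeFilename(client_name)
    return on_disk, display_name


def is_inside(base, path):
    """True if path resolves to a location under base."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base
```

The same validation belongs on the upload handler, so that a path-like name is rejected before it is ever stored.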

# Demo

One form of product distribution is to deliver a pre-built VMware virtual machine image with the on-premise version of the application installed.
In this case, it is possible to gain access to the system by uploading an SSH public key.

![](./media/demo.gif)

# Disclosure timeline

* vulnerability discovered - 05/05/22
* software distributor notified - 05/13/22
* first letter to vendor (no response) - 07/04/22
* second letter to vendor (no response) - 08/31/22
* created ticket on https://support.vaultize.com with id #34833 - 10/19/22
* patch partially fixing the vulnerability - 12/27/23
* patch fixing the vulnerability - 05/15/23
* CVE-2024-36079 registered - 05/19/24
File Snapshot

[4.0K] /data/pocs/92c5e74911912ff9a9c88ac9c061819ec53786f8
├── [4.0K] media
│   ├── [ 10M] demo.gif
│   ├── [103K] download.png
│   ├── [ 84K] dump.png
│   └── [450K] ptrav.png
└── [1.3K] README.md

1 directory, 5 files