CVE-2024-23692: Unauthenticated RCE Flaw in Rejetto HTTP File Server, PoC Published

A critical vulnerability, identified as CVE-2024-23692, has been discovered in Rejetto HTTP File Server (HFS) versions 2.x, posing a significant risk to organizations and individuals utilizing this software for file sharing. The vulnerability, assigned a CVSS score of 9.8, allows remote attackers to execute arbitrary code on affected servers without authentication, potentially leading to data breaches, ransomware attacks, and complete system compromise.

Rejetto HFS is a straightforward web file server that facilitates file sharing over a network or the internet. It creates a web interface enabling users to download or upload files directly to a machine running the HFS software. Despite its simplicity and ease of use, this server has become a target for attackers due to the uncovered SSTI vulnerability.

The CVE-2024-23692 vulnerability specifically affects HFS versions 2.4.0 RC7 and 2.3m. The root cause lies in the way the server handles the default template used for rendering HTTP responses. This template includes content from a request’s search query parameter, which is not properly escaped, enabling SSTI.

Under normal operations, symbols and macros are encoded to prevent SSTI. However, by forcing the server to un-escape certain characters, an attacker can inject arbitrary macros into the template. This is achieved through a carefully crafted sequence of characters, as demonstrated by the following HTTP request:

echo -ne "GET /?search=%25x%25url%25:%host%}{.exec|notepad.}{.break.} HTTP/1.1\r\nHost:\r\n\r\n" | nc 192.168.86.35 80

In this exploit, the %url% symbol is un-escaped, allowing the remainder of the URL to be echoed back into the server-side content. By manipulating the search query parameter, an attacker can close the default template markers and inject arbitrary commands, such as opening Notepad in this example.

Stephen Fewer rates the exploitability of this vulnerability as very high due to its trivial exploitation method by a remote unauthenticated attacker. However, the attacker value is considered low since HFS is not typically used as an enterprise-level web server. Despite this, the potential for damage on affected systems remains significant, especially for users who rely on HFS for personal or small business file sharing.

Security researcher Arseniy Sharoglazov identified the flaw and Stephen Fewer provided a detailed analysis and exploit module for Metasploit. For detailed technical information and the Metasploit module, users can refer to the original publication by Stephen Fewer on AttackerKB.

One of the most concerning aspects of this vulnerability is the lack of a patch for HFS version 2.x, as it is no longer supported by its maintainers. Users are strongly advised to upgrade to version 3.x of Rejetto HFS, which does not suffer from this vulnerability.