CVE-2024-43454 - Relative Path Traversal

Severity

71%

Complexity

27%

Confidentiality

70%

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

CVSS 3.1 Base Score 7.1. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).

Demo Examples

Relative Path Traversal

CWE-23

The following URLs are vulnerable to this attack:


               
http://example.com.br/some-page.asp?page=index.html

A simple way to execute this attack is like this:


               
http://example.com.br/get-files?file=../../../../etc/passwd

Relative Path Traversal

CWE-23

The following code could be for a social networking application in which each user's profile information is stored in a separate file. All files are stored in a single directory.


               
print "</ul>\n";
print "<li>$_</li>\n";

While the programmer intends to access files such as "/users/cwe/profiles/alice" or "/users/cwe/profiles/bob", there is no verification of the incoming user parameter. An attacker could provide a string such as:


               
../../../etc/passwd

The program would generate a profile pathname like this:


               
/users/cwe/profiles/../../../etc/passwd

When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file:


               
/etc/passwd

As a result, the attacker could read the entire text of the password file.

Notice how this code also contains an error message information leak (CWE-209) if the user parameter does not produce a file that exists: the full pathname is provided. Because of the lack of output encoding of the file that is retrieved, there might also be a cross-site scripting problem (CWE-79) if profile contains any HTML, but other code would need to be examined.

Relative Path Traversal

CWE-23

The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.


               
</form>

When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.


               
}

                     

                        

                           
{...}

                                 
// output successful upload response HTML page

                                       
bw.close();
}
bw.flush();
...

As with the previous example this code does not perform a check on the type of the file being uploaded. This could allow an attacker to upload any executable file or other file with malicious code.

Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-22, CWE-23). Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.

Overview

Type

Microsoft Windows Server

First reported 5 months ago

2024-09-10 17:15:00

Last updated 5 months ago

2024-09-13 14:52:00

Affected Software

Microsoft Windows Server 2012

Microsoft Windows Server 2019

Microsoft Windows Server 2016

References

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Patch, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.