Vulnerability ID | VCID-49m9-v222-aaae |
Aliases | CVE-2024-2961 |
Summary | The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. |
Status | Published |
Exploitability | 2.0 |
Weighted Severity | 7.9 |
Risk | 10.0 |
Affected and Fixed Packages | Package Details |
CWE-787 | Out-of-bounds Write |
Data source | Metasploit |
---|---|
Description | This combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961) allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and earlier if the PHP and glibc versions are also vulnerable: 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier. Vulnerable PHP versions: from PHP 7.0.0 (2015) to 8.3.7 (2024). Vulnerable iconv() function in the GNU C Library: 2.39 and earlier. The exploit chain is quite interesting and for more detailed information check out the references. The tl;dr being: CVE-2024-34102 is an XML External Entity vulnerability leveraging PHP filters to read arbitrary files from the target system. The exploit chain uses this to read /proc/self/maps, providing the address of PHP's heap and the libc's filename. The libc is then downloaded, and the offsets of libc_malloc, libc_system and libc_realloc are extracted, and made use of later in the chain. With this information and expert knowledge of PHP's heap (chunks, free lists, buckets, bucket brigades), CVE-2024-2961 can be exploited. A long chain of PHP filters is constructed and sent in the same way the XXE is exploited, building a payload in memory and using the buffer overflow to execute it, resulting in an unauthenticated RCE. |
Note | Stability: crash-safe; SideEffects: artifacts-on-disk, ioc-in-logs; Reliability: repeatable-session |
Ransomware campaign use | Unknown |
Source publication date | July 26, 2024 |
Platform | Linux,Unix |
Source URL | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb |
Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
---|---|---|---|---|---|---|---|
network adjacent_network local physical | low high | none low high | none required | unchanged changed | high low none | high low none | high low none |
Percentile | 0.32058 |
EPSS Score | 0.00071 |
Published At | Nov. 1, 2024, midnight |
Date | Actor | Action | Source | VulnerableCode Version |
---|---|---|---|---|
2024-04-23T17:19:27.837666+00:00 | NVD Importer | Import | https://nvd.nist.gov/vuln/detail/CVE-2024-2961 | 34.0.0rc4 |