Angular-base64-update Demo Script Exploited (CVE-2024-42640)

Published: 2024-10-15. Last Updated: 2024-10-15 15:08:01 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Demo scripts left behind after installing applications or frameworks are an ongoing problem. After installation, removing any "demo" or "example" folders is usually best. A few days ago, Ravindu Wickramasinghe noticed that the Angular-base64-upload project is leaving behind a demo folder with a script allowing arbitrary file uploads without authentication [1]. Exploitation of the vulnerability is trivial. An attacker may use the file upload script to upload a web shell, and in response, the attacker will obtain remote command execution with all the privileges granted to the web server.

Sadly, the project is also no longer maintained. But a patch is not needed. Removing the vulnerable script (and likely the entire demo folder) should be an appropriate response.

Shortly after the blog post's publication, we detected exploit attempts in our web honeypot logs. On October 14th, we saw about 3,000 scans for 

/angular-base64-upload/demo/server.php

Just note that requests for URLs containing "demo" are pretty standard. Interestingly, there was an increase in these requests starting in July.

graph of requests for URLs containing the string "demo" showing an increase in scans in July.
Graph of requests containing the string "demo".

[1] https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

0 comment(s)
ISC Stormcast For Tuesday, October 15th, 2024 https://isc.sans.edu/podcastdetail/9180

Comments


Diary Archives