CVE Identifier: CVE-2024-45241
Product: CentralSquare CryWolf (False Alarm Management)
Affected Component: GeneralDocs.aspx
Vulnerability Type: Path Traversal
Discovery Date: 2024-08-09
A path traversal vulnerability has been identified in the GeneralDocs.aspx component of CentralSquare CryWolf, a False Alarm Management system. This vulnerability allows unauthenticated attackers to exploit the rpt parameter to access files outside of the intended web directory. This can lead to the disclosure of sensitive information.
Read about it — CVE-2024-45241
Disclaimer: This Proof of Concept (POC) is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
Path traversal vulnerabilities occur when an application allows users to manipulate file paths in a way that allows them to access files and directories outside the intended directory. This is often achieved by using sequences like ../ (dot-dot-slash) to traverse directories.
In this case, the affected component is GeneralDocs.aspx. This ASP.NET page appears to handle document requests or generation based on parameters provided by the user.
The rpt parameter is used to specify which document or report should be processed or retrieved. The vulnerability arises because this parameter is not properly sanitized or validated, allowing attackers to manipulate it to traverse directories.
To find potential targets, use Fofa (similar to Shodan.io):
- Fofa Dork: "Powered by CryWolf"
Turn on Burp and start to intercept.
Type in the URL search:
<TARGET_URL>/GeneralDocs.aspx?rpt=../../../../../<FILE>
Now you will see the original request of <TARGET_URL>/GeneralDocs.aspx?rpt=../../../../../ and click forward:
Click forward until you see this message (GET request to gdoc1.ashx):
Now right click and click on "Do intercept" --> "Response to this request" then click forward.
You can see the response and the file content!
