CVE-2024-11979
📋 TL;DR
DreamMaker from Interinfo has an unauthenticated path traversal vulnerability: a remote attacker can upload arbitrary files to any directory on the server, which can lead to remote code execution via a webshell. All systems running vulnerable versions of DreamMaker are affected.
💻 Affected Systems
- DreamMaker
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary code execution, data theft, and lateral movement within the network.
Likely Case
Attackers deploy webshells to maintain persistent access, exfiltrate data, and use the system as a pivot point for further attacks.
If Mitigated
Limited impact if file upload requests are blocked at the network perimeter and strict server-side filename and path validation is in place; neither measure replaces the vendor patch.
🎯 Exploit Status
The vulnerability is straightforward to exploit with basic HTTP tooling: no authentication is required, and the attacker only needs to place a traversal sequence in the uploaded filename.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Interinfo advisory for specific version
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8272-13a13-2.html
Restart Required: Yes
Instructions:
1. Check the Interinfo advisory for patch details
2. Apply the security update provided by Interinfo
3. Restart the DreamMaker service
4. Verify the fix is applied
🔧 Temporary Workarounds
Block file uploads at network perimeter
Use WAF or firewall rules to block file upload requests to DreamMaker. Rules should match URL-encoded and double-encoded traversal sequences (e.g. %2e%2e%2f, %252e%252e%252f), not just the literal ../.
Implement strict file validation
Where DreamMaker's configuration permits, accept only an allow-list of file types and reject any filename that contains a path separator or traversal sequence; the server must resolve the final path and confirm it still lies inside the intended upload directory.
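To make the second workaround concrete, the following added example (not DreamMaker's code, and not from the advisory) contrasts the bug class behind this CVE with a hardened path check. The upload root, the allow-list and the function names are assumptions chosen for illustration.

```python
import posixpath
from typing import Optional

# Hypothetical upload root and allow-list for this demonstration.
UPLOAD_ROOT = "/srv/app/uploads"
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf", "txt"}


def vulnerable_target_path(filename: str) -> str:
    """Joins the client-supplied name straight under the upload root.

    A name such as ../../var/www/html/shell.php escapes the root. This is
    the bug class described for CVE-2024-11979, written here for illustration;
    it is not DreamMaker's actual code.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def safe_target_path(filename: str) -> Optional[str]:
    """Returns a path strictly inside UPLOAD_ROOT, or None if the name is rejected."""
    # 1. Keep only the last path component; any directory part the client sent
    #    (forward or backslash separated) is discarded, not resolved.
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or any(ord(c) < 0x20 for c in name):
        return None

    # 2. Allow-list every extension segment, so shell.php.txt and
    #    shell.php%00.png style names are rejected, not just the last suffix.
    segments = name.lower().split(".")[1:]
    if not segments or any(seg not in ALLOWED_EXTENSIONS for seg in segments):
        return None

    # 3. Defence in depth: resolve the final path and confirm it is still
    #    under the upload root even after normalisation.
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    probe = "../../var/www/html/shell.php"
    print("vulnerable:", vulnerable_target_path(probe))   # lands outside the upload root
    print("hardened:  ", safe_target_path(probe))         # None: rejected
    print("hardened:  ", safe_target_path("report.PDF"))  # stays under UPLOAD_ROOT
```

The vulnerable variant shows why "validate file paths" has to mean resolving the final location and checking containment; normalising alone is not enough, because the traversal is normalised right out of the upload directory.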
🧯 If You Can't Patch
- Isolate DreamMaker instances from the internet and restrict network access
- Implement strict monitoring for file upload activities and webshell detection
🔍 How to Verify
Check if Vulnerable:
Check whether DreamMaker accepts an unauthenticated file upload whose filename parameter contains a traversal sequence (../). Use a harmless text file, and test only systems you are authorised to assess.
Check Version:
Check DreamMaker version in administration interface or configuration files
Verify Fix Applied:
Test that file uploads now require proper authentication and that filenames containing traversal sequences (including URL-encoded forms) are rejected rather than written outside the upload directory
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns
- Requests with path traversal sequences (../), including URL-encoded forms such as %2e%2e%2f and double-encoded %252e%252e%252f
- Uploads of suspicious file types (.php, .jsp, .asp, .aspx)
Network Indicators:
- HTTP POST requests to upload endpoints from unexpected sources
- Multiple failed upload attempts followed by successful ones
SIEM Query:
source="dreammaker.log" AND (url="*upload*" AND (filename="*../*" OR filename="*.php*" OR filename="*.jsp*"))
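The SIEM query above only matches a literal ../ in the filename. The following added example (not part of the original page, and not tied to any real DreamMaker log format) applies the same log indicators to constructed access-log lines, but decodes the URL first so encoded and double-encoded traversal is caught as well. The log format, endpoint name and field names are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in combined-log style (assumed format; not real DreamMaker logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:01:02 +0000] "POST /upload?filename=report.pdf HTTP/1.1" 200 512
203.0.113.5 - - [10/Dec/2024:10:01:09 +0000] "POST /upload?filename=../../www/shell.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Dec/2024:10:02:13 +0000] "POST /upload?filename=%2e%2e%2f%2e%2e%2fwww%2fcmd.jsp HTTP/1.1" 200 512
198.51.100.7 - - [10/Dec/2024:10:02:20 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
192.0.2.9 - - [10/Dec/2024:10:03:01 +0000] "POST /upload?filename=..%252f..%252fx.aspx HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
# Server-side script extensions commonly used for webshells, matched as a
# segment anywhere in the name so shell.php.txt is also flagged.
WEBSHELL_EXT = re.compile(r"\.(php\d?|phtml|jsp|jspx|asp|aspx|ashx)(\.|$)", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decodes repeatedly until stable, so %252e%252e%252f reaches '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Returns one record per upload request showing traversal or a webshell extension."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = fully_decode(m.group("url")).replace("\\", "/")
        if "upload" not in url.lower():      # mirrors url="*upload*" in the SIEM query
            continue
        reasons = []
        if "../" in url:
            reasons.append("traversal")
        if WEBSHELL_EXT.search(url.split("?", 1)[-1]):
            reasons.append("webshell-ext")
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "url": m.group("url"),       # original, still-encoded form for the ticket
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["reasons"], hit["url"])
```

A 2xx status on a flagged request is the line to escalate first: it indicates the server accepted the file, so the next step is to search the web root and other writable directories for the uploaded name.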