CVE-2024-32491
📋 TL;DR
This vulnerability allows authenticated users in Znuny and Znuny LTS to upload files to arbitrary writable locations via path traversal in manipulated AJAX requests. If the uploaded location is publicly accessible through the web server, this can lead to arbitrary code execution. Affected systems include Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16.
💻 Affected Systems
- Znuny
- Znuny LTS
📦 What is this software?
Znuny by Znuny
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Authenticated attackers upload malicious files to web-accessible directories, enabling web shell deployment and subsequent command execution.
If Mitigated
If the upload locations are not served by the web server, the impact is limited to an authenticated user writing files outside the intended directory (file system manipulation) without direct code execution.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple path traversal techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Znuny LTS 6.5.8, Znuny 7.0.17
Vendor Advisory: https://www.znuny.org/en/advisories/zsa-2024-01
Restart Required: Yes
Instructions:
1. Backup your Znuny installation and database.
2. Download the patched version from the official Znuny website.
3. Follow the official upgrade instructions for your version.
4. Restart the Znuny service.
🔧 Temporary Workarounds
Restrict file upload permissions
Configure the web server to deny public access to upload directories and restrict the locations the application user can write to.
# Configure appropriate file permissions for upload directories
# Example: chmod 750 /path/to/upload/dir
# Configure web server (Apache/Nginx) to deny access to sensitive directories
Implement input validation
Add server-side validation that rejects file upload requests whose target path contains traversal sequences, and confine writes to the intended upload directory.
# Implement validation in relevant upload handlers to reject paths containing '../' or similar traversal sequences
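The following is an added example of the validation described above; it is not Znuny's code (Znuny is written in Perl; Python is used here for illustration), and the upload root path is a hypothetical value. It rejects any `..` path component (forward or back slash), discards client-supplied directory parts, and then confirms that the resolved destination still lies under the upload root, so a name that slips past the syntactic check cannot escape.

```python
import os
import re

# Hypothetical upload root for this example; a real deployment would use its
# configured attachment/upload directory.
UPLOAD_ROOT = "/srv/znuny-example/uploads"

# Matches a '..' path component delimited by '/' or '\' (or string start/end),
# but not a file name such as 'notes..txt'.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def has_traversal_sequence(user_path: str) -> bool:
    """Cheap syntactic check: True if the supplied path contains a '..' component."""
    return bool(TRAVERSAL_RE.search(user_path))


def resolve_upload_path(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Return the absolute destination path for an uploaded file, or raise
    ValueError when the client-supplied name would leave the upload root."""
    if not filename or "\x00" in filename:
        raise ValueError("empty file name or embedded NUL byte")
    if has_traversal_sequence(filename):
        raise ValueError("path traversal sequence rejected")

    # Keep only the final component: the client must not choose directories.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or reserved file name")

    root_abs = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_abs, base))

    # Belt and braces: confirm the resolved path is still inside the root.
    if os.path.commonpath([root_abs, dest]) != root_abs:
        raise ValueError("destination outside upload root")
    return dest


if __name__ == "__main__":
    for name in ("invoice.pdf", "sub/dir/file.txt", "../../index.pl", "notes..txt"):
        try:
            print(f"{name!r:24} -> {resolve_upload_path(name)}")
        except ValueError as exc:
            print(f"{name!r:24} -> rejected ({exc})")
```

The realpath check is the part that matters in practice: a syntactic blacklist alone misses encoded or platform-specific variants, whereas comparing the resolved destination against the resolved root catches anything that would end up outside it.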
🧯 If You Can't Patch
- Restrict authenticated user access to minimum required privileges
- Implement web application firewall rules to block requests with path traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check your Znuny version against affected ranges: Znuny LTS 6.0.31-6.5.7 or Znuny 7.0.1-7.0.16
Check Version:
Check the Znuny admin interface or examine the RELEASE file in the installation directory
Verify Fix Applied:
Verify version is updated to Znuny LTS 6.5.8+ or Znuny 7.0.17+
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns
- AJAX requests with path traversal sequences
- File writes to unexpected directories
Network Indicators:
- HTTP POST requests to upload endpoints with suspicious path parameters
SIEM Query:
source="znuny_logs" AND (http_method="POST" AND uri="*upload*" AND (param="*../*" OR param="*..\\*"))
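As an added example (not part of the advisory or of Znuny), the detection logic of the SIEM query above applied to constructed access-log lines. The endpoint names and parameter name are hypothetical. Unlike a literal `*../*` pattern, it URL-decodes parameter values (including double encoding) before matching, which is the usual way such a query gets bypassed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a common-log-like shape; the '/app/upload'
# endpoint and 'Filename' parameter are hypothetical, not Znuny's real ones.
SAMPLE_LOG = """\
10.0.0.5 - agent1 [01/May/2024:10:00:01 +0000] "POST /app/upload?Filename=report.pdf HTTP/1.1" 200
10.0.0.5 - agent1 [01/May/2024:10:00:07 +0000] "POST /app/upload?Filename=../../htdocs/x.txt HTTP/1.1" 200
10.0.0.9 - agent2 [01/May/2024:10:01:12 +0000] "POST /app/upload?Filename=..%2F..%2Fhtdocs%2Fx.txt HTTP/1.1" 200
10.0.0.9 - agent2 [01/May/2024:10:01:40 +0000] "POST /app/upload?Filename=%252e%252e%252fhtdocs%252fy.txt HTTP/1.1" 200
10.0.0.9 - agent2 [01/May/2024:10:02:30 +0000] "GET /app/index?Action=Dashboard HTTP/1.1" 200
10.0.0.7 - agent3 [01/May/2024:10:03:44 +0000] "POST /app/upload?Filename=notes..txt HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d+)'
)
# A '..' path component delimited by '/' or '\' (covers the query's '../' and '..\').
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded sequences are seen."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def flag_upload_traversal(log_text: str) -> list:
    """Return one dict per POST to an upload endpoint whose query parameter,
    after decoding, contains a path traversal component."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["uri"])
        if "upload" not in parts.path.lower():
            continue
        # parse_qs already decodes once; fully_decode handles further layers.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                if TRAVERSAL_RE.search(fully_decode(raw)):
                    hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                                 "param": name, "value": raw})
    return hits


if __name__ == "__main__":
    for hit in flag_upload_traversal(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} {hit['param']}={hit['value']!r}")
```

Three of the six constructed lines are flagged: the plain `../`, the single-encoded and the double-encoded variants; the GET request and the harmless `notes..txt` name are not. Parameters carried in a POST body rather than the query string need the same check applied to the request body, which a standard access log does not record.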