CVE-2024-3435
📋 TL;DR
A path traversal vulnerability in the parisneo/lollms-webui application allows attackers to manipulate configuration settings via specially crafted JSON payloads to the 'save_settings' endpoint. This can lead to remote code execution by bypassing existing security patches. All versions prior to 9.5 are affected.
💻 Affected Systems
- parisneo/lollms-webui
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through remote code execution, allowing an attacker to execute arbitrary commands, access sensitive data, and pivot to other systems.
Likely Case
Configuration manipulation leading to service disruption, data exposure, or limited code execution within application context.
If Mitigated
Failed exploitation attempts logged, with no impact due to proper input validation and access controls.
🎯 Exploit Status
Exploitation requires sending crafted JSON payloads to the vulnerable endpoint; proof-of-concept details available in public references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 9.5 and later
Vendor Advisory: https://github.com/parisneo/lollms-webui/commit/bb99b59e710d00c4f2598faa5e183fa30fbd3bc2
Restart Required: Yes
Instructions:
1. Update to version 9.5 or later via git pull or package manager.
2. Restart the lollms-webui service.
3. Verify the fix by checking the version.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to the lollms-webui service to trusted IPs only.
iptables -A INPUT -p tcp --dport [lollms-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [lollms-port] -j DROP
Input Validation Enhancement
All platforms: Add custom input validation for the 'config' parameter in the 'apply_settings' function.
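The validation the workaround calls for is a containment check: every path-like value taken from the request body must resolve to a location inside the configuration directory, after '..' segments and symlinks have been collapsed. The following is an added example of such a check, not code from the lollms-webui project; the function names, the base directory and the list of keys treated as paths are assumptions for illustration.

```python
from pathlib import Path

# Hypothetical: settings keys whose values are filesystem paths. The real
# project's key names may differ; adapt this list to the actual config schema.
PATH_KEYS = frozenset({"config_path", "data_path", "models_path"})


def is_safe_config_path(base_dir: str, user_supplied) -> bool:
    """Return True only if `user_supplied` is a relative path that stays inside
    `base_dir` once resolved.

    Resolving both sides before comparing means '../' segments, absolute paths
    and symlink escapes are all rejected by the same component-wise check
    (Path.relative_to compares path components, so a sibling directory that
    merely shares a string prefix with base_dir is not accepted).
    """
    if not isinstance(user_supplied, str) or not user_supplied.strip():
        return False
    if "\x00" in user_supplied:          # NUL bytes are never legitimate here
        return False
    if user_supplied.startswith(("/", "\\")) or Path(user_supplied).is_absolute():
        return False
    base = Path(base_dir).resolve()
    target = (base / user_supplied).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return False
    return True


def sanitize_settings(base_dir: str, payload: dict, path_keys=PATH_KEYS):
    """Split an incoming settings payload into accepted entries and rejected keys.

    Hypothetical wrapper to be called before the settings are applied: values
    under path-like keys must pass is_safe_config_path; everything else is
    passed through unchanged. Returns (accepted_dict, rejected_key_list).
    """
    accepted, rejected = {}, []
    for key, value in payload.items():
        if key in path_keys and not is_safe_config_path(base_dir, value):
            rejected.append(key)
            continue
        accepted[key] = value
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample payload: one escaping path, one harmless setting.
    ok, bad = sanitize_settings("/opt/lollms/config",
                                {"data_path": "../../outside", "theme": "dark"})
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately an allow-list on location rather than a deny-list on the string '../', since URL-encoded or backslash variants would slip past a substring filter but cannot survive resolution against the base directory.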
🧯 If You Can't Patch
- Disable the 'save_settings' endpoint if not required.
- Implement a web application firewall (WAF) to block path traversal patterns.
🔍 How to Verify
Check if Vulnerable:
Check if the application version is below 9.5 and if the 'save_settings' endpoint is accessible.
Check Version:
Check the version in the application's web interface or configuration files.
Verify Fix Applied:
Verify the application version is 9.5 or higher and test the endpoint with malicious payloads to ensure rejection.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to '/save_settings' endpoint with JSON payloads containing path traversal patterns (e.g., '../').
- Configuration file modifications outside expected paths.
Network Indicators:
- HTTP requests with crafted JSON payloads targeting the vulnerable endpoint.
SIEM Query:
source="web_logs" AND uri="/save_settings" AND (payload LIKE "%..%" OR (payload LIKE "%config%" AND payload LIKE "%path%"))
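The same predicate as the SIEM query, run over a handful of constructed log lines, as an added example (not part of the original advisory). It assumes web logs are exported as JSON lines with `uri`, `method`, `src` and `payload` fields; the field names and every log entry below are made up for illustration. It goes one step beyond the literal query by URL-decoding the payload before matching, so percent-encoded '..' sequences are caught as well.

```python
import json
from urllib.parse import unquote

# Constructed sample log entries (JSON lines). None of this is real traffic.
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-04-05T10:00:01Z", "src": "10.0.0.5", "method": "POST",
     "uri": "/save_settings", "status": 200,
     "payload": '{"config":{"theme":"dark"}}'},                       # benign
    {"ts": "2024-04-05T10:00:07Z", "src": "10.0.0.9", "method": "POST",
     "uri": "/save_settings", "status": 200,
     "payload": '{"config":{"data_path":"../../outside/dir"}}'},      # traversal
    {"ts": "2024-04-05T10:00:12Z", "src": "10.0.0.9", "method": "POST",
     "uri": "/save_settings", "status": 200,
     "payload": '{"config":{"data_path":"%2e%2e%2f%2e%2e%2ftmp"}}'},  # encoded traversal
    {"ts": "2024-04-05T10:01:30Z", "src": "10.0.0.12", "method": "POST",
     "uri": "/save_settings", "status": 200,
     "payload": '{"config":{"binding_path":"/srv/models"}}'},         # config + path, no '..'
    {"ts": "2024-04-05T10:02:00Z", "src": "10.0.0.5", "method": "GET",
     "uri": "/other", "status": 404, "payload": "../x"},              # wrong endpoint
])


def is_suspicious_payload(payload: str):
    """Mirror the SIEM query's payload clause on a normalised copy of the body.

    Returns (matched, reason). Decoding twice covers double-encoded input;
    lower-casing keeps the substring tests case-insensitive.
    """
    norm = unquote(unquote(payload)).lower()
    if ".." in norm:
        return True, "traversal"
    if "config" in norm and "path" in norm:
        return True, "config-path"
    return False, ""


def scan_log_lines(lines: str):
    """Return one hit per line whose uri is /save_settings and whose payload
    matches is_suspicious_payload. Malformed lines are skipped, not fatal."""
    hits = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if entry.get("uri") != "/save_settings":
            continue
        matched, reason = is_suspicious_payload(str(entry.get("payload", "")))
        if matched:
            hits.append({"ts": entry.get("ts"), "src": entry.get("src"),
                         "method": entry.get("method"), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(hit)
```

The "config-path" branch reproduces the query's second clause and will fire on legitimate settings changes that mention any path; treat it as a lower-severity signal to be correlated with the source address and change volume, while a "traversal" hit on this endpoint warrants immediate review.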
🔗 References
- https://github.com/parisneo/lollms-webui/commit/bb99b59e710d00c4f2598faa5e183fa30fbd3bc2
- https://huntr.com/bounties/494f349a-8650-4d30-a0bd-4742fda44ce5