CVE-2024-40624
📋 TL;DR
This vulnerability in TorrentPier allows remote code execution by deserializing malicious cookies. Attackers can write arbitrary PHP files and execute system commands. All users running vulnerable versions are affected.
💻 Affected Systems
- TorrentPier
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to web server compromise, data theft, and potential ransomware deployment.
If Mitigated
Limited impact with proper network segmentation and minimal privileges, but still significant risk due to RCE capability.
🎯 Exploit Status
The exploit uses phpggc with the Guzzle/FW1 chain. The attack requires sending a malicious cookie to the viewforum.php endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.4
Vendor Advisory: https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw
Restart Required: No
Instructions:
1. Back up your current installation and database.
2. Download TorrentPier 2.4.4 or later from the official repository.
3. Replace all files with the new version.
4. Verify commit ed37e6e52 is present in functions.php.
🔧 Temporary Workarounds
No known workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate TorrentPier instance from critical systems
- Deploy web application firewall with rules to block suspicious cookie patterns and PHP serialization payloads
🔍 How to Verify
Check if Vulnerable:
Check if your TorrentPier version is below 2.4.4 by examining version files or checking if functions.php contains the vulnerable get_tracks() function with unserialize() calls.
Check Version:
Check version.php or similar version files in the TorrentPier installation directory.
Verify Fix Applied:
Verify commit ed37e6e52 is present in library/includes/functions.php and that unserialize() calls have been replaced with safer alternatives.
📡 Detection & Monitoring
Log Indicators:
- Unusual cookie values in access logs, particularly for viewforum.php requests
- Unexpected file writes in web directory
- Suspicious PHP process execution
Network Indicators:
- HTTP requests with unusually long or encoded cookie values
- Traffic patterns matching phpggc payloads
SIEM Query:
source="web_access_logs" AND uri="*viewforum.php*" AND cookie="*bb_t=*" AND (cookie_length>1000 OR cookie MATCHES "*O:*")
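The log indicators and SIEM query above, written out as an added example (not from the vendor advisory or TorrentPier's code): a Python check that flags viewforum.php requests whose bb_t cookie is oversized or decodes to a PHP serialized object. It assumes a combined access-log format with the Cookie header logged as a final quoted field; the sample lines and the class name Example are constructed.

```python
import re
from urllib.parse import unquote

# Assumed layout: combined log format plus the Cookie header as a last quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
# Header of a PHP serialized object (O:) or custom-serialized object (C:).
OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"')
MAX_COOKIE_LEN = 1000   # length threshold taken from the page's SIEM query
COOKIE_NAME = "bb_t"    # cookie name taken from the page's SIEM query

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are also inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_line(line):
    """Return the reasons a log line is suspicious (empty list if clean)."""
    m = LINE_RE.match(line.strip())
    if not m or "viewforum.php" not in m["uri"]:
        return []
    reasons = []
    for part in m["cookie"].split(";"):
        name, _, raw = part.strip().partition("=")
        if name != COOKIE_NAME:
            continue
        if len(raw) > MAX_COOKIE_LEN:
            reasons.append("oversized cookie")
        if OBJECT_RE.search(decode(raw)):
            reasons.append("serialized object in cookie")
    return reasons

# Constructed sample lines (not real traffic); "Example" is a placeholder class.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /viewforum.php?f=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "bb_t=a%3A1%3A%7Bi%3A5%3Bi%3A1700000000%3B%7D"',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /viewforum.php?f=1 HTTP/1.1" 200 5120 "-" "curl/8.0" "bb_t=O%253A7%253A%2522Example%2522%253A0%253A%257B%257D"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line.split()[0], check_line(line))
```

A serialized array of integers in the cookie passes, while any object header is flagged even when the value is URL-encoded twice.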
🔗 References
- https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60
- https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e
- https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw