CVE-2024-55215
📋 TL;DR
An unauthenticated remote attacker can exploit the /auth/register initialization interface in Trojan versions 2.0.0 through 2.15.3 to escalate privileges and gain unauthorized access. This affects all systems running vulnerable Trojan server configurations, particularly those exposed to untrusted networks.
💻 Affected Systems
- Trojan
📦 What is this software?
Trojan by Jrohy
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attacker gains administrative control over the Trojan server, potentially pivoting to other systems in the network.
Likely Case
Unauthorized access to Trojan management interface allowing attacker to create/manage users, modify configurations, or intercept traffic.
If Mitigated
Limited impact if interface is properly firewalled or access-controlled, though the vulnerability remains present.
🎯 Exploit Status
Public proof-of-concept exists on GitHub. Exploitation requires network access to the vulnerable endpoint but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.15.4 or later
Vendor Advisory: https://github.com/trojan-gfw/trojan
Restart Required: Yes
Instructions:
1. Update Trojan to version 2.15.4 or later.
2. Stop the Trojan service.
3. Replace the binary with the patched version.
4. Restart the Trojan service.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the Trojan server's management interface using firewall rules (Linux).
iptables -A INPUT -p tcp --dport [TROJAN_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [TROJAN_PORT] -j DROP
Disable Registration Interface
If not needed, disable or remove the /auth/register endpoint from the Trojan configuration (all platforms).
Edit Trojan config file to remove or comment out registration-related settings
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to block all external access to Trojan management interfaces.
- Monitor network traffic to the Trojan server for unauthorized access attempts to the /auth/register endpoint.
🔍 How to Verify
Check if Vulnerable:
Check Trojan version with 'trojan --version' and verify if it's between 2.0.0 and 2.15.3 inclusive.
Check Version:
trojan --version
Verify Fix Applied:
Confirm version is 2.15.4 or later with 'trojan --version' and test that /auth/register endpoint no longer allows unauthorized privilege escalation.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /auth/register endpoint
- Unexpected user creation or privilege changes in Trojan logs
Network Indicators:
- HTTP POST requests to /auth/register from untrusted sources
- Unusual traffic patterns to Trojan management port
SIEM Query:
source="trojan.log" AND (uri="/auth/register" OR event="register" OR event="privilege")
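An added example, not part of the original advisory or the Trojan project: one way to surface the network indicator above (POST requests to /auth/register from untrusted sources) from access logs. It assumes a reverse proxy in front of the management interface that writes combined-format access logs; `TRUSTED_NETS` and the sample lines are constructed placeholders.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of the management interface writes
# combined-format access logs; Trojan's own log format is not shown on the page.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Hypothetical allowlist: replace with the admin networks of your deployment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]


def is_trusted(ip_text, nets=TRUSTED_NETS):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable client field is treated as untrusted
    return any(ip in net for net in nets)


def find_register_posts(lines, nets=TRUSTED_NETS):
    """Return one finding per POST to /auth/register from an untrusted source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the path only, so a query string or trailing slash cannot hide a hit.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path != "/auth/register" or is_trusted(m["ip"], nets):
            continue
        findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"])})
    return findings


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Jan/2025:09:00:01 +0000] "POST /auth/register HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Jan/2025:09:14:22 +0000] "POST /auth/register HTTP/1.1" 200 45 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Jan/2025:09:15:03 +0000] "GET /auth/register HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2025:09:15:09 +0000] "POST /auth/register/?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2025:09:16:40 +0000] "POST /auth/login HTTP/1.1" 200 120 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for f in find_register_posts(SAMPLE_LOG):
        print(f"{f['time']} POST /auth/register from {f['ip']} -> HTTP {f['status']}")
```

A finding with a 2xx status deserves a follow-up check for the unexpected user creation or privilege changes listed under Log Indicators.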