The vulnerability exists in ConnectWise ScreenConnect versions 23.9.7 and earlier due to improper sanitization of user-supplied input in file path parameters. An authenticated attacker with low-privileged access (for example a guest or technician role) can exploit a path traversal flaw by injecting "../" sequences into requests targeting the /Relay/FileTransfer or /SetupWizard/FileUpload endpoints. The application fails to validate the base directory, so the attacker can navigate outside the intended web root.

By chaining this with write capabilities, the attacker can upload a malicious ASPX or PHP file (depending on the underlying OS) into a directory that the server later executes. Specifically, the SetupWizard component allows file writes to the App_Data folder; via path traversal, the attacker can redirect the payload to the web root (e.g., ../../ScreenConnect/UserFiles/). Once the file is uploaded, the attacker triggers execution by sending an HTTP GET request to it; this request bypasses any authentication checks for static files. Successful exploitation grants remote code execution with the privileges of the ScreenConnect service (typically NETWORK SERVICE or SYSTEM).

The CVSS vector indicates high attack complexity, high required privileges and user interaction; however, the actual exploit works with low-privilege accounts in default configurations. The path traversal also enables reading sensitive configuration files, including database credentials and license keys, leading to further compromise.
Platform: Windows, Linux
Version: 23.9.7 and earlier
Vulnerability: Path traversal RCE
Severity: High
Date: 2024-02-21
Prediction: 2024-03-20
What Undercode Says:
Analytics: Exploit attempts spike after public disclosure (2024-02-22). Observed traffic patterns show URI traversal strings (%2e%2e%2f). Count traversal attempts in web server, reverse proxy or WAF access logs (nginx path shown; adjust for IIS). The pattern matches both the raw and the URL-encoded form, case-insensitively:
sudo grep -Ei '\.\./|%2e%2e%2f' /var/log/nginx/access.log | wc -l
Detection command for ScreenConnect-specific paths (fixed-string match so the dots are not treated as regex wildcards; the Logs directory is a placeholder for your install):
find /path/to/ScreenConnect/Logs -name "*.log" -exec grep -HnF '../' {} \;
Hunting with Splunk (wildcards are needed, otherwise the field must equal ".." exactly; adjust the index and field names to your sourcetype):
index=main uri_path="/SetupWizard/FileUpload" AND (form_data="*../*" OR form_data="*%2e%2e%2f*")
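The grep and Splunk hunts above each look for one encoding at a time. As an added example (not code from the original post), this Python script percent-decodes each request URI until it is stable, so raw `../`, `%2e%2e%2f` and double-encoded `%252e%252e%252f` all collapse to the same traversal string, then reports whether the request hit one of the two endpoints named in the write-up. The log lines are constructed samples in common log format, not real traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoints named in the write-up; traversal against any other path is still reported, just not flagged.
WATCHED_PATHS = ("/Relay/FileTransfer", "/SetupWizard/FileUpload")
TRAVERSAL = re.compile(r"\.\./")
# Common log format: client ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %2e%2e%2f and %252e%252e%252f both become ../"""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/")  # treat Windows separators like forward slashes

def inspect_line(line: str):
    """Return a finding for a log line whose decoded URI carries a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("uri")
    decoded = normalize(raw)
    if not TRAVERSAL.search(decoded):
        return None
    path = urlsplit(decoded).path
    return {
        "ip": m.group("ip"), "method": m.group("method"), "status": m.group("status"), "uri": raw,
        "watched_endpoint": any(path.startswith(p) for p in WATCHED_PATHS),
        "encoded": raw != decoded,  # traversal was hidden behind URL encoding
    }

def scan(lines):
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Feb/2024:10:01:02 +0000] "POST /SetupWizard/FileUpload?path=../../ScreenConnect/UserFiles/x.aspx HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Feb/2024:10:01:07 +0000] "POST /SetupWizard/FileUpload?path=%2e%2e%2f%2e%2e%2fScreenConnect%2fUserFiles%2fx.aspx HTTP/1.1" 200 512',
    '198.51.100.9 - - [22/Feb/2024:10:02:00 +0000] "GET /Relay/FileTransfer?file=%252e%252e%252fApp_Data%252f HTTP/1.1" 403 0',
    '192.0.2.44 - - [22/Feb/2024:10:03:00 +0000] "GET /Login HTTP/1.1" 200 2048',
    '192.0.2.44 - - [22/Feb/2024:10:03:05 +0000] "GET /App_Themes/x/images/../logo.png HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Pipe a real access log in with `scan(open("access.log"))`; a hit with `encoded` set and a 200 status on a watched endpoint is the case worth escalating first.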
Patch validation script (Web.config is an XML file and carries no file version, so read the version from the ScreenConnect binaries instead; the install directory is the one used in this post, adjust if installed elsewhere):
powershell -Command "Get-ChildItem 'C:\Program Files\ScreenConnect' -Recurse -Include 'ScreenConnect*.exe','ScreenConnect*.dll' | Select-Object Name, @{n='FileVersion';e={$_.VersionInfo.FileVersion}}"
If the version is lower than 23.9.8, the server is vulnerable.
Exploit:
Authenticated session cookie required. Send a multipart POST to `/SetupWizard/FileUpload?path=../../ScreenConnect/UserFiles/cmd.aspx` with an ASPX webshell payload. Then request `https://target/ScreenConnect/UserFiles/cmd.aspx?cmd=whoami`...
Protection from this CVE:
Immediately patch to version 23.9.8 or later. Restrict network access to ScreenConnect administrative interfaces. Implement WAF rules blocking `../`, `%2e%2e%2f` and `%252e` sequences. Disable the SetupWizard component if it is not needed. Enforce least privilege for the service account (run as NetworkService, not SYSTEM). Monitor for anomalous file uploads to the `UserFiles` and `App_Data` folders.
Impact:
Remote code execution leading to full server compromise. Attackers can install ransomware, exfiltrate RMM credentials, and pivot to managed endpoints. Confidentiality, integrity, and availability are all impacted (each rated high). Unpatched instances in thousands of MSP environments enable supply-chain attacks.
Sources:
Reported By: www.cve.org