Shells on the File System: Dissecting CVE-2024-39943 in HFS
Vulnerability ID: CVE-2024-39943
CVSS Score: 9.9
Published: 2024-07-04
A critical OS Command Injection vulnerability in Rejetto HFS 3 allows authenticated attackers with upload permissions to execute arbitrary commands on the host server via the disk space check logic.
TL;DR
Rejetto HFS 3, the Node.js rewrite of the popular file server, contained a classic command injection flaw. User-supplied paths were interpolated, unsanitized, into a shell command string used to check free disk space (the df command), so an attacker with upload rights could break out of the quoted string and have the shell run arbitrary commands. Fixed in version 0.52.10 by replacing execSync with spawnSync, which passes the path to df as a separate argument instead of through a shell.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-78 (OS Command Injection)
- CVSS Score: 9.9 (Critical)
- Attack Vector: Network (Authenticated)
- EPSS Score: 0.7834 (High Probability)
- Impact: Remote Code Execution (RCE)
- Vulnerable Component: src/util-os.ts (getDiskSpaceSync)
Affected Systems
- Rejetto HFS 3 (Node.js version)
- HFS 3: < 0.52.10 (Fixed in: 0.52.10)
Code Analysis
Commit: 305381b
fix: execSync replaced with spawnSync to prevent command injection
--- a/src/util-os.ts
+++ b/src/util-os.ts
- const out = try_(() => execSync(`df -k "${path}"`).toString(),
+ const out = try_(() => spawnSync('df', ['-k', path]).stdout.toString(),
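Review bot: the replacement line still reads .stdout.toString() without checking the spawn result, and spawnSync returns stdout as null when the process cannot be started (df missing from PATH), so that expression throws and is swallowed by try_; a non-zero exit status (nonexistent path) is likewise never checked, so empty output goes on to the parser. Suggest capturing the result, testing result.error and result.status, and only then reading result.stdout. Separately, the argv form removes shell parsing but not option parsing: a path that begins with "-" is handed to df as an argument and will be treated as a flag; on GNU df, spawnSync('df', ['-k', '--', path]) avoids that.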
Exploit Details
- GitHub: Discussion and PoC snippets related to the vulnerability in the project's issue tracker.
Mitigation Strategies
- Update to HFS version 0.52.10 or later.
- Restrict network access to the HFS interface.
- Remove upload permissions from untrusted users.
Remediation Steps:
- Download the latest release from the official Rejetto HFS GitHub repository.
- Replace the existing HFS executable/script with the new version.
- Restart the HFS service.
- Verify the version number in the dashboard.