CVE-2024-9464 + CVE-2024-5910 Palo Alto Networks Expedition Exploit Chain

This exploit chain was first publicized by Horizon3.ai, and while we found a small internet-facing footprint, we believe the target is useful enough that exploitation in the wild is inevitable. The team developed Snort and Suricata rules for both CVEs and an exploit that chains them together to achieve unauthenticated RCE. The team also created a PCAP and developed Shodan, Censys, FOFA, ZoomEye, and GreyNoise queries.

CVE-2024-28000: LiteSpeed Cache WordPress Plugin Admin Hash Bruteforce RCE

This is a recent addition to the VulnCheck KEV, and Wordfence alleges they have blocked nearly 2 million attempts to use this vulnerability in the last 24 hours. The team developed an exploit for the LiteSpeed Cache WordPress plugin that takes advantage of an insecure hash generation vulnerability in the mechanism LiteSpeed Cache uses for authorized site crawling. Once an attacker identifies the generated hash, they can make authorized queries against any administrative API with the litespeed_hash header set. The hash must be bruteforced, requiring between 1 and 1,000,000 requests to the server. The team provides PCAPs, Suricata and Snort signatures, Censys, Shodan, FOFA, and ZoomEye queries, and scanners with version checking.

We also believe that currently all other public PoCs do not properly implement PHP's Mersenne Twister random generator, meaning that the majority of exploits will not work. Our implementation uses a PRNG that matches PHP's, so it will not give false negatives when the system is vulnerable.
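Because the hash space forces up to a million guesses, the brute force is loud in web server logs. As an added example (not part of this release and not VulnCheck's own code), the detector below flags any client that cycles through many distinct litespeed_hash values and notes whether a 2xx response followed the guessing. It assumes a custom access log format with the litespeed_hash request header value appended as a trailing quoted field; the header name comes from the description above, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format: common log format plus the litespeed_hash header
# value as a final quoted field (e.g. via a custom nginx/Apache LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<hash>[^"]*)"$'
)


def find_hash_bruteforce(log_text, threshold=50):
    """Return {ip: {"attempts": n, "success": bool}} for every source that
    sent more than `threshold` distinct litespeed_hash values. `success`
    is set when a request from that source received a 2xx status after the
    threshold was crossed, the shape a successful brute force leaves."""
    hashes = defaultdict(set)
    success = defaultdict(bool)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["hash"]:
            continue  # unparseable line or no hash header present
        ip = m["ip"]
        hashes[ip].add(m["hash"])
        if len(hashes[ip]) > threshold and m["status"].startswith("2"):
            success[ip] = True
    return {ip: {"attempts": len(h), "success": success[ip]}
            for ip, h in hashes.items() if len(h) > threshold}


def _line(ip, status, h):
    """Build one constructed access log line in the assumed format."""
    return (f'{ip} - - [10/Oct/2024:12:00:01 +0000] '
            f'"GET /wp-json/wp/v2/users HTTP/1.1" {status} 0 "{h}"')


# Constructed sample: one client guessing 60 hashes and then getting a 200,
# one client repeating a single hash (what a legitimate crawler looks like).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 401, str(n)) for n in range(1, 61)]
    + [_line("203.0.113.7", 200, "61")]
    + [_line("198.51.100.9", 200, "424242")] * 5
)

if __name__ == "__main__":
    for ip, info in find_hash_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} distinct hashes, success={info['success']}")
```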

CVE-2024-44000: LiteSpeed Cache Debug Log Credential Leak to RCE

The team also developed an exploit for the CVE-2024-28000 variant that utilizes leaked debug logs when debug mode is enabled on LiteSpeed Cache. This vulnerability requires a non-default configuration, but the team leveraged it to land an exploit that achieves unauthenticated remote command injection. LiteSpeed Cache claims an active installation base of more than 6 million, so it seems reasonable to assume there are vulnerable targets. The team again provided Snort and Suricata rules, PCAPs, Censys, Shodan, FOFA, and ZoomEye queries, as well as a YARA rule and version scanner.

Bug Fixes

The team updated all exploits to go-exploit 1.29.1 to fix an error in the HTTPServeFile configuration. Additionally, the Docker images for the Confluence bugs were updated to pull in their verification code properly. Although not necessarily a bug, the team updated the Makefile to allow for smaller binaries; see the README.md for notes.

IP-Intel

IP-Intel was updated to track Squid Proxy, Sercomm CPE routers, and Huawei HomeGateway/CPE routers.

In Progress

The team is actively working on the Fortinet FortiManager CVE-2024-47575 vulnerability.