CVE-2024-56331 Scanner

CVE-2024-56331 Scanner - Local File Inclusion (LFI) vulnerability in Uptime Kuma

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 18 days 2 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Uptime Kuma is an open-source monitoring tool widely used by developers, system administrators, and DevOps engineers to monitor the uptime and availability of services. It provides customizable monitoring with real-time notifications and supports multiple protocols including HTTP(s), TCP, and ping. The platform is known for its modern user interface and ease of deployment in both self-hosted and cloud-based environments. Uptime Kuma is commonly integrated into CI/CD pipelines or internal monitoring systems for visibility into service health. Organizations prefer it for its open-source nature and community-driven development. It is often deployed on private servers or within internal networks for security monitoring.

The scanner targets a Local File Inclusion (LFI) vulnerability in Uptime Kuma. This flaw arises from improper URL handling in the "real-browser" feature, allowing malicious users to load local files via crafted URLs. The vulnerability can be exploited using the `file:///` scheme to access sensitive system files such as `/etc/passwd`. It is considered a critical issue due to the ease of exploitation and the potential for information disclosure. LFI vulnerabilities like this one may lead to full system compromise when chained with other bugs. It requires authentication but can be exploited via standard WebSocket connections. The issue is patched in version 1.23.16.

Technically, the vulnerability resides in how the "real-browser" feature processes user-supplied URLs. By sending WebSocket requests with the `file:///` prefix, attackers can trick the application into generating screenshots of arbitrary local files. The server fails to validate the supplied URLs and directly processes requests pointing to local paths. The vulnerability is triggered via a crafted WebSocket message using the `add` method with a target pointing to sensitive files such as `/etc/passwd`. The attacker must be authenticated but does not require elevated privileges. The scanner confirms the flaw by checking the response for the message that acknowledges the monitor was added; a sample matcher looks for that confirmation string in the application's response.
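The missing check is a scheme allow-list on the monitor target before it reaches the headless browser. The function below is an added example written for this page, not Uptime Kuma's own code or its 1.23.16 patch; its name and the sample inputs are constructed.

```javascript
// Added example (not Uptime Kuma code): allow-list validation for the URL a
// "real-browser" style monitor is asked to screenshot. Only http: and https:
// targets are accepted; file:, data:, javascript: and any other scheme are
// rejected. Needs only the WHATWG URL parser built into Node.js 18+.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, url } with the normalized URL for an acceptable target,
// or { ok: false, reason } for anything the browser must not be asked to load.
function validateBrowserMonitorUrl(input) {
  if (typeof input !== "string") {
    return { ok: false, reason: "URL must be a string" };
  }
  let parsed;
  try {
    // WHATWG parsing strips surrounding whitespace and lower-cases the scheme,
    // so "  FILE:///etc/passwd" and "file:/etc/passwd" both parse as file:.
    parsed = new URL(input);
  } catch {
    // Relative paths and junk never reach the browser either.
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  // Hand back the canonical form so later code cannot re-parse the raw input
  // differently from the check that just approved it.
  return { ok: true, url: parsed.href };
}

// Constructed sample targets, as a monitor "add" request might carry them.
const SAMPLE_TARGETS = [
  "https://example.com/status",
  "HTTP://Example.COM",
  "file:///etc/passwd",
  "  FILE:///etc/passwd",
  "file:/etc/passwd",
  "javascript:alert(1)",
  "example.com",
];

function summarizeSamples() {
  return SAMPLE_TARGETS.map((t) => [t, validateBrowserMonitorUrl(t).ok]);
}

module.exports = { validateBrowserMonitorUrl, summarizeSamples };
```

The same check belongs on every WebSocket handler that creates or edits a monitor, not only on the form in the UI, since the page notes the attack goes straight over the WebSocket channel.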

If exploited, attackers may gain unauthorized access to sensitive local files, including password configurations, SSH keys, or application secrets. This can lead to further compromise of the host system, including privilege escalation or lateral movement. Information disclosure may be used to assist in more targeted attacks. In shared hosting environments, other tenants may also be affected. It increases the attack surface significantly, especially in exposed internal tools. The impact may vary based on the permissions of the running service.
