Detect Samsung MagicINFO 9 Server Path Traversal and Arbitrary File Upload in Google Chronicle
Detects exploitation of CVE-2024-7399, a path traversal and unrestricted file upload vulnerability in Samsung MagicINFO 9 Server. Successful exploitation allows unauthenticated or low-privileged attackers to upload arbitrary files outside the intended directory, potentially leading to remote code execution. This CVE is actively exploited in the wild (CISA KEV).
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
YARA-L Detection Query
rule cve_2024_7399_magicinfo_path_traversal {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2024-7399 exploitation: path traversal and file upload against Samsung MagicINFO 9 Server"
severity = "CRITICAL"
priority = "HIGH"
cve = "CVE-2024-7399"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-7399"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.target.port in (80, 443, 8080, 7001, 8088)
(
re.regex($e.network.http.referral_url, `\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e%2e%5c`) or
re.regex($e.target.url, `\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e%2e%5c`) or
re.regex($e.target.url, `(?i)magicinfo`) or
(
$e.network.http.method = "POST" and
re.regex($e.target.url, `(?i)\.(jsp|jspx|aspx|php|war|sh)$`)
)
)
match:
$e.principal.ip over 5m
outcome:
$risk_score = 85
$src_ip = array_distinct($e.principal.ip)
$dst_ip = array_distinct($e.target.ip)
$urls = array_distinct($e.target.url)
$event_count = count($e.metadata.id)
condition:
#e > 2
}Chronicle YARA-L 2.0 rule detecting path traversal sequences and suspicious file upload requests to Samsung MagicINFO 9 Server ports with a 5-minute correlation window.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate MagicINFO server administration via encoded API paths
- Authorized red team operations targeting MagicINFO infrastructure
- Proxy servers that normalize and re-encode URLs before forwarding to MagicINFO
Other platforms for CVE-2024-7399
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-7399 Path Traversal Directory Enumeration
Expected signal: Web access logs show GET requests with '../', '%2e%2e%2f', or '..%2f' in the URI path targeting MagicINFO endpoints. Network monitoring captures HTTP requests to port 8080 with traversal sequences.
- Test 2CVE-2024-7399 Web Shell Upload via Path Traversal
Expected signal: IIS or servlet container logs show POST request to upload endpoint with path traversal in query parameter. Filesystem monitoring detects new .jsp file created in webroot. Process monitoring may show java.exe or tomcat process writing to unexpected directory.
- Test 3CVE-2024-7399 Web Shell Execution Verification
Expected signal: Access logs show GET request to the uploaded shell path returning HTTP 200. EDR/process monitoring captures cmd.exe, sh, or powershell.exe spawned as a child of the Java/Tomcat process. Network connections from MagicINFO server process to external IPs if a reverse shell payload is used.
Unlock Pro Content
Get the full detection package for CVE-2024-7399 including response playbook, investigation guide, and atomic red team tests.