CVE-2024-44849 - Unauthenticated RCE trough Unrestricted File Upload
CVE-2024-44849 - CRITICAL Unauthenticated RCE trough Unrestricted File Upload (<= Qualitor 8.24)
Last updated
CVE-2024-44849 - CRITICAL Unauthenticated RCE trough Unrestricted File Upload (<= Qualitor 8.24)
Last updated
Before we move on to the technical details, it is important to understand what a CVE is. I have written a brief summary in the text below, in case you would like to know a little more.
Qualitor is an ITSM software offered in the B2B (Business-To-Business) model. This means that other companies purchase the "Qualitor ITSM" license from the company "Qualitor Software e Servicos de Informatica S/A".
Qualitor ITSM has a large market share in Rio Grande do Sul, which is the 6th largest state in Brazil, and it is normally hosted on-premises, and deployment can be done by the Qualitor team for a small service fee.
Some time ago, I was creating new dorks to use in the Bug Bounty programs, when I found an exposed web server with Directory Listing enabled:
By accessing this server, it was possible to identify a exposed .git directory:
You can learn more about git common weakness in the HackTricks book.
Exploring the exposed directory, I identified cleartext credentials that could be used to gain access to the Qualitor ITSM source code:
Using the same exposed URL with credentials, it was possible to obtain access to the Qualitor ITSM source code:
The risks of exposing this credential may result in the identification of vulnerabilities through source code analysis, theft of intellectual property, or unfair competition in the market.
Since this is an ITSM, users are expected to be able to attach files to tickets, so I looked for a file that had file upload functions. When I found a file, I compared it with another random ITSM file, where I identified that this PHP file for file uploads did not have any access control mechanisms:
After identifying the absence of access control mechanisms, I discovered that a file upload algorithm vulnerable due to a lack of restrictions based on file heuristics or characteristics:
This flaw allows an attacker to upload any file type to the server without validation, posing a significant security risk. Without proper checks in place, an attacker could potentially upload malicious files (such as scripts or executables) that can later be executed or abused, leading to unauthorized access, privilege escalation, or code execution.
Now, let's see how this vulnerability arises in more technical details:
Line 12: $tempFile = $_FILES['fleArquivo']['tmp_name'];
This line stores the temporary path of the uploaded file. At this point, no validation is performed to check the type, content, or integrity of the file, making it the first point where improper handling begins.
Line 113: $storeFolder = $_REQUEST['nmdiretoriorede']."/" . $_FILES['fleArquivo']['name'];
Here, the destination path for the file is constructed, directly using user-provided input ($_REQUEST['nmdiretoriorede']
) and the original file name without any sanitation. This can lead to directory traversal attacks or file overwrites if not properly secured.
Line 115: $retorno = move_uploaded_file($tempFile, $storeFolder);
This function moves the file from its temporary location to the final destination on the server. Since no validation was performed before this, any file type, including potentially dangerous files, could be successfully uploaded to the server.
To demonstrate the impact of this vulnerability in a practical way, I developed an exploit capable of automatically exploiting it and gaining access to a terminal within any host with Qualitor, without any type of authentication:
Also available on GitHub: https://github.com/extencil/CVE-2024-44849
As of this moment, I have not received a formal response from the Qualitor team to mitigate this vulnerability.
However, you can TEMPORARILY mitigate this vulnerability by adding the code below to the checkAcesso.php
file:
Before (without fix) ❌❌❌:
After (with fix) ✅✅✅:
The code above imports Qualitor's native access control component, which is responsible for checking only if the user is authenticated, but authenticated users can still exploit this vulnerability (regular user, without admin permissions).
This is not and should not be considered a definitive fix, but it is the most I can do to help protect your infrastructure until there is a formal response from the Qualitor team.
This vulnerability was not cataloged by MITRE at the time I identified it. This vulnerability was identified in June 2024 and immediately reported to the company through several channels:
LinkedIn: I contacted the IT and Infrastructure coordinators, no response.
WhatsApp: I contacted the support team via Qualitor's corporate number, no response (they only respond to WhatsApp for their customers)
E-mail: I sent e-mails to the contact addresses registered in Registro.BR's national whois database, but I also received no response.
Timeline in format: MM-DD-YYYY (Month, Day, Year)
I would like to thank my friends for their suggestions for registering this CVE.
Musa Attalah from NAVA;
Messede from The Hackers Choice;
Skyper from The Hackers Choice;
Clonazepunk from The Hackers Choice.