Badaso 2.6.3 - Remote Command Execution
10
Critical
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Badaso 2.6.3 - RCE
Code name
State
Public
Release date
Nov 16, 2022
Affected product
Badaso
Affected version(s)
Version 2.6.3
Vulnerability name
Remote command execution
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score
10.0
Exploit available
Yes
CVE ID(s)
CVE-2022-41705
Description
Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
Vulnerability
This vulnerability occurs because the application does not correctly validate files uploaded by users. Because of this, we were able to upload a file containing PHP code instead of an image file.
Exploitation
To exploit this vulnerability, the following file must be sent to the server:
exploit.php
It is important to put an XML header before the malicious code to bypass security controls.
Evidence of exploitation
Our security policy
We have reserved CVE-2022-41705 to refer to this issue from now on.
Disclosure policy
System Information
Version: Badaso 2.6.3
Operating System: GNU/Linux
Mitigation
An updated version of Badaso is available at the vendor page.
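As an added example (not Badaso's own code, nor the vendor's patch), this is the kind of server-side check that closes this class of bug: the declared extension, the sniffed MIME type and the decoded image header must all agree, and any upload containing a PHP open tag is refused, so an XML declaration in front of the code no longer gets it past the filter. The function names and the two sample inputs are constructed for illustration.

```php
<?php
// Hypothetical upload validator (added example, not Badaso code).
declare(strict_types=1);

// Extension allowlist mapped to the MIME type the bytes must sniff as.
const ALLOWED = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

/** Return null when the upload is acceptable, otherwise the reason it was rejected. */
function rejectUploadReason(string $originalName, string $contents): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return "extension '$ext' is not an allowed image type";
    }
    // Never trust the client-sent Content-Type; sniff the bytes server-side.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->buffer($contents) ?: 'application/octet-stream';
    if (!in_array($sniffed, ALLOWED[$ext], true)) {
        return "content sniffed as $sniffed does not match .$ext";
    }
    // An image must never contain a PHP open tag, whatever it was sniffed as.
    // This catches polyglots such as an XML header followed by PHP code.
    if (preg_match('/<\?(php|=)/i', $contents)) {
        return 'file contains a PHP open tag';
    }
    // Parse the real image header; fake or corrupted images fail here.
    if (@getimagesizefromstring($contents) === false) {
        return 'file is not a decodable image';
    }
    return null;
}

/** Store an accepted upload under a server-generated name, never the client's. */
function safeStoredName(string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a 1x1 PNG, and an XML-headed text file that carries a PHP tag.
$png    = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$xmlPhp = "<?xml version=\"1.0\"?>\n<?php echo 'test'; ?>";
var_dump(rejectUploadReason('avatar.png', $png));    // null: accepted
var_dump(rejectUploadReason('avatar.png', $xmlPhp)); // string: rejected at the MIME check
```

Storing accepted files outside the web root (or on a path where PHP execution is disabled) is a second, independent layer: even if a check is bypassed, the uploaded bytes are served as data rather than run as code.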
References
Timeline
Vulnerability discovered
Oct 24, 2022
Vendor confirmed vulnerability
Oct 26, 2022
Vulnerability patched
Nov 15, 2022
Vendor contacted
Oct 24, 2022
Vendor replied
Oct 24, 2022
Public disclosure
Nov 16, 2022