Badaso 2.6.0 - Remote Command Execution
10
Critical
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Badaso 2.6.0 - RCE
Code name
State
Public
Release date
Oct 18, 2022
Affected product
Badaso
Affected version(s)
Version 2.6.0
Vulnerability name
Remote command execution
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score
10.0
Exploit available
Yes
CVE ID(s)
Description
Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
Vulnerability
This vulnerability occurs because the application does not correctly validate files uploaded by users. Thanks to this, we uploaded a file with malicious PHP code, instead of an image file.
Exploitation
To exploit this vulnerability, the following file must be sent to the server:
exploit.php
It is important to put an XML header before the malicious code to bypass security controls.
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-41711 to refer to this issue from now on. Disclosure policy
System Information
Version: Badaso 2.6.0
Operating System: GNU/Linux
Mitigation
An updated version of Badaso is available at the vendor page.
References
Timeline
Vulnerability discovered
Oct 5, 2022
Vendor Confirmed Vuln.
Oct 5, 2022
Vulnerability patched
Oct 11, 2022
Vendor contacted
Oct 5, 2022
Vendor replied
Oct 5, 2022
Public disclosure
Oct 18, 2022
