IntruderLabs ZirouDei Project

Date: 2023-05-25

Discoverer: Alan Lacerda (ifundef)

Exploit Coder: Alan Lacerda (ifundef) | Yueslly Lisbooa (0xC4CTU$)

Vulnerability

Mk-Auth Remote Command Execution (RCE) via Unrestricted Upload

Product Description

Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.

Vulnerability Description

It is possible to upload a crafted .htaccess file to the Virtual Disk. This vulnerability may be used to gain Remote Command Execution on the server.

Additional Information:

The application does not allow .php files to be uploaded but, by sending a crafted .htaccess file, an attacker may instruct the server to use the PHP interpreter for any other file extension (even a random one like *.labs).
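The gap described above comes from refusing one extension instead of accepting a known set. The following added example (not Mk-Auth code and not part of the original advisory) compares a model of that blocklist with an allowlist validator that also refuses dotfiles and embedded paths; the function names, the allowed extensions and the sample file names are assumptions made for illustration.

```python
import secrets

# Assumption: the file types a Virtual Disk deployment wants to accept.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt"}


def blocklist_accepts(filename: str) -> bool:
    """Model of the filter the advisory describes: only .php is refused."""
    return not filename.lower().endswith(".php")


def allowlist_accepts(filename: str) -> bool:
    """Accept only plain 'name.ext' files whose every extension is allowlisted."""
    # Normalise both separator styles, then keep the final path component.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base != filename:
        return False  # empty name or embedded path
    if base.startswith(".") or any(ord(c) < 32 for c in base):
        return False  # dotfiles (.htaccess, .user.ini) and control characters
    stem, *extensions = base.split(".")
    if not stem or not extensions:
        return False
    # Strict on purpose: "photo.php.jpg" fails because "php" is not allowlisted.
    return all(ext.lower() in ALLOWED_EXTENSIONS for ext in extensions)


def stored_name(filename: str) -> str:
    """Server-chosen name: the client controls only the validated extension."""
    if not allowlist_accepts(filename):
        raise ValueError("upload rejected")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample names, not taken from the advisory's exploit.
SAMPLES = ["invoice.pdf", ".htaccess", "notes.labs", "shell.php",
           "photo.php.jpg", "../.htaccess"]


def compare(names=SAMPLES):
    """Map each name to (blocklist verdict, allowlist verdict)."""
    return {n: (blocklist_accepts(n), allowlist_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name!r:18} blocklist={old!s:5} allowlist={new}")
```

Name validation is one layer only: keeping uploads outside the web root, or disabling per-directory overrides for the upload directory (Apache `AllowOverride None`), stops an uploaded .htaccess from being honoured even if one gets through.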

Vulnerability Type:

CWE-434: Unrestricted Upload of File with Dangerous Type

Vendor:

Mk-Auth

Affected Product:

MK-Auth <= 23.01K4.9

Affected Component:

Virtual Disk

Attack Vector:

Remote

Code Execution:

Yes

Attack Vector:

Any client of the Internet Service Provider who has access to the platform (to download bills and request support) and has the Virtual Disk feature may exploit this vulnerability.

Reference:

http://mk-auth.com.br/