Date: 2023-05-25
Discoverer: Alan Lacerda (ifundef)
Exploit Coder: Alan Lacerda (ifundef) | Yueslly Lisbooa (0xC4CTU$)
Mk-Auth Remote Command Execution (RCE) via Unrestricted Upload
Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.
It is possible to upload a crafted .htaccess files to the Virtual Disk. This vulnerability may be used to gain Remote Command Execution to the server.
The application does not allow .php files to be uploaded but, by sending a crafted .htaccess an attacker may instruct the server to use php interpreter to any other file extention (even a random one like *.labs).
CWE-434: Unrestricted Upload of File with Dangerous Type
Mk-Auth
MK-Auth <= 23.01K4.9
Virtual Disk
Remote
Yes
Any client of the Internet Service Provider that has access to the platform (to download billings and request for support) and has the Virtual Disk feature, may exploit this vulnerability.