Vulnerability
BigAnt Server Version 5.6.06 suffers from Unrestricted Upload of File with Dangerous Type
Prerequisites
Exploit
Example 01: Cloud Disk
Users can upload files with malicious extensions, in this example .php, via the Cloud Disk add-in
By leveraging the 'Share File' feature, users can determine the path and file
Combined with improper access control, this lets users find the path and file name to access
This can be used to gain remote code execution as system
Example 02: Broadcast
Users that have the ability to send Broadcasts can upload files with malicious extensions, in this example .php
Viewing the details of the broadcast only shows the file
Viewing the source code reveals the actual path of the file. Combined with insecure access control, any user can access it without authentication to gain remote code execution as system
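Both examples rely on the server keeping a client-chosen .php extension. The following is an added mitigation sketch for that weakness class, not code from BigAnt or from the original advisory: it validates the client file name against an allowlist and returns a random stored name. The function names, the allowlist contents and the Windows-specific name handling are assumptions made for illustration.

```python
import re
import secrets

# Assumption: extensions the deployment actually needs; everything else is refused.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt", "docx", "xlsx", "zip"}
# Extensions a script-capable web server may hand to an interpreter.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                         "pht", "asp", "aspx", "jsp", "cgi", "pl", "htaccess"}


def safe_stored_name(client_name: str) -> str:
    """Return a random server-side file name, or raise ValueError.

    Only the validated extension of the client-supplied name survives, so the
    stored name cannot be derived from the upload request itself.
    """
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    # Drop any directory part, whichever separator the client used.
    base = re.split(r"[\\/]", client_name)[-1]
    # Windows ignores NTFS stream suffixes ("a.php::$DATA") and trailing
    # dots/spaces ("a.php. ") when opening a file, so strip them before checking.
    base = base.split(":", 1)[0].rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("file name has no usable extension")
    # Check every dot-separated segment: "shell.php.jpg" can still reach an
    # interpreter on servers that map handlers on any segment of the name.
    for segment in parts[1:]:
        if segment in EXECUTABLE_EXTENSIONS:
            raise ValueError(f"executable extension: .{segment}")
    extension = parts[-1]
    if extension not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not on allowlist: .{extension}")
    return f"{secrets.token_hex(16)}.{extension}"


def is_rejected(client_name: str) -> bool:
    """True when the upload must be refused."""
    try:
        safe_stored_name(client_name)
    except ValueError:
        return True
    return False
```

Files saved under the returned name belong in a directory the web server does not map to a script handler, served only through an endpoint that checks authentication and authorization.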
Timeline
12-01-2021: Submitted vulnerabilities to vendor via email
12-01-2021: Vendor responded asking for more details
12-02-2021: Responded to vendor with additional details
12-02-2021: Vendor responded stating they were looking into the vulnerabilities
12-29-2021: Emailed vendor, no response
01-11-2022: Emailed vendor, no response
01-12-2022: Requested CVEs
01-28-2022: CVEs assigned, no response from vendor
02-26-2022: Emailed vendor, no response
03-21-2022: PoC/CVE published
Reference
MITRE CVE-2022-23346
BigAnt Software
Disclaimer
Content is for educational and research purposes only. Author doesn’t hold any responsibility over the misuse of the software, exploits or security findings contained herein and does not condone them whatsoever.







