Source: cna@vuldb.com
A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a manipulation of the argument driverClassName/url results in injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Dromara UJCMS 10.0.2 is vulnerable to a critical remote code injection flaw leading to remote code execution (RCE). Attackers can exploit the importChanel function to inject malicious code via crafted input, potentially leading to complete system compromise. The vendor has not addressed the vulnerability, and a public exploit is available, making this a high-priority threat.
Step 1: Payload Delivery: The attacker crafts a malicious payload, specifically targeting the driverClassName or url parameters within the importChanel function. This payload contains malicious code, such as a reverse shell or a command to download and execute a malicious script.
Step 2: Request Submission: The attacker submits the crafted payload via a specially crafted HTTP request to the /api/backend/ext/import-data/import-channel endpoint.
Step 3: Vulnerable Function Execution: The importChanel function receives the malicious input and processes it. Due to the lack of proper input validation, the injected code is not sanitized or blocked.
Step 4: Code Execution: The application executes the injected code, granting the attacker control over the server. This could involve executing arbitrary commands, uploading malware, or gaining persistent access to the system.
The vulnerability lies within the importChanel function of the ImportDataController in Dromara UJCMS 10.0.2. The flaw stems from insufficient validation and sanitization of the driverClassName and url arguments: the application fails to validate this user-supplied input before using it in a dynamic context where it is executed. The root cause is therefore a failure to sanitize user-provided input before it reaches that context, which allows an attacker to inject arbitrary code that is then executed by the system.
While no specific APT groups are explicitly linked to this CVE, the public availability of the exploit and the severity of the vulnerability make it attractive to various threat actors, including ransomware groups or nation-state actors. The vulnerability is not listed on CISA KEV at this time, but it should be considered for inclusion due to the public exploit and the lack of vendor response.
Monitor HTTP traffic for suspicious requests to /api/backend/ext/import-data/import-channel with unusual values in the driverClassName or url parameters.
Analyze server logs for unusual process executions or command invocations that originate from the web server.
Implement intrusion detection system (IDS) rules to identify malicious payloads based on known exploit patterns.
Monitor file system changes for the creation of suspicious files or modifications to existing files, especially those related to web server configuration or system binaries.
Analyze network traffic for outbound connections from the server to suspicious IP addresses or domains, which may indicate a reverse shell or command-and-control communication.
Implement robust input validation and sanitization for the driverClassName and url parameters within the importChanel function. This should include whitelisting acceptable characters and formats and blacklisting known malicious patterns.
Apply the principle of least privilege. Ensure the web server process runs with the minimum necessary permissions.
Implement a Web Application Firewall (WAF) to filter malicious requests and block known exploit attempts.
Regularly update the UJCMS software to the latest version or apply any available security patches (though none are available in this case).
Conduct thorough penetration testing and vulnerability assessments to identify and address security weaknesses.
Isolate the affected server within the network to limit the impact of a successful exploit.
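The following is an added example (not code from UJCMS or the advisory) that combines the traffic-monitoring item above with the allowlist validation recommended for driverClassName and url. It assumes, as the parameter names suggest, that the two values are a JDBC driver class and connection URL, that the endpoint receives them as query-string parameters, and that the web server writes a common-format access log; the allowed driver classes, the JDBC URL pattern and the sample log lines are constructed for illustration and should be adjusted to your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/backend/ext/import-data/import-channel"
# Assumption: only the JDBC drivers this site actually uses are acceptable.
ALLOWED_DRIVERS = {"com.mysql.cj.jdbc.Driver", "org.postgresql.Driver"}
# Strict JDBC URL shape: scheme, host, optional port, database name and nothing else
# (no connection properties, no extra query string).
URL_RE = re.compile(r"^jdbc:(mysql|postgresql)://[A-Za-z0-9.-]+(:\d{1,5})?/[A-Za-z0-9_]+$")
# Common log format: client IP, timestamp, quoted request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def check_params(params):
    """Return the reasons the parameters fail the allowlist checks (empty list = pass)."""
    reasons = []
    for drv in params.get("driverClassName", []):
        if drv not in ALLOWED_DRIVERS:
            reasons.append(f"driverClassName not in allowlist: {drv}")
    for url in params.get("url", []):
        if not URL_RE.match(url):
            reasons.append(f"url does not match strict JDBC pattern: {url}")
    return reasons

def scan_log(lines):
    """Return (ip, timestamp, reasons) for import-channel requests whose parameters fail checks."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != ENDPOINT:
            continue
        reasons = check_params(parse_qs(target.query))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), reasons))
    return hits

# Constructed sample log lines (not real traffic): one benign request, two that should be
# flagged (unexpected driver class; URL carrying an extra property), one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "POST /api/backend/ext/import-data/import-channel?driverClassName=com.mysql.cj.jdbc.Driver&url=jdbc:mysql://db.internal:3306/ujcms HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "POST /api/backend/ext/import-data/import-channel?driverClassName=org.example.UnexpectedDriver&url=jdbc:mysql://db.internal:3306/ujcms HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "POST /api/backend/ext/import-data/import-channel?driverClassName=com.mysql.cj.jdbc.Driver&url=jdbc:mysql://203.0.113.9:3306/ujcms?extraProperty=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:10:03:00 +0000] "GET /api/backend/content HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(ip, ts, "; ".join(reasons))
```

The same check_params function can sit in front of the import handler as the server-side allowlist, so that a value which the log scanner would flag is rejected before it is ever used.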