The ‘audioFile’ parameter of the /quicklert/albumimages.jsp web form in Quicklert for Digium Switchvox Version 10 Build 1043 is vulnerable to arbitrary file upload. This vulnerability allows authenticated (low-privilege) attackers to upload malicious files to the server, which are then executed when called by the media viewer within the web application. The exploitation of this vulnerability resulted in a complete compromise of the confidentiality, integrity, and availability of the server and served as a jump point into the victim’s DMZ.
After being authenticated, we first navigated to the /quicklert/album.jsp page, which allowed us to add a new media album to our test account. After creating the new album, we were then able to upload new media files via the /quicklert/albumimages.jsp web form.
Figure 1: Quicklert Album “Test” Created
Figure 2: Quicklert Album File Upload
We then created a Java reverse shell utilizing msfvenom. This payload was saved as “reverse.mp3”.
We then uploaded the reverse.mp3 file via /quicklert/albumimages.jsp while the interceptor functionality of Burp Suite proxy was running. This allowed us to capture the POST request and make the following modifications:
We renamed the filename from “reverse.mp3” to “reverse.mp3;.jsp”. This ensures that the server recognizes the Java reverse shell as a valid JSP file while bypassing any file extension validations the web application had in place.
Additionally, we added a small piece of the byte-stream from a valid mp3 file by “catting” the file and then pasting the results above the current payload in Burp Suite.
After making these modifications, we released the intercepted request to allow it to POST the payload to the server. All of this is illustrated below:
Figure 3: File Upload POST Request Captured in Burp Suite Before Modifications
Figure 4: File Upload POST Request Captured in Burp Suite After Modifications
After the file was posted on the server, we started a Meterpreter listener and then accessed the “reverse.mp3;.jsp” payload on the server. The server interpreted the Java file correctly and created a reverse connection back to us, ultimately resulting in a complete takeover of the server within the victim’s DMZ.
Figure 5: “Test” Album After “reverse.mp3;.jsp” is uploaded
Figure 6: Resulting Web Page After Clicking “reverse.mp3;.jsp” and the Server Attempts to Open the Java Payload as an MP3 File
Figure 7: Meterpreter Reverse Shell Opened in Metasploit Resulting in System Takeover After Clicking “reverse.mp3;.jsp”
There is no pre-packaged exploit for this vulnerability at this time, although it can be easily exploited manually, as shown in the Proof-of-Concept section above.
Quicklert added file-type validation to the i.Album feature within the application to prevent uploading of potentially malicious file types.
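The following is an added example of server-side upload name validation that rejects the “reverse.mp3;.jsp” filename described above. It is not Quicklert's code: the class name, the extension allowlist, and the one-extension rule are assumptions, and it presumes uploads are stored in a directory the container does not execute JSP from. Content sniffing alone would not have stopped this upload, since valid MP3 bytes were placed ahead of the payload, so the check decides the stored name itself.

```java
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added example: hypothetical upload-name policy, not the vendor's implementation.
public final class UploadNamePolicy {
    // Assumed allowlist of media extensions the album feature needs.
    private static final Set<String> ALLOWED = Set.of("mp3", "wav", "jpg", "png");

    /** Returns a server-generated storage name, or throws if the client name is unacceptable. */
    public static String storageNameFor(String clientName) {
        if (clientName == null || clientName.isEmpty() || clientName.length() > 255) {
            throw new IllegalArgumentException("missing or oversized filename");
        }
        // Reject delimiter characters outright. ';' is the character the bypass on this
        // page relied on; '/', '\\' and ':' cover path tricks; control chars cover NUL.
        for (char c : clientName.toCharArray()) {
            if (c == ';' || c == '/' || c == '\\' || c == ':' || c == '%' || c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("illegal character in filename");
            }
        }
        // Require exactly one dot so "a.mp3.jsp"-style double extensions never pass.
        int dot = clientName.lastIndexOf('.');
        if (dot <= 0 || dot != clientName.indexOf('.') || dot == clientName.length() - 1) {
            throw new IllegalArgumentException("exactly one extension required");
        }
        String ext = clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("extension not allowlisted: " + ext);
        }
        // The client-supplied name never reaches the filesystem; only the
        // allowlisted extension is carried over onto a random name.
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed sample filenames, including the one from this advisory.
        String[] samples = {"song.mp3", "reverse.mp3;.jsp", "a.jsp", "a.mp3.jsp", "../a.mp3"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + storageNameFor(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only “song.mp3” is accepted from the sample list, and it is stored under a random name rather than the name the client sent.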