[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] [Full Disclosure] CVE-2024-22903: Unpatched Command Injection in Vinchin Backup & Recovery Versions 7.2 and Earlier

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] [Full Disclosure] CVE-2024-22903: Unpatched Command Injection in Vinchin Backup & Recovery Versions 7.2 and Earlier
From: Valentin Lobstein via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Thu, 25 Jan 2024 19:23:30 +0000

CVE ID: CVE-2024-22903

Title: Command Injection Vulnerability in SystemHandler.class.php of Vinchin 
Backup & Recovery Versions 7.2 and Earlier

Description:
A significant security vulnerability, CVE-2024-22903, has been identified in 
the `deleteUpdateAPK` function within the `SystemHandler.class.php` file of 
Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This 
function, designed to delete APK files, is prone to a command injection 
vulnerability due to improper handling of input parameters.

Function Analysis:
- The function extracts `md5` and `file_name` parameters from user input.
- It includes a check for an empty `file_name`, but lacks adequate validation 
or sanitization for the input used in constructing system commands.
- The command to delete the specified APK file, built using the `file_name` 
parameter, is executed via the `exec` function, leading to a security 
vulnerability.

Exploitation Risk:
Attackers can exploit this flaw by inserting malicious commands in the 
`file_name` parameter. When this parameter is processed by the vulnerable 
function, the injected commands are executed on the server, presenting a severe 
risk of unauthorized access or control.

Current Status:
As of the latest information, there is no known patch available for this 
vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery.

Recommendation:
Users are urged to be vigilant and to monitor Vinchin for any security updates. 
Until a patch is released, implementing additional security controls and 
closely monitoring system activity is crucial for mitigating the risk posed by 
this vulnerability.

Signed,Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] [Full Disclosure] CVE-2024-22902: Default Root Credentials in Vinchin Backup & Recovery v7.2 and Earlier
Next by Date: [FD] APPLE-SA-01-22-2024-1 Safari 17.3
Previous by thread: [FD] [Full Disclosure] CVE-2024-22902: Default Root Credentials in Vinchin Backup & Recovery v7.2 and Earlier
Next by thread: [FD] APPLE-SA-01-22-2024-1 Safari 17.3
Index(es):
- Date
- Thread