← Advisories

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 (pre-auth) Remote Code Execution

Critical
Advisory ID
ZSL-2020-5582
Release Date
13 August 2020
Vendor
Shenzhen Xingmeng Qihang Media Co., Ltd., Guangzhou Hefeng Automation Technology Co., Ltd. - http://www.howfor.com
Affected Version
3.0.9.0
CVE
N/A
Tested On
Microsoft Windows Server 2012 R2 Datacenter, Microsoft Windows Server 2003 Enterprise Edition, ASP.NET 4.0.30319, HowFor Web Server/5.6.0.0, Microsoft ASP.NET Web QiHang IIS Server
Summary

Digital Signage Software.

Description

The application suffers from an unauthenticated remote code execution. The vulnerability is caused due to lack of verification when uploading files with QH.aspx that can be written in any location by utilizing the 'remotePath' parameter to traverse through directories. Abusing the upload action and the 'fileToUpload' parameter, an unauthenticated attacker can exploit this to execute system commands by uploading a malicious ASPX script.

Proof of Concept
qhsignage_rce.htmlTXT
Disclosure Timeline
27.07.2020Vulnerability discovered.
28.07.2020Vendor contacted.
31.07.2020No response from the vendor.
10.08.2020Vendor contacted.
12.08.2020No response from the vendor.
13.08.2020Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/158862/QiHang-Media-Web-Digital-Signage-3.0.9-Remote-Code-Execution.html
[2]https://cxsecurity.com/issue/WLB-2020080060
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/186771
[4]https://www.exploit-db.com/exploits/48751
Changelog
13.08.2020Initial release
14.08.2020Added reference [1] and [2]
16.08.2020Added reference [3]
18.08.2020Added reference [4]