CVE-2024-24350: e-Sic Livre <= 2.0 Authenticated File Upload leads to Remote Code Execution (RCE)

Vinícius Pinheiro
Jan 18, 2024


e-Sic Livre is an open-source citizen service system built to comply with Brazil's Access to Information Law. It is widely used by Brazilian government entities.

Other researchers have already reported flaws such as XSS and SQL injection in this same product.

Although the flaw requires authentication, obtaining an account is trivial: self-registration is open at /cadastro/, and filling in the form completes the registration.

To exploit the flaw, go to /solicitacao/ and create a new citizen request; the vulnerable upload is part of that form.

The vulnerable code is in solicitacao/upload.php.

Understanding the Code

Code 1

The back-end validates only the MIME type, and the MIME type it checks is the Content-Type the client declares for the uploaded part, which the attacker controls. The file extension is never validated, so a .php file is accepted as long as its declared type is on the allow-list.

Uploading a file with an allowed MIME type but a dangerous extension

The declared Content-Type must be application/pdf or image/jpeg; any other value is rejected and the exploitation fails.
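The check described above, reconstructed as an added example (this is not e-Sic Livre's code; the field name `arquivo`, the directory paths and the function names are assumptions), beside a hardened handler that allow-lists the extension, sniffs the real content type from the bytes and stores the file under a random name outside the document root:

```php
<?php
// Added example, not code from e-Sic Livre. It reconstructs the pattern the
// write-up describes (a check on the client-declared MIME type only) and shows
// a hardened version next to it. The field name "arquivo" and the directories
// are assumptions for illustration.

// --- Vulnerable pattern -------------------------------------------------------
// $_FILES['arquivo']['type'] is copied verbatim from the Content-Type header of
// the multipart part, so the client picks it. Nothing looks at the extension, so
// shell.php declared as application/pdf is accepted and written under the web
// root with its original name, where the web server executes it.
function upload_vulnerable(array $file, string $dir): ?string
{
    $allowed = ['application/pdf', 'image/jpeg'];
    if (!in_array($file['type'], $allowed, true)) {
        return null;
    }
    $dest = rtrim($dir, '/') . '/' . $file['name'];
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// --- Hardened pattern ---------------------------------------------------------
function upload_hardened(array $file, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Allow-list the extension; the declared type is never consulted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $byExt = ['pdf' => 'application/pdf', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
    if (!isset($byExt[$ext])) {
        return null;
    }
    // 2. Sniff the real type from the file's bytes and require it to match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $byExt[$ext]) {
        return null;
    }
    // 3. Discard the client filename; use a random name with the allow-listed extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // 4. Store outside the document root (or in a directory where PHP execution is
    //    disabled), so even a JPEG/PHP polyglot is served as data, never executed.
    $dest = rtrim($dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Example wiring (assumed field name "arquivo" and a private upload directory).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['arquivo'])) {
    $saved = upload_hardened($_FILES['arquivo'], '/var/uploads_private');
    http_response_code($saved === null ? 400 : 200);
}
```

Against the hardened handler the write-up's payload fails twice over: `shell.php` has no allow-listed extension, and `shell.php.jpg` or `shell.jpg` with PHP inside fails the content sniff unless it is a genuine JPEG, in which case it lands under a random `.jpg` name in a non-executing directory. Renaming the file also removes the original name from the tracking page, so the attacker cannot simply read it back from /acompanhamento/.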

The administrator can configure the directory that uploads are written to (for example /var/www/html/uploads); the value is stored in the database. When that directory sits inside the web root, as in the example, the uploaded .php file is reachable over HTTP and executed by the server, which is what turns the upload into RCE.

If the upload fails, the upload directory stored in the database may be wrong (for instance, a path that does not exist on the target); it can be corrected from /restrito/.

Once the request is submitted, open /acompanhamento/ (the request tracking page) to read back the stored filename of the uploaded file; requesting that file under the upload directory runs the payload.

Exploitation complete

During our research, e-Sic Livre showed itself to be old and unsafe software; if you are running it, we advise removing it immediately.

All the best, Enkrypta Research
