[Preface]
Lately the internet at my house has been quite slow, so I wanted to make a report to TM on the TM live chat website. I accidentally found the upload button, and browsing to the web page I was able to upload a picture. I wondered, I wonder, I am wondering… could I hack it???
TM LiveChat bug
TM LiveChat Home Page
[Risk Factors]
Technical Impact: Execute Unauthorized Code or Commands
Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for .asp and .php files uploaded to web servers, because the server treats those extensions as automatically executable even when the file system permissions do not grant execute rights. For example, in Unix environments a program normally cannot run unless its execute bit is set, but a PHP file is executed by the web server's PHP handler without ever being invoked as a program on the operating system. The practical consequence is that an upload feature which only checks the file in the browser (client-side) and then stores it under the web root lets an attacker turn "upload a picture" into "run code on the server" (CWE-434).
[Getting Started]
I pointed my browser at the website and right away jumped into the research.
Access: live****.tm.com.my
Unsurprisingly, it looks like all we have to work with is the web server. Off we go then.
Browsing to the website presents a register form to start a live chat.
The register form allowed me to insert any fake info and still access the live chat.
[Hacking Time]
At first, I registered with fake information to access the live chat dashboard. I was greeted warmly by the chat bot, lol xD, and found the upload button, which uploads a picture. Can I bypass it?
TM LiveChat Upload Bypass
Unfortunately, I was able to upload a shell: only client-side validation was applied, so the arbitrary file upload (CWE-434) functionality allows an attacker to upload without authentication.
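The example below is added here and is my own illustration, not code from the original report or from TM's live chat application. It contrasts the pattern described above and in the Risk Factors section, a server that trusts whatever the browser's client-side check let through, with a server-side validator that decides from the bytes it actually received. The upload directory, filenames and sample byte strings are assumptions constructed for the example.

```python
"""Server-side upload validation versus trusting the client.

naive_accepts() mirrors a server that relies on the browser's JavaScript check
and so trusts the client-supplied Content-Type and filename; validate_upload()
is what the server should do instead. All names, paths and byte strings here
are constructed for this example, not taken from any real application.
"""
import os
import secrets

# Allowed image types and the magic bytes each must start with.
ALLOWED_IMAGE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Assumption: a directory outside the web root, so nothing stored here is
# served directly and therefore never reaches a PHP/ASP handler.
UPLOAD_DIR = "/srv/app/uploads"

# Constructed sample inputs (not real uploads).
SAMPLE_PNG = ALLOWED_IMAGE_TYPES["png"] + b"\x00" * 64
SAMPLE_SHELL = b"<?php echo 'constructed payload marker'; ?>"


class UploadRejected(Exception):
    """Raised when an upload fails server-side validation."""


def naive_accepts(filename: str, content_type: str) -> bool:
    """Vulnerable pattern (CWE-434): trust what the client claims.

    The browser-side check already filtered the file picker, so the server
    assumes the name and Content-Type are honest. Anyone sending the request
    with curl or through a proxy controls both values, so 'shell.php' with
    Content-Type 'image/png' is accepted.
    """
    return content_type.startswith("image/") or filename.lower().endswith((".png", ".jpg"))


def validate_upload(filename: str, data: bytes, max_bytes: int = 5 * 1024 * 1024) -> str:
    """Hardened check. Returns the canonical extension to store under.

    Every decision is based on the received bytes, never on the name or
    Content-Type the client chose. Raises UploadRejected on any failure.
    """
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")

    # Strip any directory component so '../../x.png' cannot escape UPLOAD_DIR.
    base = os.path.basename(filename.replace("\\", "/"))
    name, dot, ext = base.lower().rpartition(".")
    if not dot or not name:
        raise UploadRejected("missing extension")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if "." in name:
        # 'shell.php.png': some server configurations pick the first handler
        # they recognise, so refuse double extensions outright.
        raise UploadRejected("double extension not allowed")
    if not data.startswith(ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("content does not match claimed image type")

    lowered = data.lower()
    if any(marker in lowered for marker in (b"<?php", b"<?=", b"<%", b"<script")):
        # Polyglot guard: a valid PNG header with script appended still
        # carries a recognisable interpreter tag.
        raise UploadRejected("embedded script marker in image data")
    return ext


def is_rejected(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload() refuses the file."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False


def storage_name(ext: str) -> str:
    """Never keep the client's filename: a random name removes path tricks
    and makes the stored object unguessable."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename: str, data: bytes) -> str:
    """Validate, then return the path the file would be written to."""
    ext = validate_upload(filename, data)
    return os.path.join(UPLOAD_DIR, storage_name(ext))


if __name__ == "__main__":
    print("naive accepts shell.php as image/png:", naive_accepts("shell.php", "image/png"))
    print("hardened rejects shell.php:", is_rejected("shell.php", SAMPLE_SHELL))
    print("hardened stores a real PNG at:", handle_upload("cat.png", SAMPLE_PNG))
```

The two checks that matter most are the magic-byte comparison and the storage location: even if a polyglot slips past the marker scan, a file written outside the web root under a random name is never handed to the server's script handler.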
[Affected Component]
Upload functionality
[Has vendor confirmed or acknowledged the vulnerability?]
Yes.
[Concluding]
Mission accomplished! Full upload bypass to get access into their system.
Since people have been asking: the bug has already been fixed. (CWE-434)
[DISCLAIMER]
I reported this bug to the MyCERT team on January 05, 2023.
Anything you learned from this blog is for research and educational purposes only. Do not use the knowledge for illegal things.
Sorry about my English, it is so bad 😅
If you have any questions or suggestions, make sure to reach me on any of these mediums or in the comments.
Thanks for reading.