Hunesion i-oneNet 3.0.7 Unrestricted Upload of File with Dangerous Type Vulnerability

Summary

In Hunesion i-oneNet versions 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the specific upload web module doesn't verify the file extension and type, so an attacker can upload a web shell. After the upload, the attacker can use the web shell to perform remote code execution, such as running a system command.

Credit:

The information has been provided by KrCERT/CC

The original article can be found at:

https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35073


Details

The specific upload web module doesn't verify the file extension and type, so an attacker can upload a web shell. After the web shell is uploaded, the attacker can use it to perform remote code execution, such as running a system command.
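The two checks the advisory says are missing (extension and type), sketched as a server-side upload validator. This is an added example, not Hunesion's code or the vendor's fix; the allowlist, the list of executable extensions, and the names `validate_upload` and `UploadRejected` are assumptions made for illustration.

```python
import os
import secrets

# Assumed allowlist for illustration: extension -> accepted leading magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
# Assumed set of extensions a web or application server may execute.
EXECUTABLE = {".jsp", ".jspx", ".php", ".phtml", ".asp", ".aspx", ".cgi", ".sh"}


class UploadRejected(Exception):
    pass


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    # Drop any client-supplied path component (both separator styles).
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("invalid file name")
    parts = base.lower().split(".")
    # Check every dot-separated segment, so "cmd.jsp.png" is refused too.
    if any("." + p in EXECUTABLE for p in parts[1:]):
        raise UploadRejected("executable extension in name")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED:
        raise UploadRejected("extension not on allowlist")
    # Type check: content must start with a signature matching the extension.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Store under a random name so the client never chooses the path on disk.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads (not taken from the advisory).
    samples = [("report.pdf", b"%PDF-1.7\n"), ("cmd.jsp", b"<% %>"),
               ("cmd.jsp.png", b"\x89PNG\r\n\x1a\n")]
    for name, body in samples:
        try:
            print(name, "->", validate_upload(name, body))
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

A signature check only confirms how the file begins, so accepted uploads should still be stored in a location where the server does not execute scripts.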

Vulnerable Systems:

Hunesion i-oneNet 3.0.7 to 3.0.53

Hunesion i-oneNet 4.0.4 to 4.0.16

CVE Information:

CVE-2019-12803

Disclosure Timeline:

Published Date: 07/16/2019