NesterSoft WorkTime OS Command Injection Vulnerability Allowing Server Takeover
Vulnerability
A command injection vulnerability has been identified in NesterSoft WorkTime versions through 11.8.8. An unauthenticated attacker can exploit this vulnerability by injecting operating system commands into a server API endpoint. The injection occurs in the 'guid' parameter of the API call used to generate and download the WorkTime client from the server. Exploitation of this vulnerability allows the attacker to execute arbitrary commands on the WorkTime server with the highest privileges, as the commands are executed as NT Authority\SYSTEM. This unauthorized access could lead to manipulation of sensitive data and complete control over the server.
Impact
Exploitation of this vulnerability allows arbitrary command execution on the WorkTime server with NT Authority\SYSTEM privileges, enabling an attacker to access and manipulate sensitive data and take over the entire server.
Reproduction
To reproduce this vulnerability, send a request to the server API endpoint that generates and downloads the WorkTime client. Include a command injection payload in the 'guid' parameter. The injected command will be executed on the server as NT Authority\SYSTEM.
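As an added defender's example (not code from the advisory or from NesterSoft), the mitigation the description implies is to accept only a canonical GUID in the 'guid' parameter and never hand the raw value to a shell; the same strict check, run over web-server access logs, flags requests that sent anything else. The endpoint path, log format and sample log lines below are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Canonical GUID shape only: 8-4-4-4-12 hex digits. A value that fails this
# check must be rejected before it gets anywhere near process creation.
GUID_RE = re.compile(r"\A[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\Z")


def is_valid_guid(value: str) -> bool:
    """Allow-list validation for the 'guid' parameter."""
    return bool(GUID_RE.match(value))


def flag_suspicious_requests(log_lines):
    """Return (line_no, guid_value) for every request whose guid parameter is
    not a well-formed GUID. Assumed log format: '<ip> "<METHOD> <path?query>" <status>'.
    Percent-encoding is decoded, so a '%26' smuggled into the value shows up as '&'."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) ([^" ]+)', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for raw in parse_qs(query, keep_blank_values=True).get("guid", []):
            if not is_valid_guid(raw):
                findings.append((n, raw))
    return findings


# Constructed sample log; the endpoint path is an assumption, not the real one.
SAMPLE_LOG = [
    '10.0.0.5 "GET /api/client/download?guid=3f2504e0-4f89-11d3-9a0c-0305e82c3301" 200',
    '10.0.0.7 "GET /api/client/download?guid=3f2504e0-4f89-11d3-9a0c-0305e82c3301%26%26+echo+x" 200',
    '10.0.0.9 "GET /api/client/download?guid=" 400',
]

if __name__ == "__main__":
    for line_no, value in flag_suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: rejected guid value {value!r}")
```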