EfroTech TimeTrax Remote Code Execution Vulnerability in Leave Management Module
Vulnerability
A remote code execution vulnerability has been identified in EfroTech TimeTrax version 1.0. The issue arises in the Leave Request form within the Attendance module, where inadequate server-side validation of file uploads allows authenticated users to submit malicious .asp files disguised as .txt files. This exploitation can lead to the execution of arbitrary code on the server.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the potential for privilege escalation to SYSTEM level using the EfsPotato technique.
Reproduction
To reproduce this vulnerability, log into TimeTrax with valid credentials and navigate to the Leave Request form in the Attendance module. Upload a .txt file and intercept the request using Burp Suite. Change the file extension from .txt to .asp and forward the modified request. Once the file is uploaded, access the provided URL to execute the malicious web shell.
Remediation
Users are advised to validate and sanitize file uploads properly, restrict the SeImpersonatePrivilege to necessary accounts, and apply OS patches to mitigate the EfsPotato exploit.
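The first remediation point, server-side upload validation that does not trust the client-supplied name, is shown below as an added example; it is not TimeTrax code and does not use any TimeTrax API. The allowlist of attachment types (.txt and .pdf), the size limit, and the idea that a leave-request note is plain UTF-8 text are assumptions made for the example. The check decides from both the file name and the bytes, so renaming a server-side script to .txt in a proxy is caught by the content check, and the file is stored under a random name with the validated extension rather than the attacker-chosen one.

```python
import os
import secrets

# Assumed allowlist for the leave-request attachment feature, mapping the
# accepted extension to the content check applied to it.
ALLOWED_EXTENSIONS = {".txt": "text", ".pdf": "pdf"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit

# Byte patterns that mark server-side script (classic ASP / ASP.NET / PHP).
# A plain-text attachment has no reason to contain them, so their presence
# means the declared type and the content disagree.
SERVER_SCRIPT_MARKERS = (b"<%", b"<script", b"<?php")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Validate one upload.

    Returns (True, safe_storage_name) when the file is accepted, or
    (False, reason) when it is rejected. Every decision is made on the
    server from the name AND the bytes; nothing the client declares is trusted.
    """
    # Clients may send a path; only the base name is considered.
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if not base or "\x00" in base:
        return False, "empty or malformed file name"

    # Separators that some web servers treat as the end of the name
    # (e.g. "shell.asp;.txt"), plus characters that are invalid in file names.
    if any(c in base for c in ';:"<>|?*'):
        return False, "disallowed character in file name"

    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"

    # Reject double extensions ("shell.asp.txt") and names that are only
    # an extension (".txt").
    if not stem or "." in stem:
        return False, "double or missing extension"

    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file too large"

    # Content must match the declared type, independently of the name.
    kind = ALLOWED_EXTENSIONS[ext]
    if kind == "text":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "declared .txt but content is not UTF-8 text"
        if any(marker in data.lower() for marker in SERVER_SCRIPT_MARKERS):
            return False, "declared .txt but content contains server-side script"
    elif kind == "pdf":
        if not data.startswith(b"%PDF-"):
            return False, "declared .pdf but content has no PDF header"

    # Never store under the client's name: a random name with the validated
    # extension keeps attacker-chosen names and extensions out of storage.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real system.
    samples = [
        ("leave_note.txt", b"Sick leave, 2 days"),
        ("shell.asp", b"<% Response.Write(1) %>"),
        ("shell.txt", b"<% Response.Write(1) %>"),
        ("shell.asp;.txt", b"hello"),
        ("shell.asp.txt", b"hello"),
        ("doc.pdf", b"not really a pdf"),
    ]
    for name, content in samples:
        print(name, "->", validate_upload(name, content))
```

The accepted file should still be written to a directory outside the web root (or one with script execution disabled) and served back through a handler that sets a fixed Content-Type and a Content-Disposition of attachment; the random storage name returned here is the key the application keeps in its database for that purpose.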