Aranda Service Desk Web Edition Remote Code Execution Vulnerability via Improper File Upload

Vulnerability

A remote code execution vulnerability has been identified in Aranda Service Desk Web Edition (ASDK API 8.6). The file upload API does not adequately validate uploaded files, so an authenticated attacker can place a crafted web.config file in the upload directory by sending a crafted POST request to the upload endpoint. IIS and the ASP.NET runtime treat a web.config found in a subdirectory as that directory's configuration, so the uploaded file changes the execution context of the upload directory: files written there can be compiled and executed by ASP.NET instead of being stored as inert attachments. The attacker then uploads a payload such as an .aspx web shell to the same directory and invokes it, gaining remote command execution on the server. Both On-Premise and SaaS deployments are affected.
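The root cause above is filename validation that does not account for how IIS interprets certain names. The following block, an added example written for this advisory and not code from Aranda or from the advisory authors, shows a typical extension blocklist that lets web.config through, beside a hardened check that normalises the name the way Windows does (trailing dots and spaces, alternate data streams, path components) before rejecting reserved names and whitelisting extensions. The allowed-extension set and every sample filename are assumptions made for illustration; the real endpoint's logic is not disclosed on this page. It is written in Python to keep it runnable here; the same checks belong in the ASP.NET upload handler.

```python
"""Upload filename validation: the weak check that lets web.config through,
beside a hardened check.

Added example for this advisory, not code from Aranda or from the advisory
authors. The allowed-extension whitelist and all sample filenames are
constructed for illustration; the real endpoint's logic is not disclosed."""
import os
import re
import secrets

# Assumption: the application only needs ordinary ticket attachments.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".txt"}

# Names IIS/ASP.NET reads as configuration. A web.config in any directory
# reconfigures that directory, which is the primitive this advisory describes.
RESERVED_NAMES = {"web.config", "global.asax"}

# Extensions the ASP.NET runtime handles rather than serving as static files.
SERVER_SIDE_EXTENSIONS = {
    ".aspx", ".asax", ".ascx", ".ashx", ".asmx", ".config", ".cshtml",
    ".vbhtml", ".svc", ".soap", ".rem",
}


def weak_is_allowed(filename: str) -> bool:
    """A typical but insufficient check: block a few extensions.
    'web.config' passes because '.config' is not on the list."""
    blocked = {".aspx", ".asp", ".exe", ".dll"}
    return os.path.splitext(filename)[1].lower() not in blocked


def normalize_windows_name(filename: str) -> str:
    """Apply the transformations Windows applies before a file is created,
    so the check sees the name that will actually exist on disk:
    - drop any directory components ('..\\uploads\\web.config')
    - drop an NTFS alternate data stream suffix ('web.config::$DATA')
    - strip trailing dots and spaces ('web.config.' is created as 'web.config')"""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.split(":", 1)[0]
    return name.rstrip(". ")


def hardened_is_allowed(filename: str) -> bool:
    """Reject reserved names and server-side extensions, then require the
    remainder to match a whitelist. The character class also rejects names
    such as 'shell.aspx;.jpg' because ';' is not permitted."""
    name = normalize_windows_name(filename)
    if not name or name.lower() in RESERVED_NAMES:
        return False
    ext = os.path.splitext(name)[1].lower()
    if ext in SERVER_SIDE_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
        return False
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}", name) is not None


def storage_name(filename: str) -> str:
    """Never store under the client-supplied name: keep only the validated
    extension and choose a random basename, so the stored file cannot land
    on a name IIS treats specially even if a check is later relaxed."""
    if not hardened_is_allowed(filename):
        raise ValueError("rejected upload filename: %r" % (filename,))
    ext = os.path.splitext(normalize_windows_name(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for candidate in ["report.pdf", "web.config", "Web.Config.", "web.config::$DATA",
                      "..\\uploads\\web.config", "shell.aspx;.jpg"]:
        print("%-28s weak=%-5s hardened=%s" % (candidate, weak_is_allowed(candidate),
                                               hardened_is_allowed(candidate)))
```

The normalisation step is what makes the difference: a blocklist compared against the raw string sees `web.config.` or `web.config::$DATA` as harmless, while NTFS creates both as `web.config`. Storing under a random server-chosen name, and outside the web root where the application allows it, removes the attacker's control over the stored name entirely.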

Impact

Successful exploitation gives remote code execution on the server. The attacker's code runs in the security context of the web application, that is, under the identity of the IIS application pool that hosts Aranda Service Desk.

Reproduction

To reproduce, an authenticated user uploads a crafted web.config through the ASDK API v8.6 file upload endpoint. The web.config is written to enable detailed error messages and directory listing for the upload directory, which lets the attacker confirm that the per-directory configuration has taken effect and see where uploaded files land. A payload such as an .aspx web shell is then uploaded to the same directory; ASP.NET compiles and executes it, giving remote command execution on the server.
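The reproduction above leaves two artefacts on disk: the web.config itself and the payload placed beside it. The following scanner, an added example written for this advisory rather than Aranda's code, walks an upload root and reports both; for a web.config it names the directives the advisory mentions (detailed errors, directory browsing). It also reports handler mappings and debug compilation, which this advisory does not mention but which are the other common uses of an uploaded web.config. The directory layout and the sample configuration are constructed for the example; the real ASDK upload path is not disclosed on this page, so the scanner takes the upload root as an argument.

```python
"""Scan an upload directory for configuration or executable files that
should never be there.

Added example for this advisory, not Aranda code. The directory layout and
the sample web.config below are constructed to resemble what the advisory
describes (detailed errors and directory listing enabled); nothing here is
captured from a real system."""
import os
import tempfile
import xml.etree.ElementTree as ET

# File types ASP.NET executes or reads as configuration. In an upload
# directory each of these is a finding; none is a legitimate attachment.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".ascx", ".asax",
                         ".cshtml", ".svc", ".config"}

# Directives whose presence in an uploaded web.config changes how IIS/ASP.NET
# treats the directory. Paths are relative to the <configuration> root.
RISKY_DIRECTIVES = [
    ("system.web/customErrors", "mode", "off", "detailed ASP.NET errors enabled"),
    ("system.webServer/httpErrors", "errorMode", "detailed", "detailed IIS errors enabled"),
    ("system.webServer/directoryBrowse", "enabled", "true", "directory listing enabled"),
    ("system.web/compilation", "debug", "true", "debug compilation enabled"),
]

# Constructed sample matching the advisory's description of the payload.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>
"""


def inspect_web_config(path):
    """Return the reasons a web.config found in an upload tree is suspect."""
    reasons = ["web.config present in upload tree (per-directory configuration is attacker-controlled)"]
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        reasons.append("unparseable XML: %s" % exc)
        return reasons
    for xpath, attr, value, text in RISKY_DIRECTIVES:
        for el in root.iterfind(xpath):
            if el.get(attr, "").lower() == value:
                reasons.append(text)
    # Handler mappings re-route request processing for this directory; any
    # <add> under an upload directory is suspect regardless of its content.
    for add in root.iterfind("system.webServer/handlers/add"):
        reasons.append("handler mapping added: path=%s type=%s"
                       % (add.get("path"), add.get("type") or add.get("modules")))
    return reasons


def scan_upload_root(upload_root):
    """Walk the upload tree and return one finding per suspect file."""
    findings = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == "web.config":
                findings.append({"path": full, "kind": "web.config",
                                 "reasons": inspect_web_config(full)})
            elif os.path.splitext(lower)[1] in EXECUTABLE_EXTENSIONS:
                findings.append({"path": full, "kind": "server-side file",
                                 "reasons": ["executable or config extension in upload tree"]})
    return findings


def build_sample_tree():
    """Constructed upload directory: two benign attachments, the rogue
    web.config and a follow-up .aspx file, mirroring the advisory's sequence.
    The .aspx content is a placeholder string, not a web shell."""
    root = tempfile.mkdtemp(prefix="asdk_uploads_")
    os.makedirs(os.path.join(root, "2026", "03"))
    for rel, content in [
        ("2026/03/invoice.pdf", "%PDF-1.4 constructed placeholder"),
        ("2026/03/screenshot.png", "constructed placeholder"),
        ("2026/03/web.config", SAMPLE_WEB_CONFIG),
        ("2026/03/cmd.aspx", "constructed placeholder, not a web shell"),
    ]:
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_upload_root(build_sample_tree()):
        print(finding["kind"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the real upload root, any web.config is a finding on its own: the application never writes one there, and the only way for it to appear is the primitive this advisory describes. The directive checks then tell the responder what the attacker changed, and the .aspx finding points at the second stage of the chain.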

Added: Mar 5, 2026, 9:24 PM
Updated: Mar 5, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  6.6
remediation     0.0
relevance       3.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.