Shandong Hoteam InforCenter PLM Unrestricted File Upload Vulnerability Leading to Remote Code Execution
Vulnerability
A critical vulnerability exists in Shandong Hoteam InforCenter PLM versions prior to 8.3.8. The issue arises in the uploadFileToIIS function within the /Base/BaseHandler.ashx file, where improper file extension validation allows for unrestricted file uploads. This vulnerability can be exploited remotely, without authentication, by sending a crafted multipart/form-data request to upload a malicious .aspx file containing a C# payload. Successful exploitation enables the execution of arbitrary system commands under the IIS process, potentially compromising the entire PLM server and exposing sensitive intellectual property and R&D data.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious code on the server. This could lead to a complete compromise of the PLM system, with the uploaded web shell being used to execute commands and potentially access or exfiltrate sensitive data.
Reproduction
To reproduce this vulnerability, confirm the presence of the /Base/BaseHandler.ashx interface on the target InforCenter PLM system. Then, use a tool like Burp Suite to send a POST request to the uploadFileToIIS function. Upload a file named sdfsdf.aspx containing a C# payload designed to execute the whoami command. If successful, the server will respond with a JSON object containing the uploaded file's URL. Navigating to this URL will confirm the execution of the command, demonstrating successful exploitation.
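The sequence described above (a POST to the upload function, then a request for the newly written .aspx file) leaves a recognisable trail in IIS W3C logs. The following Python is an added example for defenders, not code from the advisory or the vendor; it assumes the function name appears in the logged query string, and the log lines, the method= parameter, the /upload/ path and the 10-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

HANDLER = "/base/basehandler.ashx"  # handler path from the advisory, lower-cased
FUNCTION = "uploadfiletoiis"        # function name from the advisory, lower-cased
WINDOW = timedelta(minutes=10)      # assumed correlation window

# Constructed sample log; the "method=" parameter and /upload/ path are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2025-01-10 08:00:01 GET /Default.aspx - 10.0.0.5 alice 200
2025-01-10 08:14:30 POST /Base/BaseHandler.ashx method=uploadFileToIIS 203.0.113.7 - 200
2025-01-10 08:14:35 GET /Default.aspx - 203.0.113.7 - 200
2025-01-10 08:14:41 GET /upload/sdfsdf.aspx - 203.0.113.7 - 200
2025-01-10 08:20:00 POST /Base/BaseHandler.ashx method=getList 10.0.0.5 alice 200
2025-01-10 08:21:00 GET /Reports/New.aspx - 10.0.0.5 alice 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the log's own #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row


def find_upload_then_new_aspx(text, window=WINDOW):
    """Return (upload, follow_up) pairs: an upload call, then the same client
    requesting an .aspx path that no earlier log entry had requested."""
    seen, uploads, hits = set(), {}, []
    for r in parse_w3c(text):
        stem, ip = r["cs-uri-stem"].lower(), r["c-ip"]
        is_upload = (r["cs-method"] == "POST" and stem == HANDLER
                     and FUNCTION in r["cs-uri-query"].lower())
        if is_upload:
            uploads[ip] = r  # remember the latest upload call per client
        elif stem.endswith(".aspx") and stem not in seen and ip in uploads:
            if r["ts"] - uploads[ip]["ts"] <= window:
                hits.append((uploads[ip], r))
        seen.add(stem)
    return hits


if __name__ == "__main__":
    for up, follow in find_upload_then_new_aspx(SAMPLE_LOG):
        print(up["c-ip"], up["ts"], "->", follow["cs-uri-stem"], follow["sc-status"])
```

If the function name travels in the request body rather than the query string, IIS does not log it; in that case match on the handler path alone and rely on the first-seen .aspx check to limit noise.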
