CVE-2024-10120 Overview
A critical unrestricted file upload vulnerability has been discovered in wfh45678 Radar (Riskengine Radar) up to version 1.0.8. This vulnerability exists in the file upload functionality located at /services/v1/common/upload, where improper validation of the file argument allows attackers to upload arbitrary files to the server. Remote attackers can exploit this flaw without authentication to potentially execute malicious code on the affected system.
Critical Impact
Attackers can remotely upload malicious files to vulnerable Radar installations, potentially leading to remote code execution, server compromise, or further lateral movement within the network.
Affected Products
- Riskengine Radar versions up to and including 1.0.8
- Systems running the vulnerable /services/v1/common/upload endpoint
Discovery Timeline
- 2024-10-18 - CVE-2024-10120 published to NVD
- 2024-10-30 - Last updated in NVD database
Technical Details for CVE-2024-10120
Vulnerability Analysis
This vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. The affected endpoint /services/v1/common/upload fails to properly validate or restrict the types of files that can be uploaded through the file parameter. This lack of validation means attackers can upload executable files, web shells, or other malicious payloads directly to the server.
The exploit has been publicly disclosed, and documentation is available through external security resources. The vendor was contacted about this vulnerability prior to public disclosure but did not respond.
Root Cause
The root cause stems from insufficient input validation and file type restrictions in the upload handling code. The application does not implement proper checks for:
- File extension validation against an allowlist
- MIME type verification
- File content inspection (magic bytes validation)
- Filename sanitization to prevent path traversal
This allows any file type to be uploaded and potentially stored in a web-accessible directory.
Attack Vector
The attack can be initiated remotely over the network without requiring any authentication or user interaction. An attacker would typically:
- Identify a vulnerable Radar installation exposing the /services/v1/common/upload endpoint
- Craft a malicious file (such as a web shell or reverse shell payload)
- Submit a POST request to the upload endpoint with the malicious file attached to the file parameter
- Access the uploaded file to achieve code execution on the server
For technical details and proof-of-concept information, refer to the GitHub Vulnerability Documentation.
Detection Methods for CVE-2024-10120
Indicators of Compromise
- Unusual HTTP POST requests to the /services/v1/common/upload endpoint, especially from external IP addresses
- Presence of unexpected file types in upload directories (e.g., .php, .jsp, .aspx, .sh files)
- Web shell signatures or executable files in web-accessible storage locations
- Anomalous outbound connections from the web server indicating potential reverse shell activity
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and block suspicious file upload attempts to the /services/v1/common/upload endpoint
- Deploy file integrity monitoring (FIM) on upload directories to detect unauthorized file creation
- Configure intrusion detection systems (IDS) to alert on common web shell signatures and malicious file patterns
- Review access logs for repeated upload attempts or requests from suspicious source IPs
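One way to carry out the access-log review described above, as an added example (not part of the original advisory or the Radar project): it counts POSTs to the upload endpoint per source address and flags external sources. The log format (Common/Combined Log Format written by a front-end web server), the internal network ranges, the threshold and the sample lines are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

ENDPOINT = "/services/v1/common/upload"
# Assumption: networks from which uploads are expected; adjust per site.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Common/Combined Log Format prefix: ip ident user [time] "METHOD target proto" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
10.0.4.17 - - [18/Oct/2024:09:12:01 +0000] "POST /services/v1/common/upload HTTP/1.1" 200 88
203.0.113.9 - - [18/Oct/2024:09:13:40 +0000] "POST /services/v1/common/upload HTTP/1.1" 200 91
203.0.113.9 - - [18/Oct/2024:09:13:44 +0000] "POST /services/v1/common/upload?x=1 HTTP/1.1" 200 91
203.0.113.9 - - [18/Oct/2024:09:13:52 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [18/Oct/2024:09:20:05 +0000] "POST /services/v1/common/upload HTTP/1.1" 403 0
malformed line without the expected fields
"""


def upload_posts_by_source(log_text, threshold=2):
    """Summarise POSTs to the upload endpoint per source IP.

    Returns {ip: {"count", "succeeded", "external", "alert"}}. "alert" is set for
    an external source with a 2xx upload or with at least `threshold` attempts.
    """
    report = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        ip, method, target, status = m.groups()
        # Compare the path only, so a query string does not hide the request.
        if method != "POST" or target.split("?", 1)[0] != ENDPOINT:
            continue
        try:
            external = not any(ip_address(ip) in net for net in INTERNAL)
        except ValueError:
            continue  # address field is a hostname or garbage
        row = report.setdefault(ip, {"count": 0, "succeeded": 0, "external": external})
        row["count"] += 1
        row["succeeded"] += status.startswith("2")
    for row in report.values():
        row["alert"] = row["external"] and (row["succeeded"] > 0 or row["count"] >= threshold)
    return report
```

Sources with `alert` set are the ones to correlate against file integrity monitoring events for the upload directory.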
Monitoring Recommendations
- Enable detailed logging for all file upload operations including source IP, filename, and file size
- Monitor for execution of newly uploaded files or scripts in upload directories
- Set up alerts for access to upload directories from unexpected user agents or geographic locations
- Implement anomaly detection for unusual file upload patterns or volumes
How to Mitigate CVE-2024-10120
Immediate Actions Required
- Restrict network access to the /services/v1/common/upload endpoint using firewall rules or access control lists
- Implement authentication requirements for the upload functionality if not already present
- Deploy WAF rules to block malicious file upload attempts
- Review and remove any suspicious files already present in upload directories
- Consider taking the vulnerable endpoint offline until a patch is available
Patch Information
At the time of this writing, no official patch has been released by the vendor. The vendor was contacted regarding this vulnerability but did not respond. Organizations should monitor the official Riskengine Radar project for security updates.
For additional vulnerability details and community discussion, see VulDB #280912.
Workarounds
- Implement server-side file type validation using an allowlist of permitted extensions and MIME types
- Configure the web server to prevent execution of scripts in upload directories
- Store uploaded files outside the web root or in a location that does not allow script execution
- Apply the principle of least privilege to the upload directory permissions
- Use randomized, server-generated filenames for uploaded files so they cannot be requested directly by a predictable name
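# Example: Disable script execution in upload directories (Apache)
<Directory /path/to/upload/directory>
    # Do not run CGI scripts from this directory
    Options -ExecCGI
    # Ignore .htaccess files, so an uploaded one cannot re-enable handlers
    AllowOverride None
    # Remove extension-based PHP handler mappings and serve these files as plain text
    RemoveHandler .php .phtml .php3 .php4 .php5 .phps
    AddType text/plain .php .phtml .php3 .php4 .php5 .phps
</Directory>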
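The checks listed under Root Cause and in the workarounds above, shown together as an added Python example (not code from Radar or from this advisory). The allowlist contents, the size limit and the names `validate_upload`, `store_path` and `UploadRejected` are assumptions chosen for illustration.

```python
import os
import secrets

# Assumed policy: the service only needs image and PDF uploads.
# Each allowed extension maps to its expected MIME type and leading magic bytes.
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def validate_upload(client_name, declared_mime, data):
    """Return a server-generated storage name, or raise UploadRejected."""
    # Drop any directory components the client sent (both separator styles).
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or "\x00" in base:
        raise UploadRejected("empty or malformed filename")
    # Only the final extension counts: "shell.jsp.png" is judged as .png and
    # must then also pass the content check below.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not on allowlist: %r" % ext)
    mime, magic = ALLOWED[ext]
    if declared_mime != mime:
        raise UploadRejected("declared MIME type does not match extension")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    # Never reuse the client's name on disk: random name, validated extension.
    return secrets.token_hex(16) + ext


def store_path(upload_root, storage_name):
    """Join the name to upload_root and confirm the result stays inside it."""
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, storage_name))
    if os.path.commonpath([root, path]) != root:
        raise UploadRejected("path escapes upload root")
    return path
```

Magic-byte matching only confirms the file header, so it complements rather than replaces storing uploads outside the web root with script execution disabled.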
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


