I DOC VIEW Frontend RCE

I DOC VIEW is an online document viewer. Due to improper handling in the /html/2word endpoint, an attacker can read arbitrary files remotely. By abusing this endpoint to make the server download and parse a malicious JSP, this can be escalated to RCE.

Affected Versions

Versions before 20231115.

Source Code Analysis

First, locate the vulnerable endpoint: ![image-20231124002943513](./I DOC VIEW 前台RCE/image-20231124002943513.png)

There is only one method inside the endpoint, toWord, so let’s see what it does: ![image-20231124002951105](./I DOC VIEW 前台RCE/image-20231124002951105.png)

Most of the early logic is not essential. The key part is a method that crawls a page, and it is also the only place where the url parameter is used: ![image-20231124002957766](./I DOC VIEW 前台RCE/image-20231124002957766.png)

Here it uses getPage to process obj. obj is a URL object created from the url parameter. One confusing thing is that the filename is forced to index.html, so we inspect getWebPage: ![image-20231124003004867](./I DOC VIEW 前台RCE/image-20231124003004867.png)

Up to this point it’s mostly file-writing logic, and it only writes index.html. The real issue comes next: the application appears to implement a crawler, so it calls GrabUtility.searchForNewFilesToGrab to further parse content. The conn here is the connection created earlier: ![image-20231124003010469](./I DOC VIEW 前台RCE/image-20231124003010469.png)

Inside GrabUtility.searchForNewFilesToGrab, it parses the response and collects URLs from link[href], script[src], and img[src], storing them into the member variable filesToGrab: ![image-20231124003017471](./I DOC VIEW 前台RCE/image-20231124003017471.png) ![image-20231124003025552](./I DOC VIEW 前台RCE/image-20231124003025552.png)

Then it performs the dangerous operation: it iterates over filesToGrab and tries to download each resource. It calls an overloaded GetWebPage method, using the same directory as before, while the filename is derived automatically: ![image-20231124003032209](./I DOC VIEW 前台RCE/image-20231124003032209.png) ![image-20231124003039291](./I DOC VIEW 前台RCE/image-20231124003039291.png)

At this point exploitation becomes straightforward:

  • The program only filters by extension. So as long as we avoid the blacklist extensions and combine it with path traversal, we can write arbitrary files.
  • The blacklist includes html, htm, php, asp, aspx, and net, but not jsp. So writing a JSP webshell is enough.

One more detail: because it takes the substring after / as the filename, we cannot use / for traversal. But the target is on Windows, so we can use \\ instead.

The exploit flow is:

  1. Host a malicious server.
  2. In index.html, include a href/img/script URL that points to the JSP payload.

(This also matches the advisory wording about “tricking” the server into downloading dangerous files.)

Reproduction

The PoC is here: https://github.com/springkill/idocv_poc
Step-by-step notes below:

Craft the page: ![image-20231124003048041](./I DOC VIEW 前台RCE/image-20231124003048041.png)

Start a simple Python HTTP server and access it.

Then it got killed (thanks Huorong): ![image-20231124003055195](./I DOC VIEW 前台RCE/image-20231124003055195.png)

Disable Huorong (the service seems to cache, so change the port): ![image-20231124003100746](./I DOC VIEW 前台RCE/image-20231124003100746.png)

Test: ![image-20231124003109465](./I DOC VIEW 前台RCE/image-20231124003109465.png)

And don’t forget to turn Huorong back on afterwards.

Conclusion

File operations are extremely sensitive—especially downloading files onto a server. Downloaded files should be stored in a fixed directory and must be protected against path traversal. The developer recognized the risk of downloading files, but the mitigation was incomplete, which led to this vulnerability.
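To make the mitigation concrete, here is an added example (my own code, not I DOC VIEW's GrabUtility or GetWebPage) of how the crawler's save step could derive and confine the on-disk name: it splits on both `/` and `\`, uses an extension allowlist instead of the blacklist that missed jsp, and checks that the resolved path is a direct child of the fixed download directory. The class name, the allowlist contents and the three sample inputs (including the `cdn.example` URL) are assumptions constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

/** Hardened name/path handling for resources a server-side crawler writes to disk. */
public final class SafeGrabPath {
    // Allowlist of what the converter actually needs, instead of the extension
    // blacklist described in the post (which missed jsp). Constructed for this example.
    private static final Set<String> ALLOWED_EXT =
            Set.of("css", "js", "png", "jpg", "jpeg", "gif", "svg", "woff", "woff2");

    /** Derive an on-disk name from a crawled URL path; returns null to reject. */
    public static String safeName(String urlPath) {
        // Drop query/fragment, then take the last segment. Split on BOTH
        // separators so a "..\" sequence is never kept as part of the name.
        String s = urlPath.split("[?#]", 2)[0];
        int cut = Math.max(s.lastIndexOf('/'), s.lastIndexOf('\\'));
        String name = s.substring(cut + 1);
        // Conservative character set: no separators, no ":", no NUL, no leading dot.
        if (!name.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,99}")) return null;
        int dot = name.lastIndexOf('.');
        if (dot < 0) return null;
        String ext = name.substring(dot + 1).toLowerCase();
        return ALLOWED_EXT.contains(ext) ? name : null;
    }

    /** Resolve name under baseDir and verify the result is a direct child of it. */
    public static Path resolveInside(Path baseDir, String name) throws IOException {
        if (name == null) throw new IOException("rejected resource name");
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!base.equals(target.getParent())) {
            throw new IOException("path escapes download directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("grab");
        // Constructed inputs: a normal stylesheet, the Windows-style traversal from
        // the post, and a JSP; only the first yields a path, and it stays under base.
        for (String in : new String[] {"/static/site.css",
                                       "..\\..\\webapps\\ROOT\\shell.jsp",
                                       "https://cdn.example/x/shell.jsp"}) {
            String name = safeName(in);
            System.out.println(in + " -> " + (name == null ? "REJECTED" : resolveInside(base, name)));
        }
    }
}
```

The parent-directory check is the part that would have blocked this bug even if the extension filter had been left as a blacklist, since a name containing a separator can never resolve to a direct child of the download directory.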

Bonus

I lost count of how many times I tried… ![image-20231124003114768](./I DOC VIEW 前台RCE/image-20231124003114768.png)

Source: https://springkill.github.io/en/posts/i-doc-view-前台rce/
Author: SpringKill
Published at: 2023-11-24
License: CC BY-NC-SA 4.0