VYPR
Unrated severity · NVD Advisory · Published Oct 2, 2024 · Updated Oct 2, 2024

CVE-2024-24122

Description

A remote code execution vulnerability in Yitu Project Management Software 3.2.2 allows an attacker to place a malicious file in the Windows startup folder via a crafted .adpx project file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote code execution vulnerability exists in Wanxing Technology's Yitu Project Management Software version 3.2.2 [1][2]. The .adpx project file (exp.adpx in the reference) is in fact a ZIP archive. By giving a file inside this archive a specially crafted name, an attacker can make the software extract that file to an unexpected path, specifically the system startup folder [1].

Exploitation

An attacker must convince a user to open a malicious .adpx project file, either by direct download or as an email attachment [1]. No authentication or special privileges are required beyond standard user access. Once the user opens the file, the software decompresses the archive. Because the archive contains a file with a specially crafted name (e.g., using path traversal), the extracted file is written to the Windows startup folder (shell:startup) [1]. The attacker can embed any executable, such as calc.exe, as a proof of concept [1].

Impact

Upon successful exploitation, the attacker places an arbitrary executable into the system startup folder. When the system is restarted (either by the user or through other means), the executable runs automatically with the privileges of the logged-in user [1]. This can lead to arbitrary code execution, persistent access, and further compromise of the affected system.

Mitigation

As of the publication date (2024-10-02), no official patch or fixed version has been released by Wanxing Technology for Yitu Project Management Software 3.2.2 [1][2]. Users should avoid opening .adpx files from untrusted sources. Until a fix is available, the only mitigation is to restrict execution of the software or apply file access controls on the startup folder.
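The defect described under Vulnerability is a classic archive path-traversal ("zip slip"): the extractor trusts member names inside the ZIP. The following is an added example, not code from Wanxing Technology or from the cited references, showing how an .adpx consumer would validate every member name against its extraction root before unpacking; the archive it builds is constructed for the demonstration and is not a real .adpx project.

```python
import io
import os
import zipfile


def is_unsafe_name(name, dest_dir):
    """True if a ZIP member name would resolve outside dest_dir.

    Rejects absolute paths, Windows drive prefixes, backslash separators
    and '..' components, then re-checks the resolved path as a backstop.
    """
    norm = name.replace("\\", "/")          # treat '..\\x' like '../x'
    parts = norm.split("/")
    if norm.startswith("/") or ".." in parts:
        return True
    if len(norm) > 1 and norm[1] == ":":    # e.g. 'C:/Users/...'
        return True
    dest = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest, norm))
    return os.path.commonpath([dest, target]) != dest


def unsafe_entries(archive_bytes, dest_dir):
    """Names of members in an .adpx (ZIP) archive that fail is_unsafe_name."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if is_unsafe_name(i.filename, dest_dir)]


def safe_extract(archive_bytes, dest_dir):
    """Extract only after every member has been validated; refuse otherwise."""
    bad = unsafe_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest_dir)
        return len(zf.namelist())


def build_sample():
    """Constructed test archive (not a real .adpx project): one benign member
    and one whose name climbs out of the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/plan.xml", "<project/>")
        zf.writestr("../../escaped.txt", "constructed")
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_entries(build_sample(), "extract_root"))
```

Any member flagged here is the condition the advisory describes; an extractor that applies this check never writes outside the folder it was given, regardless of how the name was crafted.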

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
