Epignosis eFront LMS PHP deserialization code execution vulnerability

Summary

A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

Tested Versions

Epignosis eFront LMS v5.2.12

Product URLs

<https://www.efrontlearning.com/&gt;

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Details

Cisco Talos discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.

The following proof of concept demonstrates the issue:

POST /audiences/add/1 HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[IP]/audiences/add/1
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
DNT: 1
Connection: close
Cookie: PHPSESSIDfb411=aaaaaaaa;
Upgrade-Insecure-Requests: 1

ratio=undefined&_qf__audience_properties_form=&qfS_csrf=abc&name=[UNSERIALIZED DATA]&description=jh&active=1&branches_ID=&submit=Add

The following code is responsible for all observed unsafe unserializations:

205     public function set($property, $value, $type = null) {
206         // $this->$property translates to the variable name, for example $this->_name or $this->_address:
207         if ($value !== $this->$property) {
208             // The default type to check against is 'generic', which cuts off non-scalar values:
209             !empty($type) OR $type = 'generic';
210
211             if (!empty($value) && BaseModel::checkParameter($value, $type) === false) {
212                 throw new EfrontException("Invalid type '{$type}' for '{$property}'");
213             }
214
215             if ($value && $type == 'generic' && @unserialize($value) === false) {
216                 $value = htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8',false);
217             } else if ($value && $type == 'wysiwig') {
218                 $value = TemplateController::purify($value);
219             }
220
221             $this->$property = $value;
222             $this->_must_persist = true;
223         }
224
225         return $this;
226     }

Forms submitted to the following URLs were discovered to be vulnerable:

http://[IP]/Banners/add/1 [name parameter]
http://[IP]/Glossary/add/1 [term parameter]
http://[IP]/RandomDataPopulator/add/1 [name parameter]
http://[IP]/audiences/add/1 [name parameter]
http://[IP]/branches/add/1 [name parameter]
http://[IP]/categories/add/1 [name parameter]
http://[IP]/certificates/add/1 [name parameter]
http://[IP]/curriculums/add/1 [name parameter]
http://[IP]/discussions/course-id/180/add-topic/1/popup/1 [title parameter]
http://[IP]/jobs/add/1 [name parameter]
http://[IP]/payments/op/price_tracks/add/1 [discount_type parameter]
http://[IP]/reports/op/courses [filter_name parameter]
http://[IP]/skill-tests/add/1/quick-add/1 [name parameter]
http://[IP]/skills/add/1 [name parameter]

Timeline

2019-07-29 - Vendor disclosure
2019-07-31 - Vendor acknowledged issues under review
2019-08-13 - Vendor acknowledged work to fix issues & testing
2019-08-30 - Vendor patched/released new version
2019-09-03 - Public disclosure