CVE-2021–40662 Chamilo LMS 1.11.14 RCE

Febin
2 min readMar 22, 2022

--

This is Febin, a Security Researcher. This article is about my third CVE that I got for finding a Remote Code Execution in a popular Learning Management Software named “Chamilo LMS”.

This is a chained exploit. First, I found a CSRF in the plugin upload feature which leads to Remote Code Execution which is then combined with a stored XSS to achieve Zero-click RCE.

XSS + CSRF + Malicious Plugin Upload = RCE. Boom!

Product Information: Chamilo is an e-learning platform, also called “LMS”, published under the GNU/GPLv3+ license. It has been used by more than 30M people worldwide since its inception in 2010.

Vendor Homepage: https://chamilo.org/en/

Disclosure Timeline:

July 27, 2021 — Contacted the vendor and reported the vulnerability

July 28, 2021 — Vendor replies back

August 2, 2021 — Vulnerability has been patched in version 1.11.16

March 21, 2022 — CVE ID was assigned. CVE-2021–40662

CVE Description: Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker’s profile page.

  • One-Click Technique: An Attacker who has a student account can create a malicious web page or a malicious SVG image file and upload the file to the “My Productions” section of the student profile page, then he can copy the URL of that file and send it to the Chamilo Admin User. When the Admin user loads the file in his browser with an active chamilo session, in the background it will upload a plugin (.zip file) to chamilo. Then the attacker can simply navigate to /plugin/exploited-directory/ and execute malicious commands.
  • “Zero Click” technique: In this case, the attacker abuses the “My Diplomas” feature and injects malicious javascript in it, and when the Admin visits the Attacker’s (student) profile page or Portfolio, the malicious javascript gets executed and the malicious plugin gets uploaded to the server. After that, the attacker can simply navigate to /plugin/exploit/ directory and execute the shell.php script and execute arbitrary commands. Advantages of this exploit: No need to upload a malicious file to /app/upload/users/ directory , No need to send a link or URL to the Admin. When the admin visits attacker’s profile, the attacker gets the RCE ;-) .

Reference: https://github.com/febinrev/CVE-2021-46398_Chamilo-LMS-RCE

Video Reference:

https://github.com/febinrev/CVE-2021-46398_Chamilo-LMS-RCE/raw/main/chamilo_csrf-rce_exploit.mp4

Exploit Code: https://raw.githubusercontent.com/febinrev/CVE-2021-46398_Chamilo-LMS-RCE/main/zero-click.ht

Remediation:

The Vulnerability has been patched from version 1.11.16

Thanks

--

--

Febin
Febin

Written by Febin

CEH | CEH(Master) | eJPT | OSCP | CRTP |CyberSecurity Enthusiast | Security Researcher | Bug Hunter | Always seeks for knowledge

No responses yet