CVE-2021-40662 Chamilo LMS 1.11.14 RCE

  • One-Click Technique: An attacker who has a student account can create a malicious web page or a malicious SVG image file and upload it to the “My Productions” section of the student profile page, then copy the URL of that file and send it to the Chamilo admin user. When the admin opens the file in a browser with an active Chamilo session, it uploads a plugin (.zip file) to Chamilo in the background. The attacker can then simply navigate to /plugin/exploited-directory/ and execute malicious commands.
  • “Zero Click” technique: In this case, the attacker abuses the “My Diplomas” feature to inject malicious JavaScript into it; when the admin visits the attacker's (student) profile page or portfolio, the malicious JavaScript executes and the malicious plugin is uploaded to the server. After that, the attacker can simply navigate to the /plugin/exploit/ directory, run the shell.php script and execute arbitrary commands. Advantages of this variant: no malicious file needs to be uploaded to the /app/upload/users/ directory, and no link or URL needs to be sent to the admin. When the admin visits the attacker's profile, the attacker gets the RCE ;-).
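The defender-side counterpart of the first technique, added here as an example that is not part of the original post or of Chamilo's own code: an upload-time filter that rejects SVG files carrying script elements, event-handler attributes or javascript:/data: links before they land in a user-profile directory. The two sample SVGs are constructed for the demonstration, and the tag list is a minimal starting set, not an exhaustive one.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample inputs (not from the original post): a benign icon and an SVG
# carrying the kind of active content a profile upload could smuggle in.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle r="4"/></svg>'
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* any script here runs in the origin of whoever opens the file */</script>
  <a xlink:href="javascript:void(0)"><text onload="">x</text></a>
</svg>"""

# Elements that execute script or embed foreign (HTML) content when an SVG is
# opened directly in a browser. Minimal set; extend it for your own policy.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
DANGEROUS_URL = re.compile(r"^\s*(javascript|data)\s*:", re.IGNORECASE)


def svg_active_content(data: bytes) -> List[str]:
    """Return the reasons an uploaded SVG should be rejected; empty list means none found."""
    findings: List[str] = []
    try:
        root = ET.fromstring(data)  # expat does not fetch external entities by default
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop the namespace prefix, if any
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1]  # e.g. {xlink-ns}href -> href
            if local.lower().startswith("on"):
                findings.append(f"{local} event handler on <{tag}>")
            elif local == "href" and DANGEROUS_URL.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append(f"{scheme}: URL in href on <{tag}>")
    return findings


def is_acceptable_svg(data: bytes) -> bool:
    """Policy hook for the upload handler: reject on any finding."""
    return not svg_active_content(data)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "->", svg_active_content(blob) or "accepted")
```

Serving user uploads with a Content-Disposition: attachment header, or from a separate origin, is the complementary mitigation if such files must be stored at all.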

Febin

CEH | CEH(Master) | eJPT | OSCP | CRTP |CyberSecurity Enthusiast | Security Researcher | Bug Hunter | Always seeks for knowledge