CVE-2019-5069
A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
Tested Versions: Epignosis eFront LMS v5.2.12
Product URL: https://www.efrontlearning.com/
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-502 - Deserialization of Untrusted Data
Cisco Talos discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.
The following proof of concept demonstrates the issue:
POST /audiences/add/1 HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[IP]/audiences/add/1
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
DNT: 1
Connection: close
Cookie: PHPSESSIDfb411=aaaaaaaa;
Upgrade-Insecure-Requests: 1
ratio=undefined&_qf__audience_properties_form=&qfS_csrf=abc&name=[UNSERIALIZED DATA]&description=jh&active=1&branches_ID=&submit=Add
The following code is responsible for all observed unsafe unserializations:
public function set($property, $value, $type = null) {
    // $this->$property translates to the variable name, for example $this->_name or $this->_address:
    if ($value !== $this->$property) {
        // The default type to check against is 'generic', which cuts off non-scalar values:
        !empty($type) OR $type = 'generic';

        if (!empty($value) && BaseModel::checkParameter($value, $type) === false) {
            throw new EfrontException("Invalid type '{$type}' for '{$property}'");
        }

        // Vulnerable probe: the raw form value is handed to unserialize() only to test
        // whether it is serialized data, so an attacker-supplied serialized object is
        // instantiated (and its magic methods run) before any sanitization takes place.
        if ($value && $type == 'generic' && @unserialize($value) === false) {
            $value = htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8',false);
        } else if ($value && $type == 'wysiwig') {
            $value = TemplateController::purify($value);
        }

        $this->$property = $value;
        $this->_must_persist = true;
    }

    return $this;
}
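As an added illustration (not eFront code and not part of the Talos proof of concept), the following PHP contrasts the probe used in set() with one that answers the same "is this value serialized?" question without letting the submitted string decide which classes get instantiated; the WakeupCanary class, both helper functions and the sample inputs are constructed for this example.

```php
<?php
// Added example, not eFront code. WakeupCanary stands in for any application
// class that carries a magic method: the probe in set() instantiates whatever
// class name appears in the form field, so such methods become reachable from
// a POST parameter. The canary only records that it was woken.
class WakeupCanary {
    public static $woken = 0;
    public function __wakeup() { self::$woken++; }
}

// Pattern from set(): unserialize() on the raw value, used purely as a type test.
function isSerializedUnsafe(string $value): bool {
    return @unserialize($value) !== false;
}

// Hardened probe (PHP >= 7.0): allowed_classes => false turns any object in the
// input into __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a real
// class runs, while arrays and scalars still parse and the answer is unchanged.
// 'b:0;' is a legitimately serialized false and must not be read as a failure.
function isSerializedSafe(string $value): bool {
    if ($value === 'b:0;') {
        return true;
    }
    return @unserialize($value, ['allowed_classes' => false]) !== false;
}

// Constructed inputs: an object payload such as a hostile 'name' field might
// carry, and a serialized array of the kind internal callers legitimately pass.
$hostile = 'O:12:"WakeupCanary":0:{}';
$benign  = 'a:1:{s:4:"name";s:3:"Bob";}';

isSerializedUnsafe($hostile);
printf("unsafe probe invoked __wakeup: %s\n", WakeupCanary::$woken ? 'yes' : 'no');

WakeupCanary::$woken = 0;
isSerializedSafe($hostile);
printf("safe probe invoked __wakeup:   %s\n", WakeupCanary::$woken ? 'yes' : 'no');
printf("benign array still recognised: %s\n", isSerializedSafe($benign) ? 'yes' : 'no');
```

Restricting classes closes the object-instantiation path; the stronger fix is to not call unserialize() on request data at all and to have callers that store serialized values mark them explicitly rather than rely on a probe.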
Forms submitted to the following URLs were discovered to be vulnerable:
http://[IP]/Banners/add/1 [name parameter]
http://[IP]/Glossary/add/1 [term parameter]
http://[IP]/RandomDataPopulator/add/1 [name parameter]
http://[IP]/audiences/add/1 [name parameter]
http://[IP]/branches/add/1 [name parameter]
http://[IP]/categories/add/1 [name parameter]
http://[IP]/certificates/add/1 [name parameter]
http://[IP]/curriculums/add/1 [name parameter]
http://[IP]/discussions/course-id/180/add-topic/1/popup/1 [title parameter]
http://[IP]/jobs/add/1 [name parameter]
http://[IP]/payments/op/price_tracks/add/1 [discount_type parameter]
http://[IP]/reports/op/courses [filter_name parameter]
http://[IP]/skill-tests/add/1/quick-add/1 [name parameter]
http://[IP]/skills/add/1 [name parameter]
2019-07-29 - Vendor disclosure
2019-07-31 - Vendor acknowledged issues under review
2019-08-13 - Vendor acknowledged work to fix issues & testing
2019-08-30 - Vendor patched/released new version
2019-09-03 - Public disclosure
Discovered by Yuri Kramarz of Security Advisory EMEAR