VanishedPeople/CVE-2023-4220

CVE-2023-4220 PoC
Chamilo LMS Unauthenticated Big Upload File RCE

This repository contains a Proof of Concept (PoC) for CVE-2023-4220, a Remote Code Execution (RCE) vulnerability affecting Chamilo LMS. This vulnerability allows unauthenticated attackers to exploit a large file upload feature, leading to arbitrary code execution on the server.

Vulnerability Details

  • CVE ID: CVE-2023-4220
  • CVSS Base Score: 8.1
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vulnerability Type: Remote Code Execution (RCE)
  • Affected Software: Chamilo LMS <= 1.11.24
  • CVE Description: The vulnerability exists due to insufficient validation during file upload in Chamilo LMS. An attacker can upload a large malicious file that gets executed by the server, leading to RCE. This flaw is exploitable without authentication.

Disclaimer

Important

This repository is intended for educational purposes and lawful research only. Use this code responsibly and only on systems you have permission to test. The author assumes no liability for any damages caused by misuse of the information provided.

Abstract

What is an LMS

A learning management system is a software application or web-based technology used to plan, implement and assess a specific learning process. It's used for e-learning practices and, in its most common form, consists of two elements: a server that performs the base functionality and a user interface (UI) that is operated by instructors, students and administrators.

What is Chamilo

Chamilo is an open-source PHP-based Learning Management System (LMS) that facilitates online education and training. It offers features such as course creation, content management, assessments, collaboration and delivering educational resources.

Requirements

  • Python 3.x
  • The requests, argparse and time libraries (argparse and time ship with Python's standard library)
  • Vulnerable Chamilo LMS instance

Note

This PoC has been tested using Python 3.11.9, requests 2.32.3 and Chamilo 1.11.

Usage

Setup

  1. Clone the Repository:

    Clone the repository and navigate into its directory.

    git clone https://github.com/VanishedPeople/CVE-2023-4220.git
    cd CVE-2023-4220
  2. Install the dependencies:

    pip install -r requirements.txt

Exploit Steps

  1. Identify Target: Confirm that the target Chamilo LMS instance runs an affected version.

  2. Run the Exploit: Execute the exploit script with the target's URL.

  3. Upload Malicious Payload: The exploit script will upload a malicious file to the target Chamilo LMS instance by leveraging the big file upload feature.

  4. Trigger Remote Code Execution: After the upload, the malicious file gets executed on the server, giving the attacker remote code execution capabilities.

  5. Outcome: You should see a shell or the execution of commands on the server, depending on the payload and option used.

Examples

Check if the LMS is vulnerable

python3 main.py --url <URL> -m check

Upload a webshell, leading to RCE

python3 main.py --url <URL> --mode webshell

Spawning a reverse shell

python3 main.py --url <URL> --mode revshell

Mitigation

To mitigate this vulnerability, update Chamilo LMS to the latest version, in which this issue is addressed. It is also recommended to implement strict validation and authentication for file uploads to avoid similar vulnerabilities.
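
The validation and authentication checks recommended above, sketched as an added example (not code from this repository or from Chamilo, and not the project's actual patch). It is written in Python, the PoC's language; `store_upload`, the allowlist, the size limit and the `user_id` session value are assumptions made for illustration.

```python
import os
import secrets
from pathlib import Path

# Assumed policy: the only types this sketch accepts, with their magic bytes.
ALLOWED = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n",
           ".jpg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04"}
MAX_BYTES = 50 * 1024 * 1024  # assumed size limit


class UploadRejected(Exception):
    """Raised when an upload fails any check; nothing is written to disk."""


def store_upload(user_id, client_name, data, upload_dir):
    """Validate an upload, then store it under a server-chosen name.

    user_id is None when the request carries no authenticated session
    (hypothetical session lookup). upload_dir is assumed to lie outside
    the web root, so stored files are never served as scripts.
    Returns the Path written, or raises UploadRejected.
    """
    if user_id is None:
        raise UploadRejected("authentication required")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Keep only the last path component: drops ../ and absolute paths.
    base = os.path.basename(client_name.replace("\\", "/"))
    # Exactly one suffix, and it must be allowlisted. This refuses
    # script extensions, double extensions (x.php.jpg) and dotfiles.
    suffixes = [s.lower() for s in Path(base).suffixes]
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED:
        raise UploadRejected("extension not allowed")
    ext = suffixes[0]
    # The content must start with the magic bytes of the claimed type.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # The client never controls the stored name.
    dest = Path(upload_dir) / (secrets.token_hex(16) + ext)
    # O_EXCL never overwrites; mode 0o640 sets no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```

A magic-byte check alone does not stop polyglot files; the allowlisted extension and the storage location outside the web root are what keep a stored file from being interpreted by the server.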

References

Authors

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
