## https://sploitus.com/exploit?id=B9FBDFF3-02B6-5B4E-9BE4-4D9E10F0AD54
<h1 id="title" style="text-align: center;">
  CVE-2023-4220 PoC <br> Chamilo LMS Unauthenticated Big Upload File RCE
</h1>

This repository contains a Proof of Concept (PoC) for **CVE-2023-4220**, a Remote Code Execution (RCE) vulnerability affecting **Chamilo LMS**. This vulnerability allows unauthenticated attackers to exploit a large file upload feature, leading to arbitrary code execution on the server.

## Index
- [CVE-2023-4220 PoC - Chamilo LMS Unauthenticated Big Upload File RCE](#title)
  - [Index](#index)
  - [Vulnerability Details](#vulnerability-details)
  - [Disclaimer](#disclaimer)
  - [Abstract](#abstract)
    - [What is a LMS](#what-is-a-lms)
    - [What is Chamilo](#what-is-chamilo)
  - [Requirements](#requirements)
  - [Usage](#usage)
    - [Setup](#setup)
    - [Exploit Steps](#exploit-steps)
    - [Examples](#examples)
  - [Mitigation](#mitigation)
  - [References](#references)
  - [Authors](#authors)
  - [License](#license)

## Vulnerability Details

- **CVE ID**: CVE-2023-4220
- **CVSS Base Score:** 8.1
- **Vector String:** CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- **Vulnerability Type**: Remote Code Execution (RCE)
- **Affected Software**: Chamilo LMS <= 1.11.24
- **CVE Description**: The vulnerability exists due to insufficient validation during file upload in Chamilo LMS. An attacker can upload a large malicious file that gets executed by the server, leading to RCE. This flaw is exploitable without authentication.

## Disclaimer

> [!IMPORTANT]
> This repository is intended for educational purposes and lawful research only. Use this code responsibly and only on systems you have permission to test. The author assumes no liability for any damages caused by misuse of the information provided.

## Abstract

### What is a LMS
A learning management system is a software application or web-based technology used to plan, implement and assess a specific learning process. It's used for e-learning practices and, in its most common form, consists of two elements: a server that performs the base functionality and a user interface (UI) that is operated by instructors, students and administrators.

### What is Chamilo
Chamilo is an open-source PHP-based Learning Management System (LMS) that facilitates online education and training. It offers features such as course creation, content management, assessments, collaboration and delivering educational resources.

## Requirements

- Python 3.x
- `requests` library (`argparse` and `time` are part of the Python standard library)
- Vulnerable Chamilo LMS instance

> [!NOTE]
> This PoC has been tested using Python 3.11.9, requests 2.32.3 and Chamilo 1.11.

## Usage

### Setup

1. **Clone the Repository:**

    Clone the repository and navigate into its directory.
    ```bash
    git clone https://github.com/VanishedPeople/CVE-2023-4220.git
    cd CVE-2023-4220
    ```
2. **Install the dependencies:**

    ```bash
    pip install -r requirements.txt
    ```

### Exploit Steps

1. **Identify Target**:
   Confirm that the target Chamilo LMS instance is running an affected version.

2. **Run the Exploit**:
   Execute the exploit script with the target's URL.

3. **Upload Malicious Payload**:
   The exploit script will upload a malicious file to the target Chamilo LMS instance by leveraging the big file upload feature.

4. **Trigger Remote Code Execution**:
   After the upload, the malicious file gets executed on the server, giving the attacker remote code execution capabilities.

5. **Outcome**:
   You should see a shell or the execution of commands on the server, depending on the payload and option used.

### Examples

Check if the LMS is vulnerable
```bash
python3 main.py --url <URL> -m check
```
Upload a [webshell](https://www.imperva.com/learn/application-security/web-shell/), leading to [RCE](https://www.cloudflare.com/learning/security/what-is-remote-code-execution)
```bash
python3 main.py --url <URL> --mode webshell
```

Spawning a reverse shell
```bash
python3 main.py --url <URL> --mode revshell
```
 
## Mitigation

To mitigate this vulnerability, update Chamilo LMS to the latest version in which this issue is addressed. It is also recommended to enforce strict validation and authentication on file uploads to avoid similar vulnerabilities.
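
For defenders checking whether an instance was already hit, the upload-then-execute sequence described under Exploit Steps leaves a recognizable trace in web server access logs. The following is an added example, not part of this repository's code: it flags successful responses for script files served from the upload directory. `UPLOAD_HANDLER`, `UPLOAD_DIR` and the sample log lines are hypothetical placeholders that must be replaced with the paths of your own installation.

```python
import re
from urllib.parse import unquote

# Hypothetical placeholders (not from the page): set to the big-upload handler
# URL path and the directory it writes to in your own Chamilo installation.
UPLOAD_HANDLER = "/PLACEHOLDER/upload-handler.php"
UPLOAD_DIR = "/PLACEHOLDER/uploads/"
# Extensions a PHP-enabled web server is commonly configured to execute.
EXEC_EXT = (".php", ".phtml", ".phar")

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scripts_served_from_upload_dir(lines):
    """Flag 2xx responses for script files inside the upload directory.

    Returns (client_ip, request_target, uploaded_first) tuples; uploaded_first
    is True when the same client had a successful POST to the handler earlier.
    """
    uploaders, findings = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, method, target, status = m.groups()
        path = unquote(target.split("?", 1)[0]).lower()
        if not status.startswith("2"):
            continue  # rejected uploads and 404s are not evidence of execution
        if method == "POST" and path == UPLOAD_HANDLER.lower():
            uploaders.add(ip)
        elif path.startswith(UPLOAD_DIR.lower()) and path.endswith(EXEC_EXT):
            findings.append((ip, target, ip in uploaders))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "POST /PLACEHOLDER/upload-handler.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /PLACEHOLDER/uploads/notes.php HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /PLACEHOLDER/uploads/slides.pdf HTTP/1.1" 200 9000 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /PLACEHOLDER/uploads/old.phtml HTTP/1.1" 200 15 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:10:07:00 +0000] "GET /PLACEHOLDER/uploads/x.php HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:10:08:00 +0000] "POST /PLACEHOLDER/upload-handler.php HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in scripts_served_from_upload_dir(SAMPLE_LOG):
        print(finding)
```

A finding with `uploaded_first` set to `False` still deserves review, since an upload directory has no reason to serve scripts and the upload may have come from a different address or predate the log window.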

## References

- [Official CVE Entry](https://vulners.com/cve/CVE-2023-4220)
- [Chamilo LMS Website](https://chamilo.org/)
- [Authorized target example](https://www.hackthebox.com/machines/permx)
- [Additional Information](https://starlabs.sg/advisories/23/23-4220/)

## Authors

- **mag4no10** - [Beacons Profile](https://beacons.ai/mag4no10)
- **NoexPenDev** - [Beacons Profile](https://beacons.ai/noexpendev)

## License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.