Improper permission management leads to privilege escalation in Chamilo LMS

Security for Newbie VSEC - BLOG

Introduction:

On April 22, 2020, I wanted to find a CVE for myself, and after some searching I chose Chamilo LMS. This is the second vulnerability I found in Chamilo LMS 1.11.10. I had high hopes that this vulnerability would be given a high score, but the outcome was that Chamilo didn’t know how to assign a CVE to me, so sad :3

I typically write my blogs in a cheerful and playful style, but today I’ll attempt to write like a thoughtful young man. That’s enough rambling like a madman; let’s exploit.

 

Environment:

Version tested: Chamilo LMS 1.11.10 for PHP 7.3.

Web server: Apache/2.4.41 (Debian).

Issue: a user holding only Sessions administrator privileges can create new users and grant them full administrator rights, because the role submitted in the edit request is applied without a server-side check of the acting user’s own privilege.

 

PoC:

Step 1: Log in with the ‘abcd’ account, which has Sessions administrator rights.

Step 2: Create a new user named ‘654’.

Step 3: Click the button to edit ‘654’.

Step 4: With Burp Suite intercepting, click “Save”, then modify the request body as follows:

Step 5: Log in to the ‘654’ account. BOOM!! Now, ‘654’ is an administrator.
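The bug class behind the PoC, as an added example that is not Chamilo’s code: a hypothetical user-update handler that applies a client-supplied role field without checking whether the acting user may grant it, next to a hardened version that makes the privilege decision server-side from the actor’s own role. The role names, the `role` form field and the handler structure are assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical role names; Chamilo's real status values are not reproduced here.
ROLE_ADMIN = "admin"
ROLE_SESSION_ADMIN = "session_admin"
ROLE_USER = "user"


class Forbidden(Exception):
    """Raised when the acting user is not allowed to perform the update."""


@dataclass
class User:
    username: str
    role: str


def _require_some_admin(actor: User) -> None:
    # Gate shared by both handlers: only some kind of administrator may edit users.
    if actor.role not in (ROLE_ADMIN, ROLE_SESSION_ADMIN):
        raise Forbidden("not an administrator")


def update_user_vulnerable(actor: User, target: User, form: dict) -> User:
    """Bug class from the PoC: the submitted role is applied without checking
    whether the actor is allowed to grant it, so a session administrator who
    tampers with the request body can promote a user to platform administrator."""
    _require_some_admin(actor)
    target.role = form.get("role", target.role)
    return target


def update_user_fixed(actor: User, target: User, form: dict) -> User:
    """Hardened: the privilege decision is derived from the actor's own role
    on the server, never from the client-controlled request body."""
    _require_some_admin(actor)
    requested = form.get("role", target.role)
    if actor.role != ROLE_ADMIN:
        # A session administrator may neither grant admin rights nor edit an admin.
        if requested == ROLE_ADMIN or target.role == ROLE_ADMIN:
            raise Forbidden("session administrators cannot assign or edit admin rights")
    target.role = requested
    return target


def outcome(handler, actor: User, target: User, form: dict) -> str:
    """Resulting role of the target, or 'forbidden' if the handler refused."""
    try:
        return handler(actor, target, form).role
    except Forbidden:
        return "forbidden"
```

With the constructed actor `User("abcd", ROLE_SESSION_ADMIN)` and target `User("654", ROLE_USER)`, the vulnerable handler returns `"admin"` for a tampered `{"role": "admin"}` body while the fixed handler returns `"forbidden"`.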

Okay, done!

At the end of the blog, I want to express my gratitude to my new friend, Hoang Kien. He has helped me a lot during the exploitation of this vulnerability.