Headline
CVE-2019-5069: TALOS-2019-0858 || Cisco Talos Intelligence Group
A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
Summary
A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
Tested Versions
Epignosis eFront LMS v5.2.12
Product URLs
https://www.efrontlearning.com/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-502 - Deserialization of Untrusted Data
Details
Cisco Talos discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.
The following proof of concept demonstrates the issue:
POST /audiences/add/1 HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[IP]/audiences/add/1
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
DNT: 1
Connection: close
Cookie: PHPSESSIDfb411=aaaaaaaa;
Upgrade-Insecure-Requests: 1
ratio=undefined&_qf__audience_properties_form=&qfS_csrf=abc&name=[UNSERIALIZED DATA]&description=jh&active=1&branches_ID=&submit=Add
The following code is responsible for all observed unsafe unserializations:
205 public function set($property, $value, $type = null) {
206 // $this->$property translates to the variable name, for example $this->_name or $this->_address:
207 if ($value !== $this->$property) {
208 // The default type to check against is 'generic', which cuts off non-scalar values:
209 !empty($type) OR $type = 'generic';
210
211 if (!empty($value) && BaseModel::checkParameter($value, $type) === false) {
212 throw new EfrontException("Invalid type '{$type}' for '{$property}'");
213 }
214
215 if ($value && $type == 'generic' && @unserialize($value) === false) {
216 $value = htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8',false);
217 } else if ($value && $type == 'wysiwig') {
218 $value = TemplateController::purify($value);
219 }
220
221 $this->$property = $value;
222 $this->_must_persist = true;
223 }
224
225 return $this;
226 }
Forms submitted to the following URLs were discovered to be vulnerable:
http://[IP]/Banners/add/1 [name parameter]
http://[IP]/Glossary/add/1 [term parameter]
http://[IP]/RandomDataPopulator/add/1 [name parameter]
http://[IP]/audiences/add/1 [name parameter]
http://[IP]/branches/add/1 [name parameter]
http://[IP]/categories/add/1 [name parameter]
http://[IP]/certificates/add/1 [name parameter]
http://[IP]/curriculums/add/1 [name parameter]
http://[IP]/discussions/course-id/180/add-topic/1/popup/1 [title parameter]
http://[IP]/jobs/add/1 [name parameter]
http://[IP]/payments/op/price_tracks/add/1 [discount_type parameter]
http://[IP]/reports/op/courses [filter_name parameter]
http://[IP]/skill-tests/add/1/quick-add/1 [name parameter]
http://[IP]/skills/add/1 [name parameter]
Timeline
2019-07-29 - Vendor disclosure
2019-07-31 - Vendor acknowledged issues under review
2019-08-13 - Vendor acknowledged work to fix issues & testing
2019-08-30 - Vendor patched/released new version
2019-09-03 - Public disclosure