ILIAS RCE Via PHP File Inclusion

Two vulnerabilities in the ILIAS learning management < 5.4.10 system were found which can be chained together to achieve remote code execution via an authenticated user.

Author: Holger Fuhrmannek

Vulnerability 1: Local PHP File Inclusion Via Import Of Personal Data

The ILIAS system has the feature to export and import personal data of a user via a zip file. The zip file contains a manifest.xml. It’s possible to trigger an inclusion and execution of a local php file via a manipulated manifest.xml. To achieve this the Component attribute of the ExportFile tag has to be manipulated e.g.:

<?xml version="1.0" encoding="utf-8"?>
<Manifest MainEntity="personal_data" Title="" TargetRelease="5.4.0" InstallationId="0" InstallationUrl="">
<ExportFile Component="../../../../../../../../../../<path to dir of local file>" 
Path="Services/User/set_1/export.xml"/>
</Manifest>

There are some constraints to the path of the imported file because e.g. something like “classes/class.il..Importer.php” will be automatically added.

Vulnerability 2: Information Leak of Data Directory Via Workspace Upload

An ILIAS user can upload and unpack a zip file via the “My Workspace” feature. An error can be triggered if file permissions are stored in the zip file so that ILIAS can’t delete the temporary zip content after uploading. Such a zip file can be for example created with the following commands:

mkdir -p /tmp/t/classes;
touch /tmp/t/classes/cantdelete;
chmod 555 /tmp/t/classes;
cd /tmp;
zip -r /tmp/test.zip ./t

If such a zip file is uploaded an error is triggered which shows the full path to the data directory e.g:

{"error":"unlink(\/var\/ILIASdata\/ILIAS\/default\/temp\/tmp5e247b72a3067\/t\/classes\/cantdelete): 
Permission denied","debug":null}

This works even if the php setting display_errors is set to Off and the error_reporting value is set to the recommended settings (E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT).

The vulnerabilities can be chained together to achieve remote code execution. The path to the data directory is very helpful to exploit the file inclusion issue.