Classcms v2.5 and below is affected by an arbitrary file upload vulnerability, tracked as CVE-2022-25581, in the \class\classupload component. Because the upload handler does not properly validate what it stores, an attacker can place attacker-controlled code on the server. This post walks through the vulnerable logic, the public references, the exploitation path and the fixes.

Vulnerability Analysis

Classcms's \class\classupload component handles file uploads. It decides whether to keep a file by checking its extension against a denylist, so any extension that is not on that list is written to disk under the name the client supplied, with no check of the file's contents. The public description of CVE-2022-25581 states that a crafted .txt file is enough to get attacker-supplied code executed on the server.

Here is a simplified snippet of the vulnerable code in \class\classupload (elided parts are marked // ...):

public function Upload()
{
    // ...
    // $denyExtension is a blocklist: only the extensions listed there are refused
    if (in_array($file['extension'], $denyExtension))
    {
        // ... upload rejected
    }
    else
    {
        // every other extension is written to disk under the client-chosen name,
        // without looking at the file's contents
        if (move_uploaded_file($file['tmp_name'], $uploadFilename))
        {
            // ...
        }
    }
}

As we can see, the check is a denylist: the extension is compared against $denyExtension and anything not listed is moved into the upload directory. A denylist can never enumerate every name a web server might hand to the PHP interpreter, and this one does nothing about the contents of the file, so a .txt file carrying PHP code passes the check and is stored as-is. Allowlisting extensions and checking content against the claimed type is the correct pattern; a denylist is the root cause here, not the specific .txt case.

Original References

The vulnerability was reported by an independent security researcher. More details are available in the following references:
- CVE-2022-25581 vulnerability details (CVE/NVD entry)
- Classcms v2.5 security advisory

To exploit this vulnerability, an attacker can follow these steps:

1. Craft a .txt file containing PHP code, such as a minimal web shell. For example:

<?php
system($_GET['cmd']);
?>

2. Utilize the Classcms file upload feature to upload the crafted .txt file to a server running Classcms v2.5 or below.

3. Once the file is on disk, the attacker requests it over HTTP and passes the command to run in the cmd parameter.

For instance, if the uploaded file is reachable at https://example.com/uploads/malicious.txt, a request to https://example.com/uploads/malicious.txt?cmd=id runs the id command on the server. Note that a file served under a .txt name only executes when the web server hands it to the PHP interpreter (for example through a handler or rewrite rule that applies to the upload directory); the public advisory does not spell out how the crafted .txt reaches that state, so treat the exact request above as illustrative. The defect that needs fixing regardless is that the upload handler lets the submitter choose both the name and the contents of a file that lands in a web-served directory.

Mitigation

To prevent exploitation of this vulnerability, update Classcms to a version newer than v2.5; the Classcms developers have released a patch addressing this issue in a newer release.

In addition, as a temporary countermeasure, server administrators can harden the upload path themselves: replace the extension denylist with an allowlist of the types the site actually needs, verify that a file's contents match the claimed type, store uploads under a server-generated name, and configure the web server so that nothing in the upload directory is ever passed to the PHP interpreter (ideally by keeping uploads outside the web root and serving them through a download script). Blocking ".txt files containing executable code" is not a workable rule on its own, because the extension says nothing about the content, and file permissions do not stop the web server from executing a file it has been told to interpret.
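The following is an added example, not Classcms code and not the project's patch. It puts the denylist pattern from the analysis above beside the hardened check described in this mitigation section, and runs both over a few constructed uploads (a real PNG header, a PHP web shell named .txt, and the same shell named .phtml) to show which ones each approach lets through. The function names, the $allowExtension map of extension to magic bytes, and the sample uploads are all assumptions made for illustration.

```php
<?php
// Added example (not Classcms code). Function names, $allowExtension and the
// sample uploads below are assumptions constructed for illustration.

// The shape of the vulnerable check: anything not on the list is accepted.
function denylist_accepts(string $filename, array $denyExtension): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $denyExtension, true);
}

// Hardened replacement: allowlist the extension, require the content's magic
// bytes to match that extension, refuse PHP open tags, and discard the
// client-supplied name in favour of a server-generated one.
// Returns the name to store under, or null to reject.
function hardened_accepts(string $filename, string $content, array $allowExtension): ?string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($allowExtension[$ext])) {
        return null;                       // not explicitly allowed: reject
    }
    $magic = $allowExtension[$ext];        // expected leading bytes for this type
    if (strncmp($content, $magic, strlen($magic)) !== 0) {
        return null;                       // extension and content disagree
    }
    if (strpos($content, '<?') !== false) {
        return null;                       // defence in depth: no PHP open tags anywhere
    }
    // Random name, single allowlisted extension, no path component from the client.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: a PNG header, and a PHP web shell under two names.
$uploads = [
    ['name' => 'avatar.png',  'content' => "\x89PNG\r\n\x1a\n" . 'fake pixel data'],
    ['name' => 'notes.txt',   'content' => "<?php system(\$_GET['cmd']); ?>"],
    ['name' => 'shell.phtml', 'content' => "<?php system(\$_GET['cmd']); ?>"],
];
$denyExtension  = ['php', 'php5'];                                   // denylist pattern
$allowExtension = ['png' => "\x89PNG", 'jpg' => "\xFF\xD8\xFF"];     // allowlist + magic bytes

foreach ($uploads as $u) {
    $deny = denylist_accepts($u['name'], $denyExtension) ? 'accepted' : 'rejected';
    $hard = hardened_accepts($u['name'], $u['content'], $allowExtension) ?? 'rejected';
    printf("%-12s denylist: %-8s hardened: %s\n", $u['name'], $deny, $hard);
}
```

Running it shows the denylist accepting both notes.txt and shell.phtml (neither extension is on the list) while the hardened check rejects both and accepts only the PNG, under a random server-chosen name. The '<?' scan is a belt-and-braces measure that can in principle false-positive on binary image data; the check that matters is that the server never executes anything from the upload location, which the web server configuration, not the PHP handler, has to guarantee.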

This write-up should give sufficient understanding of CVE-2022-25581 in Classcms v2.5 and below, along with what is needed to mitigate the risk of the arbitrary file upload.

Timeline

Published on: 03/18/2022 23:15:00 UTC
Last modified on: 03/28/2022 18:24:00 UTC