Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

TCExam Multiple Vulnerabilities

Medium

Synopsis

Tenable has discovered multiple vulnerabilities in TCExam 14.2.2 on Ubuntu 18.04 with XAMPP 7.4.4-1.

A remote, unauthenticated attacker is able to gain administrative access to the application by exploiting cross-site scripting and cross-site request forgery vulnerabilities in combination.

CVE-2020-5743: Authenticated Insecure direct object reference /public/code/tce_popup_test_info.php

Insecure direct object reference in tce_popup_test_info.php allows for authenticated, low privileges student users (level 1 and above) to view test metadata for tests they don't have permission to access. The test ID can be specified in the HTTP GET parameter 'testid'.

For example, the start time, end time, test length, max score, points to pass the exam, etc are accessible.

Proof of Concept

CVE-2020-5744: Authenticated Directory Traversal / Arbitrary File Read /admin/code/tce_edit_backup.php

Directory traversal in tce_edit_backup.php allows for an authenticated user to read the contents of arbitrary files on disk. By default, the user must be level 10 (admin) and have permission to download backup files and exploit this vulnerability.

Specifically, the 'backup_file' HTTP POST parameter is not validated sufficiently. For example, the /etc/passwd file can be read by specifying multiple leading '../' sequences.

Code Snippet:

$file_to_download = K_PATH_BACKUP.$backup_file;
Proof of Concept

CVE-2020-5745: Cross-site Request Forgery (CSRF)

CSRF allows an unauthenticated attacker to forge application requests via crafted links or forms. An attacker could trick a legitimate user (e.g. admin) into clicking a link that would then fire off a valid application request for which the user has permission to perform.

For example, an admin could be tricked into granting the attacker admin privileges.

To edit a user this way using CSRF, we just need to know the user id. In my database, which should be the default setup, user id 1 is an anonymous user, and user id 2 is admin. Note that this works even if K_CHECK_SESSION_FINGERPRINT is true if the victim clicks the attacker's button in the same browser as the valid session.

This can also be used to change a random user's username and password (and anything else, e.g. the privilege level) by entering the values desired for username/pass/privilege level, etc. and choosing a random user_id (3 for example).

Proof of Concept

Please note that the IP address would have to be changed to target the “victim” TCExam application.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.0.206/tcexam-develop/admin/code/tce_edit_user.php" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="user&#95;id" value="2" />
      <input type="hidden" name="user&#95;name" value="admin" />
      <input type="hidden" name="user&#95;email" value="" />
      <input type="hidden" name="x&#95;user&#95;email" value="" />
      <input type="hidden" name="xl&#95;user&#95;email" value="email" />
      <input type="hidden" name="newpassword" value="newtest3" />
      <input type="hidden" name="x&#95;newpassword" value="" />
      <input type="hidden" name="xl&#95;newpassword" value="password" />
      <input type="hidden" name="newpassword&#95;repeat" value="newtest3" />
      <input type="hidden" name="DISABLED&#95;user&#95;regdate" value="2002&#45;04&#45;01&#32;01&#58;01&#58;01" />
      <input type="hidden" name="user&#95;regdate" value="2002&#45;02&#45;02&#32;01&#58;01&#58;01" />
      <input type="hidden" name="DISABLED&#95;user&#95;ip" value="" />
      <input type="hidden" name="user&#95;ip" value="" />
      <input type="hidden" name="user&#95;level" value="10" />
      <input type="hidden" name="user&#95;regnumber" value="" />
      <input type="hidden" name="user&#95;firstname" value="" />
      <input type="hidden" name="user&#95;lastname" value="" />
      <input type="hidden" name="user&#95;birthdate" value="" />
      <input type="hidden" name="x&#95;user&#95;birthdate" value="" />
      <input type="hidden" name="xl&#95;user&#95;birthdate" value="date&#32;of&#32;birth" />
      <input type="hidden" name="user&#95;birthplace" value="" />
      <input type="hidden" name="user&#95;ssn" value="" />
      <input type="hidden" name="user&#95;otpkey" value="" />
      <input type="hidden" name="confirmupdate" value="1" />
      <input type="hidden" name="update" value="update" />
      <input type="submit" value="Click me for free money" />
    </form>
  </body>
</html>

CVE-2020-5746: Authenticated Stored Cross-site Scripting (XSS) in index.php

Stored XSS allows an authenticated attacker (level 5+) to inject malicious JavaScript when creating tests. For example, a test can be created and assigned to all groups with the test name field filled with HTML script tags containing JavaScript. Upon login, this script will execute for all users assigned to a group. This includes the admin.

More specifically, in shared/code/tce_functions_test.php there’s a function F_testInfoLink($test_id, $link_name = “”) that is called with the unsanitized test name as the $link_name via index.php’s F_getUserTests() call.

Proof of Concept

CVE-2020-5747: Authenticated Stored Cross-site Scripting (XSS) in tce_test_allresults.php

Stored XSS allows an authenticated attacker to inject malicious JavaScript when creating tests. Operators (level 5) or higher can create a new test whose name contains Javascript script tags. In public/code/tce_test_allresults.php there’s a call to F_printTestResultStat() that is called with the unsanitized test name. This will be output without sanitization, causing the Javascript in the test name to execute whenever someone accesses public/code/tce_test_allresults.php and has access to results from a test with a crafted name. So, like previous, the test_name stores the XSS, but it’s executed differently.

Proof of Concept

CVE-2020-5748: Unauthenticated Stored Cross-site Scripting (XSS) in tce_edit_user.php

Stored XSS allows an unauthenticated attacker to inject malicious JavaScript when performing self-registration. Specifically, the username field can be crafted to contain HTML script tags.

When an admin updates or deletes a username containing Javascript tags in tce_edit_user.php, the Javascript will be executed due to a call to F_print_error() with the username passed as the second parameter, which displays the username without any sanitization.

Please note that F_print_error() is called with unsanitized user input in other locations (tce_edit_group.php, tce_edit_subject.php, tce_edit_module.php, tce_edit_test.php, and tce_edit_sslcerts.php) leading to the same issue.

Proof of Concept

CVE-2020-5749: Authenticated Stored Cross-site Scripting (XSS) in /admin/code/tce_edit_module.php

Stored XSS allows an authenticated attacker to inject malicious JavaScript when creating a group. Specifically, the group name can be crafted to contain HTML script tags. This group can then be assigned to other users. When a user with this group name (and operator or higher privileges) navigates to tce_edit_module.php, the malicious JavaScript will execute.

Code snippet:

367 while ($mg = F_db_fetch_array($rg)) {
368 echo ' · '.$mg['group_name'].'';
Proof of Concept

CVE-2020-5750: Unauthenticated Stored Cross-site Scripting (XSS) in /admin/code/tce_show_online_users.php

Stored XSS allows an unauthenticated attacker to inject malicious JavaScript when performing self-registration. Specifically, the first and last name fields can be crafted to contain HTML script tags. If they then log in this Javascript will run when an admin navigates to admin/code/tce_show_online_users.php.

Code snippet:

122 if (F_isAuthorizedEditorForUser($this_session['session_user_id'])) {
123 echo ''.$user_str.'';
124 } else {
125 echo $user_str;
126 }

Where $user_str is set with the first and last names of the user.

Proof of Concept

CVE-2020-5751: Authenticated Stored Cross-site Scripting (XSS) in /admin/code/tce_edit_module.php

Stored XSS allows an authenticated attacker to inject malicious JavaScript into the first and last name of an operator. An administrator can change the first or last name of an operator(or any non-admin user who can edit modules, by default though just the operator) to contain Javascript script tags. This will be executed when the operator navigates to admin/code/tce_edit_module.php.

Code snippet:

332 echo '('.$m['user_name'].')'.$m['user_lastname'].' '.$m['user_firstname'].''.K_NEWLINE;

Only executed when an operator, not admin, user goes to tce_edit_module.php

Proof of Concept

Solution

Upgrade to TCExam 14.2.3 or later.

Disclosure Timeline

05/05/2020 - Tenable asks [email protected] for designated security contact.
05/05/2020 - Tecnick replies that [email protected] can be used.
05/06/2020 - Vulnerabilities disclosed to [email protected] 90-day date set to August 4, 2020.
05/06/2020 - TCExam reports that these issues were addressed in 14.2.3. Asks if we can confirm.
05/07/2020 - Tenable confirms that these are fixed. Informs TCExam of our intent to release an advisory today and CVE assignments.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.