Chamilo is a learning management system. Chamilo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the vulnerability allows an administrator to execute arbitrary code on the server. This issue has been patched in version 1.11.26.
Chamilo LMS versions 1.11.12 to 1.11.26 are vulnerable to remote code execution (RCE) due to a post-authentication phar unserialize vulnerability within the virtualization plugin. An attacker with administrator privileges can exploit this flaw to execute arbitrary code on the server, potentially leading to complete system compromise and data exfiltration.
Step 1: Authentication: The attacker must first authenticate as an administrator within the Chamilo LMS.
Step 2: Payload Creation: The attacker crafts a malicious PHAR archive. This archive contains a serialized PHP object that, when unserialized, will execute arbitrary code (e.g., a reverse shell).
Step 3: Payload Delivery: The attacker uploads or otherwise injects the malicious PHAR archive into a location accessible by the vchamilo plugin. This might involve abusing a feature of the plugin that processes user-supplied files.
Step 4: Triggering the Vulnerability: The attacker invokes the plugin functionality that processes the uploaded file, which causes unserialize() to run on the attacker-controlled PHAR archive.
Step 5: Code Execution: The unserialize() function executes the malicious code embedded within the PHAR archive, resulting in remote code execution (RCE) on the server.
The vulnerability stems from the insecure handling of serialized data within the vchamilo plugin. Specifically, the plugin fails to properly validate user-supplied input when deserializing PHAR archives. This allows an attacker to craft a malicious PHAR archive containing serialized PHP objects. When the plugin attempts to deserialize this archive, the attacker-controlled objects are instantiated, leading to the execution of arbitrary code. The root cause is a lack of input validation and sanitization before the unserialize() function is called on data originating from a potentially untrusted source (the administrator). This allows for arbitrary code execution by leveraging the phar unserialize gadget chain.
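As an added defensive illustration (not code from Chamilo or the vchamilo plugin), the following PHP shows the two controls that close this class of bug: unregistering the phar stream wrapper where the application never needs it, and validating any user-supplied path before it reaches filesystem functions such as file_exists(), since those functions are what trigger unserialize() on a phar:// path. The function name safeResolvePath and the directory value are assumptions.

```php
<?php
// Added example, not Chamilo's own code. Names and paths below are hypothetical.
declare(strict_types=1);

// Mitigation 1: if the application never opens .phar archives at runtime, remove the
// wrapper. Any later file operation on a phar:// path then fails instead of
// deserializing the archive's metadata.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * Mitigation 2: resolve a user-supplied path against an allowed base directory.
 * Returns the canonical path, or null if the input is rejected.
 */
function safeResolvePath(string $baseDir, string $userPath): ?string
{
    // Reject any stream-wrapper scheme (phar://, data://, ftp://, ...) outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        return null;
    }
    // Reject embedded NUL bytes, which can truncate the path in C-level calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $candidate === false) {
        return null;
    }
    // The canonical path must stay inside the base directory (no ../ escape).
    if ($candidate !== $base && strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage: a plugin that only expects files inside its own data directory
// (placeholder directory; adjust to the deployment).
$pluginDataDir = '/path/to/plugin/data';
$resolved = safeResolvePath($pluginDataDir, $_GET['file'] ?? '');
if ($resolved === null) {
    http_response_code(400);
    exit('invalid path');
}
// Only after validation is it safe to call file_exists(), is_file(), filesize(), etc.
$exists = file_exists($resolved);
```

Unregistering the wrapper is the broader control, because it also covers code paths that do not pass through the validating function.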