During an assessment, I identified
a severe security vulnerability within Open eClass, an e-learning platform
extensively utilized across educational institutions, notably within Greece,
where it is deployed by virtually all Greek Universities and educational
entities. Open eClass, developed by GUnet (Greek Universities Network), is
instrumental in delivering asynchronous e-learning services. The vulnerability,
cataloged under CVE-2024-26503, involves an unrestricted file upload flaw that
enables remote code execution (RCE), impacting versions 3.15 and earlier of the
platform. This critical security lapse presents a significant risk, potentially
allowing unauthorized access and control over the system, thereby compromising
the integrity and security of the educational infrastructure.
Affected Versions:
● version <= 3.15
CVSSv3.1 Base Score: 9.1 (Critical)
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitation Guide
The vulnerability can be exploited by following these steps:
1. Log in as an Administrator
The initial step requires an attacker to have administrative access to the Open eClass platform.
2. Navigate to the Badge/Certificate Administration Page.
By selecting the option to add a new badge icon, the attacker proceeds to the file upload functionality.
Figure 5: Open eClass upload web.php
Content of web.php
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
5. Execute Remote Commands.
Once the malicious file is uploaded, it can be accessed directly via a web browser or a tool like curl to execute system commands remotely.
Warning: You can also abuse the Edit functionality of a badge to achieve RCE.
Figure 7: Open eClass Edit badge
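The root cause described above is server-side trust in the uploaded badge icon's name and declared type. The following is an added example written for this advisory, not code from Open eClass or GUnet, showing how an icon upload handler can be hardened and how an existing icon directory can be checked for planted scripts. The function names, the form field name `icon`, the directory path and the size limit are assumptions; the same validation must run on the Edit path as well, since the warning above notes that replacing an existing badge icon reaches the same upload code.

```php
<?php
// Added example (not Open eClass code): hardening a badge-icon upload against
// the unrestricted-upload flaw described above, plus an audit of an existing
// icon directory. Function names, paths and the form field name are assumptions.

declare(strict_types=1);

// Content types that a badge icon may have, mapped to the extension we assign.
const ALLOWED_ICON_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
const MAX_ICON_BYTES = 512 * 1024;   // assumed limit for an icon

// Matches a PHP open tag (<?php, <?= or a bare <? followed by whitespace).
const PHP_TAG_PATTERN = '/<\?(?:php\b|=|\s)/i';

/**
 * Validate one entry of $_FILES. Returns ['ok' => true, 'ext' => 'png'] or
 * ['ok' => false, 'reason' => '...']. Only the file contents decide the type;
 * the client-supplied name and MIME type are never consulted.
 */
function validateBadgeIcon(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error ' . $file['error']];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    if ($file['size'] > MAX_ICON_BYTES) {
        return ['ok' => false, 'reason' => 'file too large'];
    }
    // Sniff the real MIME type from the bytes, not from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_ICON_TYPES[$mime])) {
        return ['ok' => false, 'reason' => "disallowed content type $mime"];
    }
    // Require the file to actually decode as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return ['ok' => false, 'reason' => 'content does not decode as an image'];
    }
    // A valid image header can still carry PHP in its trailing bytes
    // (image/PHP polyglot), so reject any PHP open tag anywhere in the body.
    $body = file_get_contents($file['tmp_name']);
    if ($body !== false && preg_match(PHP_TAG_PATTERN, $body)) {
        return ['ok' => false, 'reason' => 'embedded PHP tag'];
    }
    return ['ok' => true, 'ext' => ALLOWED_ICON_TYPES[$mime]];
}

/**
 * Store a validated icon under a random, server-chosen name. The original
 * filename, and any .php or double extension it carried, is discarded.
 * $iconDir should be served with script execution disabled.
 */
function storeBadgeIcon(array $file, string $iconDir): ?string
{
    $check = validateBadgeIcon($file);
    if (!$check['ok']) {
        error_log('badge icon rejected: ' . $check['reason']);
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $check['ext'];
    $dest = rtrim($iconDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

/**
 * Post-incident check for an already-deployed instance: list files in the icon
 * directory whose extension is not an image type or whose bytes contain a PHP
 * open tag, which is what a planted web.php looks like on disk.
 */
function auditBadgeIconDir(string $iconDir): array
{
    $suspicious = [];
    $allowedExt = array_flip(ALLOWED_ICON_TYPES) + ['jpeg' => 'image/jpeg'];
    foreach (new DirectoryIterator($iconDir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $ext  = strtolower($entry->getExtension());
        $body = (string) file_get_contents($entry->getPathname());
        if (!isset($allowedExt[$ext]) || preg_match(PHP_TAG_PATTERN, $body)) {
            $suspicious[] = $entry->getFilename();
        }
    }
    return $suspicious;
}

// Usage (assumed form field "icon" and assumed directory):
// $stored = storeBadgeIcon($_FILES['icon'], '/var/www/eclass/courses/badges');
// print_r(auditBadgeIconDir('/var/www/eclass/courses/badges'));
```

The design point is that none of the checks depend on anything the client sends: type comes from content sniffing plus a successful image decode, the stored name is generated server-side, and the directory is expected to be configured so the web server will not execute scripts in it. `auditBadgeIconDir` is the check an operator of an unpatched instance would run before and after upgrading, since a file rejected by the new validator may already be present from earlier uploads.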