Skip to content

Skotizo/CVE-2021-43129

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2021-43129

Vulnerability in D2L Brightspace’s Learning Management System(LMS)

Vulnerability Type:

CWE-668: Exposure of Resource to Wrong Sphere

Vendor of Product:

Desire2Learn/D2L

Affected Product Code Base:

D2L Brightspace’s Learning Management System(LMS)

Tested version: 20.21.7

D2L announced that the "Disable Right Click" setting will be retired in August 2022.

Affected Component:

Quizzing's "Disable Right Click" setting

Attack Type:

Remote

Impact Escalation of Privileges:

True

Attack Vectors:

The remote quiz taker can remove "&ispriv=&drc=1" from the quiz URL, reload, and have full privilege to highlight text, copy and paste via keyboard controls, and print the test data via keyboard controls.

Methodology and Description

While taking quizzes with the setting "Disable right click" enabled, I found it can disabled by removing data from the GET request. The "Disable Right Click" setting is used to prevent users from having the privilege to highlight text, copy and paste via keyboard controls, and print the test data via keyboard controls. An exploit can remove the "Disable Right Click" setting completely for a remote user taking the quiz.

Proof of Concept

After starting a quiz with the "Disable right click" setting enabled, the users search bar will contain this highlighted data. 1 The quizzes "Disable right click" setting acts as intended in its current state. When using CRTL+P results in this popup message.

2

If the quiz taker to remove "&ispriv=&drc=1" and reloads the page, the user now has the priviledge to highlight text, copy and paste via keyboard controls, and print the test data via keyboard controls. 3

The ou and qi elements GET request data were removed because they are personally identifying and does not effect the vulnerability. I disclosed this vulnerability privately and gave time to remediate in order to strengthen the integrity of the D2L's LMS application.


Simplified POC

The request to load the quiz with the "Disable Right click" function enabled.

https://domain.com/d2l/lms/quizzing/user/attempt/quiz_start_frame_auto.d2l?ou=123456&isprv=&drc=1&qi=123456&cfql=0&dnb=0&fromQB=0

The request to load the quiz and disable the "Disable Right click" setting.

https://domain.com/d2l/lms/quizzing/user/attempt/quiz_start_frame_auto.d2l?ou=123456&qi=123456&cfql=0&dnb=0&fromQB=0

Timeline

  • Initial disclosure to D2L - 08/10/2021

  • D2L acknowledged the vulnerability - 08/11/2021

  • Payment recieved for disclosure of vulnerability - 09/10/2021

  • CVE ID request - 10/27/2021

  • D2L announced "Disable Right click" retirement in August, 2022 - 02/15/2022

  • CVE-2021-43129 assigned - 3/30/2022

  • Public Disclosure - 4/15/2022

  • CVE description updated - 4/19/2022

  • Issued request to change CVE-2021-43129 discription based upon D2L suggestion - 4/20/2022

  • NIST updated the webpage with the CWE and CWSS

Releases

No releases published

Packages

No packages published