ATutor-Instructor-Backup-Exploit

Exploit Title: ATutor 2.2.4 'Backup' Remote Command Execution (CVE-2019-12170)
Google Dork: inurl:/ATutor/login.php
Date: 5/13/2019
Exploit Author: liquidsky (Joseph McPeters)
Vendor Homepage: https://atutor.github.io/
Software Link: https://sourceforge.net/projects/atutor/files/latest/download
Version: < 2.2.4 (Versions 2.2.4 and prior seem to be affected)
Tested on: Windows 7 with XAMPP / Linux 3.16.0-4-amd64 with version 2.2.4 and 2.2.1
Authors Site: http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12170

ATutor 2.2.4 is vulnerable to arbitrary file uploads via the backup function that may result in remote command execution.

First login with the instructor account and select a course:

#1 http://[atutor address]/atutor/bounce.php?course=1

Then navigate to "Manage"

#2 http://[atutor address]/atutor/tools/index.php

Next select Backups/Upload

#3 http://[atutor address]/atutor/mods/_core/backups/upload.php

From here a specially crafted backup zip file i.e "pwned_backup.zip" can be uploaded that will result in remote command execution.

The PoC arbitrary file can be found at: http://[atutor address]/atutor/content/1/pwned/poc.PhP

or

C:\xampp\htdocs\ATutor\content\1\pwned\poc.PhP

Note: The "1" in the address will change based on the course number and the "content" directory may be different. However by default the installation calls for the dir name to be "content". This has been tested on both linux/windows installations.

A copy of the PoC zip file (pwned_backup.zip) can be downloaded: https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File

Screenshots included to show exact steps to successfully reenact exploit.

Update: There is no fix for this issue ATutor is no longer being maintained. [5/22/19]

Directory traversal is also possible if the content directory is not in the webroot.

For more information on a directory traversal proof of concept check out: https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit/

    CVE-2019-12170: https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File
    CVE-2019-12169: https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit

Name		Name	Last commit message	Last commit date
Latest commit History 27 Commits
1_Atutor_Course.jpg		1_Atutor_Course.jpg
2_Atutor_Manage.jpg		2_Atutor_Manage.jpg
3_Atutor_Backups.jpg		3_Atutor_Backups.jpg
4_Atutor_Upload.jpg		4_Atutor_Upload.jpg
5_Atutor_pwned_backup.jpg		5_Atutor_pwned_backup.jpg
6_Atutor_restore.jpg		6_Atutor_restore.jpg
7_Atutor_Success.jpg		7_Atutor_Success.jpg
8_Atutor_Payload.jpg		8_Atutor_Payload.jpg
README.md		README.md
pwned_backup.zip		pwned_backup.zip

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

ATutor-Instructor-Backup-Exploit

About

Releases

Packages

fuzzlove/ATutor-Instructor-Backup-Arbitrary-File

Folders and files

Latest commit

History

Repository files navigation

ATutor-Instructor-Backup-Exploit

About

Topics

Resources

Stars

Watchers

Forks

Releases

Packages 0

Packages