• Services:

University uses old version with known Vulnerabilities

We could not find out how exactly the attack happened, because none of the involved institutions have given us a statement yet. An analysis of the software however brought up some details that may give a hint.

  1. Hays AG, Weissach
  2. TÜV SÜD Gruppe, München

In our research we were able to see the version of Ilias on the affected web page via the Google cache. According to that the site was operated with Ilias version 5.1.16. This version was released a year ago in March 2017. Since then, many security updates have been issued that apparently weren't installed.

The upload of SVG files enabled a cross-site scripting vulnerability, another cross-site scripting vulnerability was found due to a lack of filtering of form inputs. In some situations, a flaw in the delivery of e-mails could cause the delivery of system mails to the wrong user. In October 2017 a vulnerability in the handling of media files was found, though no details about the impact were published. In early February 2018, another cross site scripting vulnerability was found.

Exploiting such vulnerabilities usually requires the attacker tricking the victim into clicking on a malicious link or accessing a specific portion of a site containing attacker-controlled code. This is usually more complicated to exploit than some other classes of vulnerabilities that allow immediate code execution or the extraction and manipulation of data. But for a professional attacker it is still a realistic scenario.

A severe vulnerability was fixed in the version 5.1.16 that the University had used. According to the description it allowed copying files to arbitrary places on the file system. That would probably make it relatively easy to completely take over an installation and execute code. This vulnerability was fixed in the version that was active until a few days ago, but according to previous reports the attack had started several months before it was detected in December 2017.

Administrator account with default Password "homer"

During the analysis of Ilias we found another weakness. After a fresh installation of the system a default account with administrator permissions is created. This is assigned the username "root" and the password "homer". The user is not asked to change the default password. Therefore it's possible that the default password was simply never changed.

We found no easy way to directly execute code with an administrator account, but of course it is possible that such a vector exists and we simply haven't found it.

It's also possible that the attack happened with a yet unknown vulnerability or with login data that was stolen via phishing. The Ilias system is quite extensive and has many possibilities for users to interact with it. File uploads of various media formats, a wiki, a plugin system and a lot of other features provide a large attack surface.

Approved by NATO

During our research we found a report from 2008. According to this, NATO tested the Ilias software for three days and didn't find any security flaws. Ilias can therefore be used in NATO's internal network Chronos. Also according to the report, Ilias was used by NATO to prepare soldiers for the ISAF mission in Afghanistan.

Please notice: The German version of this article can be read here.

 Government Hack: Hack on German Government via E-Learning Software Ilias
  2. 1
  3. 2

  1. und Assassins Creed Odyssey, Strange Brigade und Star Control Origins kostenlos dazu erhalten
  2. 915€ + Versand
  3. mit Gutschein: HARDWARE50 (nur für Neukunden, Warenwert 104 - 1.000 Euro)

hg (Golem.de) 12. Mär 2018

Wir haben in diesem Fall auch eine englische Version des Artikels gemacht, weil wir die...

Folgen Sie uns

Microsoft Surface Go - Test

Das Surface Go mag zwar klein sein, darin steckt jedoch ein vollwertiger Windows-10-PC. Der kleinste Vertreter von Microsofts Produktreihe überzeigt als Tablet in Programmen und Spielen. Das Type Cover ist weniger gut.

Microsoft Surface Go - Test Video aufrufen
Pixel 3 und Pixel 3 XL im Hands on: Googles Smartphones mit verbesserten Kamerafunktionen
Pixel 3 und Pixel 3 XL im Hands on
Googles Smartphones mit verbesserten Kamerafunktionen

Google hat das Pixel 3 und das Pixel 3 XL vorgestellt. Bei beiden neuen Smartphones legt das Unternehmen besonders hohen Wert auf die Kamerafunktionen. Mit viel Software-Raffinessen sollen gute Bilder auch unter widrigen Umständen entstehen. Die ersten Eindrücke sind vielversprechend.
Ein Hands on von Ingo Pakalski

  1. BQ Aquaris X2 Pro im Hands on Ein gelungenes Gesamtpaket mit Highend-Funktionen

Neuer Echo Dot im Test: Amazon kann doch gute Mini-Lautsprecher bauen
Neuer Echo Dot im Test
Amazon kann doch gute Mini-Lautsprecher bauen

Echo Dot steht bisher für muffigen, schlechten Klang. Mit dem neuen Modell zeigt Amazon, dass es doch gute smarte Mini-Lautsprecher mit dem Alexa-Sprachassistenten bauen kann, die sogar gegen die Konkurrenz von Google ankommen.
Ein Test von Ingo Pakalski

    Apple Watch im Test: Auch ohne EKG die beste Smartwatch
    Apple Watch im Test
    Auch ohne EKG die beste Smartwatch

    Apples vierte Watch verändert das Display-Design leicht - zum Wohle des Nutzers. Die Uhr bietet immer noch mit die beste Smartwatch-Erfahrung, auch wenn eine der neuen Funktionen in Deutschland noch nicht funktioniert.
    Ein Test von Tobias Költzsch

    1. Smartwatch Apple Watch Series 4 mit EKG und Sturzerkennung
    2. Smartwatch Apple Watch Series 4 nur mit sechs Modellen
    3. Handelskrieg Apple Watch und anderen Gadgets drohen Strafzölle

      •  /