Correct answer Information Disclosure in TCExam

Posted on Fri 15 January 2016 in news

This is an odd one. Apparently I have a magnet for unusual vulns.

If we agree that this is a security issue, and not just a software bug, or a cat, it's a good example of how much damage an information leak can do. In most cases I've come across, a disclosure is not a big deal unless it can be used together with other vulns to do some damage. In this case, it's just one instance of information disclosure that has the potential of causing all the pain.

Sometime ago, right before the Certified Ethical Hacker (CEH) exam was about to start, while the instructor was saying things along the lines of "everybody in this room will pass", I was getting ready to start capturing the traffic with wireshark, because we had been told to access an online exam platform over plain HTTP, and I thought "I'm going to capture the exam traffic for later examination", so I fired wireshark and let it capture all the traffic throughout the hour-long exam.

After the exam I spent some time looking at the traffic, and I noticed a repeating pattern in the HTML rendered for each question. The <input> element for each multiple-choice answer had an id attribute with a numeric value indicating in which position the answer was inserted, and even though the answers were randomly positioned on the page, the lowest id would always be the right answer. Woah.

Later on I looked in depth at TCExam, the PHP-based exam platform used during the CEH exam (and by many other institutions and companies), and I found out that there was one condition for the lowest id to be the right answer: that answer had to be the first one inserted into the question when creating the exam.

As it turns out, the fist answer to be inserted is almost always the right one. This is what the software manual instructs users, and it's also the logical thing to do when you're creating questions. Think about it, it makes sense.

Let's visualize this:

"TCExam right answer disclosure"

In the image above, answerid_1 was the first answer to be inserted when the question was created, and because of that, it used the lowest id out of all the possible answers (ids 1,2,3 and 4), therefore disclosing which one was the right answer.

The consequences of this are pretty obvious. Students taking exams with TCExam could cheat if they were aware of this. Fraudulent results could be claimed by institutions. Even when the first answer to be inserted is not the right one, in most cases there will be a pattern of how the answers were inserted, and as long as the end user can figure that out, the right answer can be predicted.

In the case of the CEH exam I took, 100% of the questions were predictable. I did not cheat though, after all, it was the CEH. Ahem.

And that's it. I downloaded several versions of TCExam, verified that they were vulnerable, contacted the author -who was very responsive-, he applied a patch and the issue was fixed.