Researchers Exploited Remote Code Execution Moodle Platform
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
The popular learning platform Moodle was found to have a critical vulnerability that allowed for remote code execution, which was caused by an improper sanitization of user input that could be exploited to inject malicious code into the system.
The attackers were able to bypass the existing sanitization mechanisms and execute arbitrary PHP code on the server.
Moodle released patches for the vulnerability in versions 4.4.2, 4.3.6, 4.2.9, and 4.1.12 on August 10, 2024.
Moodle, a widely used learning management system, is designed to facilitate online learning, and a key feature of Moodle is its ability to generate calculated questions for quizzes, which use variables (wildcards) enclosed in curly braces to create different numerical questions.
The penetration test revealed a security vulnerability in this feature, allowing potential attackers to exploit the calculated questions to execute malicious code.
Moodle allows trainers to define formulas for answer checking in calculated questions. Shockingly, these formulas are evaluated using the eval() function, which can be exploited to run arbitrary code.
There’s some basic validation in place (possibly due to past vulnerabilities), but if it passes, any string is fed directly to eval(). The challenge is to craft a formula that bypasses validation and injects malicious code that can be executed.
The validation function in `question/type/calculated/questiontype.php` checks formula input for PHP comments and restricts allowed mathematical functions.
It replaces variables with 1.0 and converts the formula to lowercase before validating its structure using regular expressions.
The function checks for correct function arguments and operators and returns an error message if any invalid syntax or unsupported functions are found.
The final check verifies that only allowed operators and numbers remain in the formula.
While the function effectively prevents certain types of malicious code, it is still vulnerable to exploitation through specific variable manipulations, especially in older PHP versions.
notifications about the selected course being deleted
The vulnerability allows attackers to execute arbitrary PHP functions by manipulating the answer formula in calculated questions.
While this method is limited to functions with a single numerical parameter, it can still be exploited to delete courses or reveal sensitive information through functions like `phpinfo()`.
After saving the question, an error “Exception – system(): Argument #1 ($command) cannot be empty” is returned:
Attackers can achieve this by defining a calculated question with a variable whose value matches the target course ID and then modifying the answer formula to include the desired function name and the variable.
The Red Team discovered a remote code execution vulnerability in Moodle by exploiting a syntax error in the PHP interpreter and found that curly braces could be used to access object properties, allowing them to execute arbitrary functions with a single numeric parameter.
#Cyber_Security_Research #Exploit #Vulnerability #Moodle_Security #Remote_Code_Execution_(RCE) #Vulnerability_Patch
Оригинальная версия на сайте:
Researchers Exploited Remote Code Execution Moodle Platform
Author: Aman MishraThe popular learning platform Moodle was found to have a critical vulnerability that allowed for remote code execution, which was caused by an improper sanitization of user input that could be exploited to inject malicious code into the system.
The attackers were able to bypass the existing sanitization mechanisms and execute arbitrary PHP code on the server.
Moodle released patches for the vulnerability in versions 4.4.2, 4.3.6, 4.2.9, and 4.1.12 on August 10, 2024.
Moodle, a widely used learning management system, is designed to facilitate online learning, and a key feature of Moodle is its ability to generate calculated questions for quizzes, which use variables (wildcards) enclosed in curly braces to create different numerical questions.
The penetration test revealed a security vulnerability in this feature, allowing potential attackers to exploit the calculated questions to execute malicious code.
Moodle allows trainers to define formulas for answer checking in calculated questions. Shockingly, these formulas are evaluated using the eval() function, which can be exploited to run arbitrary code.
There’s some basic validation in place (possibly due to past vulnerabilities), but if it passes, any string is fed directly to eval(). The challenge is to craft a formula that bypasses validation and injects malicious code that can be executed.
The validation function in `question/type/calculated/questiontype.php` checks formula input for PHP comments and restricts allowed mathematical functions.
It replaces variables with 1.0 and converts the formula to lowercase before validating its structure using regular expressions.
The function checks for correct function arguments and operators and returns an error message if any invalid syntax or unsupported functions are found.
The final check verifies that only allowed operators and numbers remain in the formula.
While the function effectively prevents certain types of malicious code, it is still vulnerable to exploitation through specific variable manipulations, especially in older PHP versions.
notifications about the selected course being deletedThe vulnerability allows attackers to execute arbitrary PHP functions by manipulating the answer formula in calculated questions.
While this method is limited to functions with a single numerical parameter, it can still be exploited to delete courses or reveal sensitive information through functions like `phpinfo()`.
After saving the question, an error “Exception – system(): Argument #1 ($command) cannot be empty” is returned:Attackers can achieve this by defining a calculated question with a variable whose value matches the target course ID and then modifying the answer formula to include the desired function name and the variable.
The Red Team discovered a remote code execution vulnerability in Moodle by exploiting a syntax error in the PHP interpreter and found that curly braces could be used to access object properties, allowing them to execute arbitrary functions with a single numeric parameter.
#Cyber_Security_Research #Exploit #Vulnerability #Moodle_Security #Remote_Code_Execution_(RCE) #Vulnerability_Patch
Оригинальная версия на сайте:
