Moodle File Disclosure Vulnerability

Systems Affected                Moodle series <1.6.9+, <1.7.7+, <1.8.9, <1.9.5
Severity                        Critical
Probability of being vulnerable Rather Low
Vendor                          http://moodle.org/
Filed Bug                       #MDL-18552
Author                          Christian J. Eibl
Date                            20090327

I. BACKGROUND

Moodle is an open source, web-based learning management system used all
over the world by educational institutions, schools, and companies. See
the vendor homepage for details.

II. DESCRIPTION

An input filter for TeX formulas can be exploited to disclose any file
readable by the web server. This includes the Moodle configuration file,
which holds all authentication data and the server locations needed to
connect directly to the backend database.

The TeX filter is off by default, and even where it is activated, most
server systems will not have a complete LaTeX environment available.

III. DETECTION OF VULNERABILITY

Since Moodle 1.6, a complete LaTeX environment is preferred over the
shipped mimetex program for rendering TeX formulas to images that can
be included in HTML pages.

In any text input area, e.g., a forum, type something like "$$ \jobname
$$" (without quotes). If the result looks like

- "$$ \jobname $$": TeX filter not activated
- "[jobname ?]": TeX filter activated, but mimetex used
- "a91dbb..." (hash): TeX filter active and LaTeX used (vulnerable)

Since LaTeX itself is very powerful for file inclusion and even file
writes, the vulnerability depends on the LaTeX environment and its
configuration.

IV. EXPLOIT PoC

If LaTeX is not configured to restrict file inclusion (the default!),
both absolute and relative paths can be used. As a proof of concept,
enter:

"$$ \input{/etc/passwd} $$"

If the system is vulnerable, this reads the /etc/passwd file and renders
its contents into an image included in the text. Hence, the content is
disclosed.

Rendering takes place in a temporary folder by default, which should not
be within the scope of the web server. Otherwise even arbitrary code
could be injected to compromise the whole web environment.

By using relative paths together with background knowledge of Moodle's
path organization, it is easy to disclose the configuration file with
its sensitive data.

V. WORKAROUND

Several alternatives:

1) deactivate the TeX filter, if it is not needed
2) use the more restrictive mimetex program for rendering
3) change the LaTeX configuration (set "openin_any=p" for paranoid!)

... or upgrade to the latest development version, where the patch
should be applied by now.
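
The following Python script is an added example, not part of this
advisory and not Moodle's code. It shows the two defender-side checks
behind workarounds 2 and 3: classifying the kpathsea "openin_any" value
(as reported by "kpsewhich --var-value=openin_any" on a TeX Live or teTeX
system, where "p" is the paranoid level the workaround asks for), and
rejecting submitted formulas that carry file-reading control sequences
before they ever reach the latex binary. The denylist, function names
and sample formulas are constructed for this example.

```python
"""Defender-side checks for a TeX formula filter.

Added example (not Moodle's or the advisory author's code). It shows:
  1. how to classify the kpathsea ``openin_any`` setting that workaround 3
     refers to (``p`` = paranoid), as reported by
     ``kpsewhich --var-value=openin_any`` on a TeX Live / teTeX system;
  2. how to reject user-supplied formulas that use file-reading control
     sequences before they are passed to ``latex`` (defense in depth).
"""
import re
import subprocess
from typing import List, Optional

# Meanings of openin_any as documented in kpathsea's texmf.cnf:
#   a = any file, r = restricted (no dotfiles),
#   p = paranoid (no dotfiles, no absolute paths, no ".." above the cwd).
OPENIN_LEVELS = {"a": "any", "r": "restricted", "p": "paranoid"}

# Control sequences that read or write files, plus the mechanisms TeX
# offers to rebuild such names at run time (\csname, \catcode changes,
# \makeatletter exposing LaTeX's internal \@@input). Constructed denylist
# for this example; it is not exhaustive, so it complements openin_any=p
# rather than replacing it.
FILE_CONTROL_SEQUENCES = (
    "input", "include", "InputIfFileExists", "openin", "read",
    "openout", "write", "csname", "catcode", "makeatletter", "@@input",
)
# A control word ends at the first non-letter, so "\input1" and "\input{"
# both match while an unrelated macro such as "\inputx" does not.
_CS_RE = re.compile(
    r"\\(?:" + "|".join(re.escape(n) for n in FILE_CONTROL_SEQUENCES)
    + r")(?![A-Za-z])"
)


def openin_level(value: str) -> str:
    """Map a raw openin_any value ('a', 'r', 'p', any case) to its name.

    Anything unrecognised is treated as 'any', the least restrictive level.
    """
    return OPENIN_LEVELS.get(value.strip().lower(), "any")


def openin_is_paranoid(value: str) -> bool:
    """True only when the setting matches the advisory's workaround 3."""
    return openin_level(value) == "paranoid"


def query_openin_any() -> Optional[str]:
    """Ask the installed kpathsea for its effective openin_any value.

    Returns None when kpsewhich is missing or fails, i.e. there is no
    LaTeX environment and Moodle would fall back to mimetex (section III).
    """
    try:
        proc = subprocess.run(
            ["kpsewhich", "--var-value=openin_any"],
            capture_output=True, text=True, check=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout.strip() or None


def dangerous_control_sequences(formula: str) -> List[str]:
    """Return every denylisted control sequence in the formula, in order."""
    return [m.group(0) for m in _CS_RE.finditer(formula)]


def formula_is_safe(formula: str) -> bool:
    """Accept a formula only if it has no file primitives and no ^^ escapes.

    The ^^ notation lets TeX spell any character (including the backslash)
    as a hex code, which would otherwise slip past a textual denylist.
    """
    return "^^" not in formula and not dangerous_control_sequences(formula)


if __name__ == "__main__":
    # Constructed samples: a harmless formula and the advisory's PoC shape.
    for sample in (r"\frac{a}{b} + \sqrt{x}", r"\input{/etc/passwd}"):
        print(f"{sample!r}: safe={formula_is_safe(sample)} "
              f"flagged={dangerous_control_sequences(sample)}")
    raw = query_openin_any()
    print("openin_any:", raw, "->",
          openin_level(raw) if raw else "no kpsewhich found")
```

Run it on the web server host that performs the rendering: an output of
"openin_any: a -> any" is the unrestricted default the PoC relies on, and
only "paranoid" corresponds to workaround 3. The formula denylist is a
second line of defense for installations that keep LaTeX rendering; it
blocks the obvious \input, \openin and \read forms and the common ways of
reconstructing them, but a filesystem-level restriction (openin_any=p) or
switching to mimetex is what actually removes the read capability.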

VI. TIMELINE

20090312 Bug discovered
20090313 Vendor contact / Bug filed (MDL-18552)
20090314 Response and confirmation by vendor
20090315 First patch proposed
20090327 Bug marked resolved and patch in tree

# milw0rm.com [2009-03-27]