bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/7437.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

154 lines
5.2 KiB
Text
Executable file
Raw Blame History

Moodle 1.9.3 Remote Code Execution
Name Remote Code Execution in Moodle
Systems Affected Moodle 1.9.3 and possibly earlier versions
Severity High
Impact (CVSSv2) High 7.3/10, vector: (AV:N/AC:L/Au:M/C:P/I:P/A:C)
Vendor http://moodle.org/
Advisory http://www.ush.it/team/ush/hack-moodle193/moodle193.txt
Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (evilaliv3 AT
digitalbullets DOT org)
Date 20081212
I. BACKGROUND
>From the Moodle web site: "Moodle is a course management system (CMS) -
a free, Open Source software package designed using sound pedagogical
principles, to help educators create effective online learning
communities".
II. DESCRIPTION
A Remote Code Execution exists in Moodle 1.9.3.
III. ANALYSIS
- Remote Code Execution (RCE) in texed.php (pathname parameter)
A Remote Code Execution (RCE) vulnerability has been found in
filter/tex/texed.php. In order to exploit this vulnerability
register_globals must be enabled as the "TeX Notation" filter.
All these conditions reduce the impact of the vulnerability, to remark
this fact we have set "multiple authentication" flag in the cvss2 score).
In texed.php we find the following instructions:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$cmd = tex_filter_get_cmd($pathname, $texexp);
system($cmd, $status);
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Where the function "tex_filter_get_cmd", defined in lib.php, is the
following:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
function tex_filter_get_cmd($pathname, $texexp) {
$texexp = escapeshellarg($texexp);
$executable = tex_filter_get_executable(false);
if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS ==
"Windows")) {
$executable = str_replace(' ', '^ ', $executable);
return "$executable ++ -e \"$pathname\" -- $texexp";
} else {
return "\"$executable\" -e \"$pathname\" -- $texexp";
}
}
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
As we can see no check is performed on the "$pathname" parameter neither
in "texed.php" neither in the "tex_filter_get_cmd" function declared in
"lib.php".
Seen this it's possible to exploit this vulnerability to execute
arbitrary commands on the target server. The following urls are proof
of concept for Linux and Windows:
On Linux:
http://www.example.com/moodle/filter/tex/texed.php?formdata=foo&pathname=foo";ls+-l;echo+"
On Windows:
http://www.example.com/moodle/filter/tex/texed.php?formdata=foo&pathname=foo"+||+dir+||+echo+
This RCE is "blind". You'll never see the list dir of the example
because there is no print of the system command output.
IV. DETECTION
Moodle 1.9.3 and possibly earlier versions are vulnerable.
V. WORKAROUND
Proper input validation will fix the vulnerabilities. Actually the
vulnerability is fixed in the Dev tree.
Upgrade to latest development version.
VI. VENDOR RESPONSE
Vendor will not release a new version addressing this vulnerability
since moodle has several different issues with register globals and
the vendor decided to resolve them in a different way for the upcoming
versions.
"At present we are working on changes that will prevent installation when
register globals on. They should be committed later this week. I suppose
we are not going to release 1.9.4 now because register globals issue is
a know problem already."
VII. CVE INFORMATION
No CVE at this time.
VIII. DISCLOSURE TIMELINE
20080121 Bug discovered
20081111 Initial vendor contact (No Response)
20081811 Second vendor contact (No Response)
20081811 Vendor response
20081212 Advisory released (Fix available only in dev tree)
IX. CREDIT
Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni
"evilaliv3" Pellerano are credited with the discovery of this
vulnerability.
Antonio "s4tan" Parata
web site: http://www.ictsc.it/
mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it
Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it
Giovanni "evilaliv3" Pellerano
mail: evilaliv3 AT digitalbullets DOT it
X. LEGAL NOTICES
Copyright (c) 2008 Francesco "ascii" Ongaro
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
# milw0rm.com [2008-12-12]
Reference in a new issue View git blame Copy permalink