Researchers Exploited Remote Code Execution in Moodle Platform


The popular learning platform Moodle was found to have a critical remote code execution vulnerability caused by improper sanitization of user input, which could be exploited to inject malicious code into the system.

The attackers were able to bypass the existing sanitization mechanisms and execute arbitrary PHP code on the server.


Moodle released patches for the vulnerability in versions 4.4.2, 4.3.6, 4.2.9, and 4.1.12 on August 10, 2024.

Moodle, a widely used learning management system, is designed to facilitate online learning. One of its features is the calculated question type for quizzes, which uses variables (wildcards) enclosed in curly braces so that one question template can produce many different numerical questions.

The penetration test revealed a security vulnerability in this feature, allowing potential attackers to exploit the calculated questions to execute malicious code. 

Moodle allows trainers to define formulas for answer checking in calculated questions. Notably, these formulas are evaluated with PHP's eval() function, so any formula that reaches that call is executed as PHP code.


There is some basic validation in place (likely added in response to past vulnerabilities), but any string that passes it is fed directly to eval(). The challenge for an attacker is therefore to craft a formula that passes validation yet still carries code that eval() will execute.

The validation function in `question/type/calculated/questiontype.php` checks the formula for PHP comments and restricts which mathematical functions may be used.

It replaces the wildcard variables with 1.0 and converts the formula to lowercase before validating its structure with regular expressions.

The function checks for correct function arguments and operators and returns an error message if any invalid syntax or unsupported functions are found.

The final check verifies that only allowed operators and numbers remain in the formula. 

While the function blocks many obvious injection attempts, it can still be bypassed through specific manipulations of the wildcard variables, especially on older PHP versions.
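As an added illustration (this is neither Moodle's code nor the researchers' exploit), the following PHP sketch puts a regex-style pre-check in the spirit of the one described above next to a small recursive-descent evaluator that never hands the formula to eval(). The allowlist, the class and function names, and the sample dataset values and formulas are all assumptions made here; the sketch targets PHP 8.0 or later.

```php
<?php
// Added illustration, not Moodle's code and not the researchers' exploit.
// Part 1 sketches the style of check the article describes (wildcards -> 1.0,
// lowercase, function allowlist, "only numbers and operators remain" test).
// Part 2 replaces eval() with a recursive-descent evaluator, so the formula
// text is never executed as PHP. Assumes PHP 8.0+; all names here are ours.
declare(strict_types=1);

const ALLOWED_FUNCS = ['abs' => 1, 'sqrt' => 1, 'sin' => 1, 'cos' => 1, 'pow' => 2, 'round' => 1, 'pi' => 0];

// Part 1: pattern-based pre-check. Returns null when the text merely "looks" fine.
function pattern_validate(string $formula): ?string {
    if (preg_match('~/\*|//|#~', $formula)) return 'comments are not allowed';
    $f = strtolower(preg_replace('/\{[a-z][a-z0-9]*\}/i', '1.0', $formula));
    preg_match_all('/([a-z_][a-z0-9_]*)\s*\(/', $f, $m);
    foreach ($m[1] as $name) {
        if (!isset(ALLOWED_FUNCS[$name])) return "function '$name' is not allowed";
    }
    $rest = preg_replace('/\b(' . implode('|', array_keys(ALLOWED_FUNCS)) . ')\b/', '', $f);
    return preg_match('/^[0-9.+\-*\/(),\s]*$/', $rest) ? null : 'unexpected characters';
}

// Part 2: tokenize and parse the formula ourselves. Wildcards are looked up as
// data, only ALLOWED_FUNCS can be called, and malformed input is an error.
final class SafeFormula {
    private array $tokens = [];
    private int $pos = 0;

    public static function evaluate(string $formula, array $vars): float {
        $p = new self(trim($formula), $vars);
        $v = $p->expr();
        $p->expect('eof');                       // no trailing garbage allowed
        return $v;
    }
    private function __construct(string $formula, private array $vars) {
        $re = '/\s*(?:(\d+(?:\.\d+)?)|\{([a-z][a-z0-9]*)\}|([a-z_][a-z0-9_]*)|([-+*\/(),]))/Ai';
        $off = 0;
        while ($off < strlen($formula)) {
            if (!preg_match($re, $formula, $m, 0, $off)) throw new InvalidArgumentException("bad input at offset $off");
            $off += strlen($m[0]);
            if ($m[1] !== '')             $this->tokens[] = ['num', (float)$m[1]];
            elseif (($m[2] ?? '') !== '') $this->tokens[] = ['var', strtolower($m[2])];
            elseif (($m[3] ?? '') !== '') $this->tokens[] = ['id', strtolower($m[3])];
            else                          $this->tokens[] = ['op', $m[4]];
        }
        $this->tokens[] = ['eof', null];
    }
    private function accept(string $type, ?string $val = null): bool {
        [$t, $v] = $this->tokens[$this->pos];
        if ($t !== $type || ($val !== null && $v !== $val)) return false;
        $this->pos++;
        return true;
    }
    private function expect(string $type, ?string $val = null): void {
        if (!$this->accept($type, $val)) throw new InvalidArgumentException('expected ' . ($val ?? $type) . " at token {$this->pos}");
    }
    private function expr(): float {            // expr := term (('+'|'-') term)*
        $v = $this->term();
        while (true) {
            if ($this->accept('op', '+'))     $v += $this->term();
            elseif ($this->accept('op', '-')) $v -= $this->term();
            else return $v;
        }
    }
    private function term(): float {            // term := unary (('*'|'/') unary)*
        $v = $this->unary();
        while (true) {
            if ($this->accept('op', '*'))     $v *= $this->unary();
            elseif ($this->accept('op', '/')) {
                $d = $this->unary();
                if ($d == 0.0) throw new DivisionByZeroError('division by zero');
                $v /= $d;
            } else return $v;
        }
    }
    private function unary(): float {           // unary := '-' unary | atom
        return $this->accept('op', '-') ? -$this->unary() : $this->atom();
    }
    private function atom(): float {            // atom := num | {var} | id '(' args ')' | '(' expr ')'
        [$t, $v] = $this->tokens[$this->pos++];
        if ($t === 'num') return $v;
        if ($t === 'var') {
            if (!array_key_exists($v, $this->vars)) throw new InvalidArgumentException("unknown wildcard {{$v}}");
            return (float)$this->vars[$v];      // the dataset value is data, never spliced into code
        }
        if ($t === 'op' && $v === '(') { $r = $this->expr(); $this->expect('op', ')'); return $r; }
        if ($t !== 'id') throw new InvalidArgumentException($t === 'eof' ? 'unexpected end of formula' : "unexpected '$v'");
        if (!isset(ALLOWED_FUNCS[$v])) throw new InvalidArgumentException("function '$v' is not allowed");
        $this->expect('op', '(');
        $args = [];
        if (!$this->accept('op', ')')) {
            do { $args[] = $this->expr(); } while ($this->accept('op', ','));
            $this->expect('op', ')');
        }
        if (count($args) !== ALLOWED_FUNCS[$v]) throw new InvalidArgumentException("$v takes " . ALLOWED_FUNCS[$v] . ' argument(s)');
        return (float)$v(...$args);             // $v is one of the allowlisted names
    }
}

// Constructed dataset values and formulas, including two malformed ones.
$vars = ['a' => 3, 'b' => 4];
foreach (['sqrt(pow({a}, 2) + pow({b}, 2))', '-{a} * (2 + {b})', 'system({a})', '{a} + ', 'round({a} / 0)'] as $f) {
    try { $result = 'value ' . SafeFormula::evaluate($f, $vars); }
    catch (Throwable $e) { $result = 'rejected: ' . $e->getMessage(); }
    printf("%-34s pattern check: %-32s parser: %s\n", $f, pattern_validate($f) ?? 'ok', $result);
}
```

Two of the constructed inputs make the point. Both checks reject `system({a})`, but only the parser rejects `{a} + `: after wildcards become `1.0` the regex check sees nothing but digits and operators and reports it as fine, even though it is not a valid expression. A check that does not parse the formula cannot tell a syntactically broken formula from a valid one, and whatever PHP then does with the broken text is outside the validator's control. The parser also treats wildcard values purely as data, so no choice of variable value can change which function is called, and it turns a division by zero into a handled error rather than an uncaught runtime exception.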

[Screenshot: notifications about the selected course being deleted]

The vulnerability allows attackers to execute arbitrary PHP functions by manipulating the answer formula in calculated questions.

When the formula contains a function name followed by a variable, Moodle substitutes the variable with its value before evaluation, so the named function ends up being called with that value as its argument.

While this method is limited to functions that take a single numerical parameter, it can still be abused to delete courses or to reveal sensitive information through functions such as `phpinfo()`. To delete a course, for example, an attacker defines a calculated question with a variable whose value matches the target course ID and then modifies the answer formula to include the desired function name and that variable.

Saving a question whose formula names `system()` returns the error "Exception – system(): Argument #1 ($command) cannot be empty", which confirms that the function is actually reached, but with an empty argument rather than an attacker-controlled command.

The Red Team then turned this into full remote code execution. By exploiting how the PHP interpreter handles a particular syntax error, and by using curly braces, which PHP also accepts for accessing object properties, they were able to execute arbitrary functions with a single numeric parameter.

By further manipulating the answer formula so that variable substitution was prevented, they were able to execute arbitrary commands on the Moodle server. The issue was reported to the Moodle security team and has since been patched in newer versions.
