exploit the possibilities

Moodle File Disclosure

Moodle File Disclosure
Posted Mar 27, 2009
Authored by Christian J. Eibl

Moodle versions below 1.6.9, 1.7.7, 1.8.9, and 1.9.5 suffer from a file disclosure vulnerability.

tags | exploit, info disclosure
MD5 | 520c89bf934549d60ae6faf1d0175f33

Moodle File Disclosure

Change Mirror Download
Moodle File Disclosure Vulnerability

Systems Affected Moodle series <1.6.9+, <1.7.7+, <1.8.9, <1.9.5
Severity Critical
Probability of being vulnerable Rather Low
Vendor http://moodle.org/
Filed Bug #MDL-18552
Author Christian J. Eibl
Date 20090327

I. BACKGROUND

Moodle is an open source (webbased) learning management system with
users all over the world in educational institutes, schools, or
companies. See vendor homepage for details.

II. DESCRIPTION

An input filter for TeX formulas can be exploited to disclose files
readable by the web server. This includes the moodle configuration
file with all authentication data and server locations for directly
connecting to backend database.
TeX filter by default is off and in case of being activated mostly no
complete LaTeX environment on a server system will be available.

III. DETECTION OF VULNERABILITY

Since Moodle 1.6 a complete LaTeX environment is preferred over the
shipped mimetex program for rendering TeX formulas to images that can
be included in HTML pages.

In any text input area, e.g., forum, type something like "$$ \jobname
$$" (without quotes). If the result looks like
- "$$ \jobname $$": TeX filter not activated
- "[jobname ?]": TeX filter activated, but mimetex used
- "a91dbb..." (hash): TeX filter active and LaTeX used (vuln.)

Since LaTeX per se is very powerful for file inclusion and even
writes, the vulnerability depends on LaTeX environment and its
configuration.

IV. EXPLOIT PoC

If LaTeX is not configured to restrict file inclusion (default!), then
absolute paths and relative ones can be used. As proof of concept
enter:
"$$ \input{/etc/passwd} $$"

In case the system is vulnerable, this will read the /etc/passwd file
and will render the contents to an image included in the text. Hence,
content is disclosed.

Rendering takes place in temporary folder by default which should not
be in the scope of the web server. Otherwise even arbitrary code could
be injected to compromise the whole web environment.
By using relative paths with background knowledge of Moodle's path
organization, it is easy to disclose the configuration file with
sensitive data.

V. WORKAROUND

Several alternatives:
1) deactivate TeX filter, if not needed
2) use more restrictive mimetex program for rendering
3) change LaTeX configuration (set "openin_any=p" for paranoid!)

... or upgrade to latest development version where patch should be
applied by now.

VI. TIMELINE

20090312 Bug discovered
20090313 Vendor contact / Bug filed (MDL-18552)
20090314 Response and confirmation by vendor
20090315 First patch proposed
20090327 Bug marked resolved and patch in tree


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close