This Metasploit module will generate a plugin which can receive a malicious payload request and upload it to a server running Moodle provided valid admin credentials are used. Then the payload is sent for execution, and the plugin uninstalled. You must have an admin account to exploit this vulnerability. Successfully tested against versions 3.6.3, 3.8.0, 3.9.0, 3.10.0, and 3.11.2.
8e027d34ac307719476edac910f52b3c1a60df2f19ea4139da74bef6fe99f771Moodle allows an authenticated administrator to define spellcheck settings via the web interface. An administrator can update the aspell path to include a command injection. This is extremely similar to CVE-2013-3630, just using a different variable. This Metasploit module was tested against Moodle versions 3.11.2, 3.10.0, and 3.8.0.
33c8bb6a0f9058457ef9ea11c88cb44a8e6a479225f59eb841f22283ace6b68dMoodle versions 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12, and earlier unsupported versions allow for a teacher to exploit chain to remote code execution. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and thus look to add someone with manager privileges on the system (not just the class). After adding a system manager, a loginas feature is used to access their account. Next the system is reconfigured to allow for all users to install an addon/plugin. Then a malicious theme is uploaded and creates an RCE. If all of that is a success, we revert permissions for managers to system default and remove our malicious theme. Manual cleanup to remove students from the class is required. This Metasploit module was tested against Moodle version 3.9.
205b825b62b384a2d5ae9bd69ed58048fe2f9c7d0177ca1d41a5a492899940b2Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests. This Metasploit module also allows an attacker to leverage another privilege escalation vuln. Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey and use this to escalate privileges to that of an admin, allowing the module to pop a shell as a previously unprivileged authenticated user. This module was tested against Moodle version 2.5.2 and 2.2.3.
ac6f5ab057f512464caba3ae5c9eb29729a37923234846241c7451944f72ebf8Red Hat Security Advisory 2021-3812-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include bypass and out of bounds write vulnerabilities.
d2eac6f1add09be972a2780c9efa45b78b7848496f88beb863ed2785ea677c2bRed Hat Security Advisory 2021-3814-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include bypass and out of bounds write vulnerabilities.
3b1a2d1cc68dcb5014deed6689fcfa5c1174b58abbd6f4aaeb3a5cb1167ea7ddRed Hat Security Advisory 2021-3791-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.2.0 ESR. Issues addressed include double free and use-after-free vulnerabilities.
0fe8deab866877fe2b931bc6a8a24826328b78f70cf86ce99c46c72739e06c06Red Hat Security Advisory 2021-3811-01 - MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs. Issues addressed include a denial of service vulnerability.
bb6d650d64262a2e309c98d9646d6d2649b8e74ecd3bcb3db0b0112bfdfabfa4Red Hat Security Advisory 2021-3771-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Issues addressed include a bypass vulnerability.
40b2c1d43338d8f5402aab9d3170850fcf87cf04b8643d51b7a97858a50e8231Red Hat Security Advisory 2021-3770-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Issues addressed include a bypass vulnerability.
85148de13ec9a22e2ac3d2a41d27e94c1cd454b560e705a92e902077afc03c2fRed Hat Security Advisory 2021-3769-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Issues addressed include a bypass vulnerability.
e9ac82897e77bf5ce3c32c94cc17c381ae2487cea44b74d0e7ecaa7971d536c9Red Hat Security Advisory 2021-3768-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a bypass vulnerability.
408e82b35f69cdab725a569554c6e9fe4c67388615c9ecea449d9e529d4e5aa8Red Hat Security Advisory 2021-3767-02 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a bypass vulnerability.
39ad8c0e4cee4588c9eb7b845059e4ae01204b26fa6ba2d6593a7f87ce11af92Red Hat Security Advisory 2021-3766-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a bypass vulnerability.
ed3ba4657067e5599b1221d740c6c04e6b0c9debfd381a997642e8c8399c58f5Whitepaper that discusses the functionality of EDR (Endpoing Protection and Response), how it compares to antivirus, and how it can be manipulated.
ece8d73b3f5b494064886d578b32c0f9fcd8723057d66ff7d4e4b551ab1d242d
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed