MDL-17207

Remote Code Execution vulnerability in texed.php

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.9, 1.9.1, 1.9.2, 1.9.3
    • Fix Version/s: 1.9.4
    • Component/s: Filters
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE
    • Rank:
      30265

      Description

      copy-pasting email here:

      Hi,

      We have recently discovered a Remote Code Execution vulnerability
      in Moodle 1.9.3.

      We follow a responsible disclosure policy that consists in notifying the
      vendor (you), waiting an appropriate amount of time for an official
      fix and publishing the advisory. If the waiting exceeds acceptable time
      bounds or the vendor is unresponsive the advisory will be immediately
      published.

      Basically we try to protect customers by helping the vendor secure the
      hole and if this doesn't work releasing the advisory to make everybody
      aware of the risk and take the proper actions on their side.

      In case you have a doubt we charge no money : )

      So please take care of this message, if needed you can forward it to the
      proper internal contacts (developers, security experts, etc).

      If you feel uncertain in fixing don't hesitate contacting us, probably
      we can arrange together a pretty solution.

      Make us aware when the fix is ready and tested!

      We try to synchronize the disclosure time with the vendor; if the
      details of the vulnerability become public we will immediately disclose
      the advisory.

      Detailed information follows (advisory draft, do not publish).

      Regards,
      Antonio 's4tan' Parata
      http://www.ush.it

      Note: This is a standard initial vendor contact template. Reply the
      message to reach meatware (humans).

      Moodle 1.9.3 Remote Code Execution

      Name: Remote Code Execution in Moodle
      Systems Affected: Moodle 1.9.3 and possibly earlier versions
      Severity: High
      Impact (CVSSv2): High 7.3/10, vector: (AV:N/AC:L/Au:M/C/I/A:C)
      Vendor: http://moodle.org/
      Advisory: http://www.ush.it/team/ush/hack-moodle193/moodle193.txt
      Authors: Antonio "s4tan" Parata (s4tan AT ush DOT it)
               Francesco "ascii" Ongaro (ascii AT ush DOT it)
               Giovanni "evilaliv3" Pellerano (evilaliv3 AT digitalbullets DOT org)
      Date: YYYYMMDD

      I. BACKGROUND

      From the Moodle web site: "Moodle is a course management system (CMS) -
      a free, Open Source software package designed using sound pedagogical
      principles, to help educators create effective online learning
      communities".

      II. DESCRIPTION

      A Remote Code Execution vulnerability exists in Moodle 1.9.3.

      III. ANALYSIS

      • Remote Code Execution (RCE) in texed.php (pathname parameter)

      A Remote Code Execution (RCE) vulnerability has been found in
      filter/tex/texed.php. In order to exploit this vulnerability
      register_globals must be enabled, as must the "TeX Notation" filter.

      All these conditions reduce the impact of the vulnerability; to mark
      this fact we have set the "multiple authentication" flag in the CVSSv2 score.

      In texed.php we find the following instructions:

      -8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<-

      $cmd = tex_filter_get_cmd($pathname, $texexp);
      system($cmd, $status);

      -8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<-

      Where the function "tex_filter_get_cmd", defined in lib.php, is the
      following:

      -8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<-

      function tex_filter_get_cmd($pathname, $texexp) {
          $texexp = escapeshellarg($texexp);
          $executable = tex_filter_get_executable(false);

          if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS == "Windows")) {
              $executable = str_replace(' ', '^ ', $executable);
              return "$executable ++ -e \"$pathname\" -- $texexp";
          } else {
              return "\"$executable\" -e \"$pathname\" -- $texexp";
          }
      }

      -8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<8<-

      As we can see, no check is performed on the "$pathname" parameter, neither
      in "texed.php" nor in the "tex_filter_get_cmd" function declared in
      "lib.php".

      Given this, it is possible to exploit this vulnerability to execute
      arbitrary commands on the target server. The following URLs are proof
      of concept for Linux and Windows:

      On Linux:
      http://127.0.0.1/moodle/filter/tex/texed.php?formdata=foo&pathname=foo";ls+-l;echo+"

      On Windows:
      http://www.example.com/moodle/filter/tex/texed.php?formdata=foo&pathname=foo"||+dir||echo

      This RCE is "blind". You will never see the directory listing of the example
      because the output of the system command is not printed.

      IV. DETECTION

      Moodle 1.9.3 and possibly earlier versions are vulnerable.

      V. WORKAROUND

      Proper input validation will fix the vulnerability.

      Upgrade to latest development version.

      VI. VENDOR RESPONSE

      VII. CVE INFORMATION

      No CVE at this time.

      VIII. DISCLOSURE TIMELINE

      20080121 Bug discovered

      IX. CREDIT

      Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni
      "evilaliv3" Pellerano are credited with the discovery of this
      vulnerability.

      Antonio "s4tan" Parata
      web site: http://www.ictsc.it/
      mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it

      Francesco "ascii" Ongaro
      web site: http://www.ush.it/
      mail: ascii AT ush DOT it

      Giovanni "evilaliv3" Pellerano
      mail: evilaliv3 AT digitalbullets DOT it

      X. LEGAL NOTICES

      Copyright (c) 2008 Francesco "ascii" Ongaro

      Permission is granted for the redistribution of this alert
      electronically. It may not be edited in any way without my express
      written consent. If you wish to reprint the whole or any
      part of this alert in any medium other than electronically,
      please email me for permission.

      Disclaimer: The information in the advisory is believed to be accurate
      at the time of publishing based on currently available information. Use
      of the information constitutes acceptance for use in an AS IS condition.
      There are no warranties with regard to this information. Neither the
      author nor the publisher accepts any liability for any direct, indirect,
      or consequential loss or damage arising from use of, or reliance on,
      this information.
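
      The command builder from the advisory beside a hardened version, as an added example (not the advisory's code and not Moodle's actual fix for this issue): the hardened builder confines the output file to a server-side directory, accepts only a plain image filename, and passes every argument through escapeshellarg(), so it does not depend on register_globals or magic_quotes_gpc settings. The function names, the mimetex path, the output directory and the filename pattern are assumptions.

```php
<?php
// Added example, not Moodle's own code. Contrasts the unescaped $pathname
// interpolation described in the advisory with a hardened builder.

// Same construction as the advisory's Linux branch: $pathname is placed
// inside double quotes but never escaped, so a quote in the value ends the
// argument and the remainder is parsed by the shell.
function build_cmd_vulnerable(string $executable, string $pathname, string $texexp): string {
    $texexp = escapeshellarg($texexp);
    return "\"$executable\" -e \"$pathname\" -- $texexp";
}

// Hardened builder (assumed design, not Moodle's fix):
//  1. only the basename of the client-supplied value is considered;
//  2. it must match a strict image-filename pattern (assumed pattern);
//  3. the real path is rebuilt from a server-side directory;
//  4. every argument becomes a single shell word via escapeshellarg().
function build_cmd_hardened(string $executable, string $pathname, string $texexp, string $outdir): ?string {
    $name = basename($pathname);
    if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+\.(gif|png)$/', $name)) {
        return null; // reject anything that is not a simple image filename
    }
    $full = rtrim($outdir, '/') . '/' . $name;
    return escapeshellarg($executable) . ' -e ' . escapeshellarg($full)
         . ' -- ' . escapeshellarg($texexp);
}

// Demonstration only: the strings are printed, nothing is passed to system().
$exe    = '/usr/bin/mimetex';                 // assumed executable path
$outdir = '/var/moodledata/filter/tex';       // assumed output directory
$poc    = 'foo";ls -l;echo "';                // the advisory's Linux pathname value, URL-decoded

echo "vulnerable: ", build_cmd_vulnerable($exe, $poc, 'x^2'), "\n";
// The quote in $poc closes the -e argument, so the shell would treat the
// rest as further commands.

$hardened = build_cmd_hardened($exe, $poc, 'x^2', $outdir);
echo "hardened (PoC value): ", var_export($hardened, true), "\n";
// The metacharacters fail the filename check, so nothing reaches the shell.

echo "hardened (valid name): ", build_cmd_hardened($exe, 'abc123.gif', 'x^2', $outdir), "\n";
// A legitimate filename is accepted and every argument is single-quoted.
```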

        Activity

        Penny Leach added a comment -

        Fixed in 1.9 and HEAD. The vulnerability wasn't in 1.8 and previous.

        Note that this is only reproducible with:

        • register_globals ON
        • magic_quotes_gpc OFF

        which is pretty unsupported

        Petr Škoda added a comment -

        resolving, thanks

        Petr Škoda added a comment -

        tested, closing

