An Especially Spooky Season for Moodle
This release has not one, two, or three, but FOUR authenticated Moodle exploit modules, or should I say moodules? H00die comes through again with not just modules, but also an artisanal, bespoke library to support further work. Two target the spell check functions in Moodle, one is a shell upload using administrative credentials, and one allows teachers to get ahead by declaring themselves administrators!
More Information on Forwarded Sessions and Jobs
To get through networks, sometimes red teamers need to connect sessions and forward traffic through a “red network” of hosts to gain access to a target of interest on an interior network. Smashery has added features to the sessions and jobs information reporting that reflect the status of a forwarded connection and which sessions it is using for its connection. This helps users keep track of an already tricky [or treaty] situation juggling sessions and forwarded connections.
New module content (4)
- Moodle Admin Shell Upload by AkkuS and h00die, which exploits CVE-2019-11631 - Allows an attacker to generate a plugin which can receive a malicious payload request and upload it to a server running Moodle, provided valid admin credentials are used.
- Moodle Authenticated Spelling Binary RCE by Brandon Perry, which exploits CVE-2013-4341 - This exploit takes advantage of the fact that Moodle allows an authenticated administrator to define spell check settings via the web interface, allowing an administrator to update the aspell path to include a command injection.
- Moodle SpellChecker Path Authenticated Remote Command Execution by Adam Reiser and h00die, which exploits CVE-2021-21809 - Similar to the previous module, this module attacks the spell checker from a different avenue, allowing a user to
- Moodle Teacher Enrollment Privilege Escalation to RCE by HoangKien1020, h00die, and lanz, which exploits CVE-2020-14321 - A bug in the privileges system allows a teacher to add themselves as a manager to their own class, and then add any other users, including someone with manager privileges on the system (not just the class).
Enhancements and features
- #15706 from smashery - The reverse shell handlers in Metasploit have been updated. When catching a shell via a route that goes through another existing session, Metasploit will now note which session the new session originated from. This helps users determine how shells were obtained when they use an existing session to acquire another session within a target's network. Job information now also carries this additional detail, giving users more clarity when looking at jobs.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
[Modified] Image credit https://commons.wikimedia.org/wiki/File:Halloween_Jack-o'-lantern.jpg