module
Moodle Teacher Enrollment Privilege Escalation to RCE
| Disclosed |
|---|
| Jul 20, 2020 |
Disclosed
Jul 20, 2020
Description
Moodle version 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions
allow for a teacher to exploit chain to RCE. A bug in the privileges system allows a teacher
to add themselves as a manager to their own class. They can then add any other users, and thus
look to add someone with manager privileges on the system (not just the class). After
adding a system manager, a 'loginas' feature is used to access their account. Next the system
is reconfigured to allow for all users to install an addon/plugin. Then a malicious theme
is uploaded and creates an RCE.
If all of that is a success, we revert permissions for managers to system default and
remove our malicoius theme. Manual cleanup to remove students from the class is required.
This module was tested against Moodle version 3.9
allow for a teacher to exploit chain to RCE. A bug in the privileges system allows a teacher
to add themselves as a manager to their own class. They can then add any other users, and thus
look to add someone with manager privileges on the system (not just the class). After
adding a system manager, a 'loginas' feature is used to access their account. Next the system
is reconfigured to allow for all users to install an addon/plugin. Then a malicious theme
is uploaded and creates an RCE.
If all of that is a success, we revert permissions for managers to system default and
remove our malicoius theme. Manual cleanup to remove students from the class is required.
This module was tested against Moodle version 3.9
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.