[BreachExchange] Finders, cheaters: RCE bug in Moodle e-learning platform could be abused to steal data, manipulate results

[Sophia Kingsbury]

https://portswigger.net/daily-swig/finders-cheaters-rce-bug-in-moodle-e-learning-platform-could-be-abused-to-steal-data-manipulate-results

A critical security vulnerability in a popular e-learning platform could be
abused to allow access to students’ data and test papers – and possibly
even manipulate exam results.

Moodle is an open source application that’s said to be used by 190,000
organizations in 246 countries worldwide. Many of these are educational
institutions such as universities or colleges.

The bug, a PHP object injection vulnerability in Moodle’s Shibboleth
authentication module, could allow unauthenticated attackers to achieve
remote code execution (RCE), resulting in a complete compromise of the
server.

In turn, this could allow them complete access to anything on the target
server, including personally identifiable information such as password
hashes, exam grades, and messages.

Pre-auth RCE

The flaw was discovered by Robin Peraglie and Johannes Moritz, penetration
testers by trade, who chose to hunt for bugs in Moodle due to previously
having found two other RCE vulnerabilities in the software.

Moritz told The Daily Swig that the vulnerability is only present in Moodle
LMS server which has Shibboleth single sign-on authentication enabled. The
module is disabled by default, offering some respite to the universities
and institutions that make use of the platform.

If enabled, however, an unauthenticated attacker can execute arbitrary
system commands, the researcher explained.

“This would result in a complete compromise of the server including a
leakage of user data. Malicious students could also abuse it to get
read/write access to exams before they have started,” said Moritz.

The researcher described the vulnerability as “actually pretty easy” to
exploit, since a list of websites with Shibboleth activated are available
publicly online.

The team published a blog post containing further technical details on how
they found and exploited the bug.

Closed book

After reporting the issue to Bugcrowd and, following a lengthy disclosure
process, the flaw has now been patched.

It took four months for the vulnerability to be triaged, revealed Moritz,
who said he had the impression it was not treated as a priority.

When asked why they didn’t report it directly to Moodle, which has its own
vulnerability disclosure program, the researcher said they are “quite
inflexible with providing patches because of their two-month release cycle”.

Moritz did, however, reveal that the team also found a second critical
Moodle pre-authentication bug – details of which will be released following
a separate, ongoing coordinated disclosure process.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210729/ff3e1630/attachment.html>