Scans for Moodle Learning Platform Following Recent Update (Wed, Sep 4th)

SANS Internet Storm Center, InfoCON: green 2024-09-04

On August 10th, the popular learning platform "Moodle" released an update fixing CVE-2024-43425. RedTeam Pentesting found the vulnerability and published a detailed blog post late last week. The blog post demonstrates in detail how a user with the "trainer" role could execute arbitrary code on the server. A trainer would have to publish a "calculated question". These questions are generated dynamically by evaluating a formula. Sadly, the formula was evaluated using PHP's "eval" command. As pointed out by RedTeam Pentesting, "eval" is a very dangerous command to use and should be avoided if at all possible. This applies not only to PHP but to most languages (also see my video about command injection vulnerabilities). As I usually say: "eval is only one letter away from evil".
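To make the "eval is one letter away from evil" point concrete, here is an added example (written for this diary, not Moodle's code or RedTeam Pentesting's material) in Python, since the same pattern exists in most languages. It puts the dangerous shape of the code, a user-supplied formula handed straight to eval(), next to a small whitelist evaluator that parses the formula into a syntax tree and only accepts numbers, variables, a handful of arithmetic operators and a few named functions. The function names, the variable dictionary and the exponent bound are assumptions made for the example.

```python
import ast
import operator

# Added example, not Moodle's code. It contrasts the dangerous pattern the
# diary describes (passing a user-supplied formula to eval) with a small
# whitelist evaluator that only understands arithmetic. Function names,
# the variable dictionary and the exponent bound are hypothetical.

_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_FUNCS = {"abs": abs, "round": round, "min": min, "max": max}
_MAX_EXPONENT = 64  # assumption: bound on '**' so a formula cannot burn CPU or memory


class FormulaError(ValueError):
    """Raised for any formula that is not plain arithmetic."""


def evaluate_formula_unsafe(formula, variables):
    # The pattern to avoid: eval() runs whatever code the formula string
    # contains, so whoever can publish a formula can run code on the server.
    return eval(formula, {}, dict(variables))


def evaluate_formula_safe(formula, variables):
    """Evaluate an arithmetic formula over the given variables, refusing
    anything except numeric literals, the listed operators and functions."""
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise FormulaError(f"invalid formula: {exc.msg}") from None
    return _eval_node(tree.body, variables)


def _eval_node(node, variables):
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise FormulaError("only numeric literals are allowed")
    if isinstance(node, ast.Name):
        if node.id in variables:
            return variables[node.id]
        raise FormulaError(f"unknown variable {node.id!r}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_eval_node(node.operand, variables))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left = _eval_node(node.left, variables)
        right = _eval_node(node.right, variables)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
            raise FormulaError("exponent too large")
        return _BINOPS[type(node.op)](left, right)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS):
        if node.keywords:
            raise FormulaError("keyword arguments are not allowed")
        return _FUNCS[node.func.id](*[_eval_node(a, variables) for a in node.args])
    # Attribute access, subscripts, lambdas, calls to anything else: refused.
    raise FormulaError(f"disallowed syntax: {type(node).__name__}")


def formula_accepted(formula, variables):
    """True if the safe evaluator accepts the formula, False if it rejects it."""
    try:
        evaluate_formula_safe(formula, variables)
        return True
    except FormulaError:
        return False


if __name__ == "__main__":
    params = {"a": 3, "b": 4}
    print(evaluate_formula_safe("a * b + 1", params))   # 13
    print(formula_accepted("open(a)", params))          # False
    print(formula_accepted("a.real", params))           # False
```

The safe version is a whitelist, not a blacklist: anything the tree walker does not recognise is refused, which is the property a formula evaluator in a teaching platform needs. The exponent bound is there because a pure-arithmetic evaluator can still be abused for denial of service, so "no code execution" is not the only thing to check.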

The exploit does require the attacker to be able to publish questions. However, Moodle is used by larger organizations like universities, and an attacker may be able to obtain credentials for a "trainer" account via brute forcing or credential stuffing.

I got pointed to "Moodle" after seeing this URL in our "First Seen" list of newly accessed URLs:

/lib/ajax/service.php?info=tool_mobile_get_public_config&lang=en

This "public config" may return additional details in some cases, but from my tests with a demo instance of Moodle, it only returns:

 {"error":"Coding error detected, it must be fixed by a programmer: Invalid json in request: Syntax error","errorcode":"codingerror","stacktrace":null,"debuginfo":null,"reproductionlink":null}

At least this URL could be used to find Moodle instances and probe them later with more specific exploits. I will have to add this case to our honeypot responses to get more details. These scans are not new, but we had only seen individual scans (one or two per day), so they never crossed our threshold for "significant". Only yesterday did they cross that line.
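If you run Moodle and want to know whether this fingerprinting is hitting your own servers, the request is easy to pick out of ordinary web-server logs. The following is an added example (not ISC's honeypot code): it parses access-log lines in the common "combined" format, matches the public-config request from the diary, counts hits per source address and applies a simple "how many hits before it matters" threshold like the one described above. The sample log lines are constructed for the example (documentation-range addresses, invented timestamps), and the function names are assumptions.

```python
import re
from collections import Counter

# Added example, not ISC's honeypot code. Scans combined-format access logs for
# the Moodle fingerprint URL the diary mentions and reports the sources that
# requested it. Function names and the sample data are hypothetical.

# Fingerprint from the diary: the public-config endpoint of Moodle's mobile API.
FINGERPRINT_PATH = "/lib/ajax/service.php"
FINGERPRINT_QUERY = "info=tool_mobile_get_public_config"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses, invented
# timestamps), not real honeypot data. One line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Sep/2024:10:14:22 +0000] "GET /lib/ajax/service.php?info=tool_mobile_get_public_config&lang=en HTTP/1.1" 200 189 "-" "python-requests/2.31.0"
198.51.100.7 - - [03/Sep/2024:10:15:01 +0000] "GET /login/index.php HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Sep/2024:11:02:45 +0000] "GET /lib/ajax/service.php?info=tool_mobile_get_public_config&lang=en HTTP/1.1" 200 189 "-" "python-requests/2.31.0"
this line is not in combined log format
203.0.113.55 - - [03/Sep/2024:12:30:09 +0000] "POST /lib/ajax/service.php?info=tool_mobile_get_public_config HTTP/1.1" 200 189 "-" "curl/8.4.0"
198.51.100.7 - - [03/Sep/2024:12:31:00 +0000] "GET /lib/ajax/service.php?sesskey=abc&info=core_course_get_contents HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_fingerprint_request(target):
    """True if the request target is the Moodle public-config probe.
    endswith() allows Moodle installed under a sub-path such as /moodle/."""
    path, _, query = target.partition("?")
    return path.endswith(FINGERPRINT_PATH) and FINGERPRINT_QUERY in query.split("&")


def scan_sources(lines):
    """Count fingerprint requests per source address; unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_fingerprint_request(rec["target"]):
            hits[rec["ip"]] += 1
    return hits


def significant_sources(hits, threshold):
    """Sources whose hit count reaches the threshold, most active first."""
    return [ip for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = scan_sources(SAMPLE_LOG.splitlines())
    print(dict(hits))                     # {'203.0.113.10': 2, '203.0.113.55': 1}
    print(significant_sources(hits, 2))   # ['203.0.113.10']
```

The query string is split on "&" and compared parameter by parameter rather than substring-matched, so a legitimate Moodle mobile-app call with a different "info" value is not counted. A single hit from one address is exactly the "one or two per day" background noise the diary describes; the threshold is what turns that into something worth looking at.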

But in the meantime:

  1. Keep Moodle up to date (they do have a decent chart outlining support timeframes for different versions)
  2. Audit the "trainer" accounts, not just because of this vulnerability: in general, such accounts can cause damage to the system.
  3. Let me know if you have additional insight into Moodle. Is there something else that this URL could trigger?

--- Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.