A critical vulnerability in Moodle, an open source PHP-based learning management system deployed across scores of schools and universities, could expose the server it's running on to compromise.
Tens of thousands of universities worldwide, including the California State University system, the University of Oxford, and Stanford University, use the service to provide students with course outlines, grades, and other personal data.
The issue, at its root a SQL injection vulnerability, could be used by an attacker to execute PHP code on a university's server, according to Netanel Rubin, the researcher who found the bug.
Moodle also published details of the bug, including its CVE identifier (CVE-2017-2641), on Monday, warning that an ordinary registered user could exploit the vulnerability via the web interface.
“Similar scenarios could be used in previous versions of Moodle but only by managers/admins and only via web services,” the advisory reads.
School IT administrators are being encouraged to apply a patch that maintainers of the system pushed 10 days ago. An update from early last week, 3.3.2, also includes the fix.
Until patched, the vulnerability will continue to affect "almost all Moodle versions," Rubin warns, including 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.
According to Rubin, the vulnerability stems from a chain of small logic flaws rather than a single bug.
Moodle is a project with a lot of code: two million lines, according to Rubin. Because of that, and the fact that many developers oversee it, the system was designed with the assumption that one feature, user preferences, could not be abused.
Rubin discovered, however, that he could exploit the feature: leaving a preference in a block mechanism empty led to a call to unserialize on data he controlled, which opened the door to an object injection attack.
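The object injection pattern the article describes, as an added illustration that is not Moodle's code: a stored preference value is handed to PHP's unserialize, so whoever controls that value can instantiate any loadable class and trigger its magic methods. The class, function and preference names below are hypothetical, and the hostile input is constructed for the demonstration.

```php
<?php
// Added illustration (not Moodle's code): how a user-controlled "preference"
// reaching unserialize() becomes object injection, and the hardened form.
// CacheEntry, loadPreference* and the sample values are hypothetical.

declare(strict_types=1);

// A hypothetical application class with a magic method. Any class like this
// that is loadable when unserialize() runs becomes a "gadget": its hooks
// execute automatically when an attacker-supplied string names the class.
final class CacheEntry
{
    public string $path = '';

    public function __wakeup(): void
    {
        // Side effect fired by deserialization itself, not by application logic.
        error_log("CacheEntry::__wakeup ran for path={$this->path}");
    }
}

// VULNERABLE pattern: the stored value is trusted and passed straight to
// unserialize(), so a serialized object in the preference store is revived,
// complete with its __wakeup()/__destruct() behaviour.
function loadPreferenceVulnerable(string $storedValue): mixed
{
    return unserialize($storedValue);
}

// HARDENED pattern: preferences are plain data, so refuse objects entirely.
// allowed_classes => false makes unserialize() yield __PHP_Incomplete_Class
// instead of the real class, so no application magic methods run; the
// explicit is_object() check then rejects the value outright.
function loadPreferenceHardened(string $storedValue): mixed
{
    $value = unserialize($storedValue, ['allowed_classes' => false]);
    if ($value === false && $storedValue !== serialize(false)) {
        throw new InvalidArgumentException('Malformed preference value');
    }
    if (is_object($value)) {
        throw new InvalidArgumentException('Objects are not valid preference values');
    }
    return $value;
}

// Input-validation / log-review helper: serialized PHP objects begin with
// "O:" (or "C:" for custom serialization) followed by the class-name length.
function looksLikeSerializedObject(string $s): bool
{
    return (bool) preg_match('/^[OC]:\d+:"/', $s);
}

// Constructed sample inputs.
$benign  = serialize(['theme' => 'dark']);
$hostile = serialize(new CacheEntry()); // what an attacker-controlled store could hold

// Benign data round-trips through both loaders.
var_dump(loadPreferenceVulnerable($benign) === ['theme' => 'dark']);
var_dump(loadPreferenceHardened($benign) === ['theme' => 'dark']);

// The vulnerable loader revives CacheEntry and runs __wakeup(); the hardened
// loader rejects the value before any application class is touched.
var_dump(loadPreferenceVulnerable($hostile) instanceof CacheEntry);
try {
    loadPreferenceHardened($hostile);
} catch (InvalidArgumentException $e) {
    var_dump($e->getMessage());
}

// Both strings are easy to tell apart at the boundary.
var_dump(looksLikeSerializedObject($benign), looksLikeSerializedObject($hostile));
```

The more durable fix is to stop using PHP serialization for user-supplied preferences at all and store them as JSON, which has no way to encode an object; the allowed_classes guard is the defence to apply where legacy serialized data must still be read.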
While the attack had its limitations, Rubin found a way to pivot from it to a series of method calls. From there, he was able to use the system's "update" method to update any row in an affected database. This gave him the ability to tweak administrator accounts, passwords and the site configuration, "basically whatever we want," he wrote.
Rubin completed the exploit chain with a double SQL injection, which gave him full administrator privileges on any server running Moodle.
“After gaining full administrator privileges executing code is as simple as uploading a new plugin or template to the server,” Rubin writes.