Identify and Mitigate Remote Code Execution Vulnerabilities on the Moodle Platform

The widely used learning platform Moodle was found to contain a critical vulnerability that allowed remote code execution. It was caused by inadequate sanitization of user input, which could be abused to inject attacker-controlled code into the system. Attackers were able to bypass the existing sanitization checks and execute arbitrary PHP code on the server.

Moodle released patches for the vulnerability in versions 4.4.2, 4.3.6, 4.2.9 and 4.1.12 on August 10, 2024. Moodle is a widely deployed learning management system built to support online teaching. One of its features is the calculated question type for quizzes, which uses variables (wildcards) enclosed in curly braces, for example `{a}`, to generate many numerical variants of a single question.

The penetration test revealed a security vulnerability in this component that allowed attackers to use calculated questions to run malicious code. Moodle lets teachers define formulas that are used to check the answers to calculated questions. Alarmingly, these formulas are evaluated with PHP's eval() function, which can be abused to execute arbitrary code.

There is some basic validation in place (probably added in response to past vulnerabilities), but once a formula passes it, the string is fed straight to eval(). The challenge for an attacker is therefore to craft a formula that passes validation yet still smuggles in code that gets executed. The validation routine in `question/type/calculated/questiontype.php` checks the formula for PHP comments and restricts it to an allow-list of mathematical functions. It replaces every variable with 1.0 and converts the formula to lowercase before checking its structure with regular expressions.

The function checks for well-formed function calls and operators and returns an error message if it finds invalid syntax or an unsupported function. The final check verifies that only permitted operators and numbers remain in the formula. Note that the string being validated (every variable replaced by 1.0) is not the string that is later evaluated (every variable replaced by its actual value), so the two can diverge. While the function effectively blocks many kinds of malicious input, it remains exploitable through specific variable manipulations, particularly on older PHP versions.

The vulnerability allows attackers to call arbitrary PHP functions by abusing the answer formula of a calculated question. By crafting a formula that consists of a function name followed by a variable, and relying on the system to replace that variable with its value, the attacker effectively turns the formula into a call to the chosen function. Although this technique was found to work only with a single numeric argument, it can still be abused to delete courses or to disclose sensitive information via functions such as `phpinfo()`.

An attacker can achieve this by defining a calculated question with a variable whose value equals the ID of the target course, and then editing the answer formula to contain the desired function name followed by that variable. The red team that discovered this remote code execution vulnerability in Moodle exploited a syntax quirk in the PHP interpreter: curly braces can also be used to access object properties, which allowed them to call arbitrary functions with a single numeric argument.

By abusing the answer formula and preventing variable substitution, they were able to execute arbitrary commands on the Moodle server. The issue was reported to the Moodle security team and has since been patched in the versions listed above.
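What a fix has to look like in principle, shown here as an added example rather than Moodle's own code or the researchers' code: validate and evaluate the same structure. Instead of regex-checking a copy of the formula in which every wildcard has become 1.0 and then handing a differently substituted string to eval(), the formula is tokenised and parsed into a small syntax tree that admits only numbers, `{wildcard}` references, arithmetic operators and calls to an allow-listed set of functions, and that tree is then evaluated with the wildcard values bound from a dict. The allow-list, the `{a}`-style wildcard syntax and the sample formulas are constructed for this example, and Python is used for readability; the same structure ports directly to PHP.

```python
import math, operator, re

class FormulaError(Exception):
    """Raised for anything that is not a plain arithmetic formula over {wildcards}."""

# Constructed allow-list: the only identifiers a formula may call.
ALLOWED_FUNCTIONS = {"abs": abs, "sqrt": math.sqrt, "pow": math.pow, "min": min,
                     "max": max, "round": round, "pi": lambda: math.pi}
BINARY_OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul,
              "/": operator.truediv, "%": operator.mod, "^": math.pow}
PRECEDENCE = {"+": 1, "-": 1, "*": 2, "/": 2, "%": 2}  # ^ binds tighter and is handled in unary()
_TOKEN = re.compile(r"""\s*(?:(?P<number>(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?)
                          | \{(?P<wildcard>[A-Za-z][A-Za-z0-9_]*)\}
                          | (?P<name>[A-Za-z_][A-Za-z0-9_]*)
                          | (?P<op>[-+*/%^(),])
                          | (?P<junk>\S))""", re.VERBOSE)

def tokenize(formula):  # (kind, text) pairs; any character outside the grammar is an error
    tokens = []
    for m in _TOKEN.finditer(formula):
        if m.lastgroup == "junk":
            raise FormulaError(f"unexpected character {m.group('junk')!r} at offset {m.start('junk')}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens + [("end", "")]

class Parser:  # recursive descent building a tuple AST: num, var, neg, call, bin
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def take(self, kind, text=None):  # consume one token of the expected kind (and text)
        tok = self.tokens[self.i]
        if tok[0] != kind or (text is not None and tok[1] != text):
            raise FormulaError(f"unexpected {tok[1]!r}" if tok[1] else "unexpected end of formula")
        self.i += 1
        return tok[1]

    def expr(self, min_prec=1):  # precedence climbing over + - * / %, all left-associative
        node = self.unary()
        while self.tokens[self.i][0] == "op" and PRECEDENCE.get(self.tokens[self.i][1], 0) >= min_prec:
            op = self.take("op")
            node = ("bin", op, node, self.expr(PRECEDENCE[op] + 1))
        return node

    def unary(self):  # ('-'|'+') unary | primary ('^' unary)?  so -a^2 is -(a^2) and ^ is right-assoc
        if self.tokens[self.i] in (("op", "-"), ("op", "+")):
            return ("neg", self.unary()) if self.take("op") == "-" else self.unary()
        node = self.primary()
        if self.tokens[self.i] == ("op", "^"):
            node = ("bin", self.take("op"), node, self.unary())
        return node

    def primary(self):
        kind, text = self.tokens[self.i]
        if kind in ("number", "wildcard"):
            self.i += 1
            return ("num", float(text)) if kind == "number" else ("var", text)
        if kind == "name":  # a bare identifier is only ever an allow-listed function call
            if self.take(kind) not in ALLOWED_FUNCTIONS:
                raise FormulaError(f"unsupported function {text!r}")
            self.take("op", "(")
            args = [] if self.tokens[self.i] == ("op", ")") else [self.expr()]
            while self.tokens[self.i] == ("op", ","):
                self.take("op")
                args.append(self.expr())
            self.take("op", ")")
            return ("call", text, args)
        self.take("op", "(")  # otherwise a parenthesised sub-expression, or a syntax error
        node = self.expr()
        self.take("op", ")")
        return node

def evaluate(node, values):  # walk the AST; wildcards come from `values`, calls only from the allow-list
    try:
        if node[0] == "num":
            return node[1]
        if node[0] == "var":
            return float(values[node[1]])
        if node[0] == "neg":
            return -evaluate(node[1], values)
        if node[0] == "call":
            return float(ALLOWED_FUNCTIONS[node[1]](*[evaluate(a, values) for a in node[2]]))
        return BINARY_OPS[node[1]](evaluate(node[2], values), evaluate(node[3], values))
    except KeyError as exc:
        raise FormulaError(f"undefined wildcard {{{exc.args[0]}}}") from exc
    except (TypeError, ValueError, ZeroDivisionError, OverflowError) as exc:
        raise FormulaError(f"cannot evaluate {node[1]!r}: {exc}") from exc

def calculate_answer(formula, values):  # parse and evaluate ONE structure; the text never reaches eval()
    parser = Parser(tokenize(formula))
    node, _ = parser.expr(), parser.take("end")
    return evaluate(node, values)

def rejects(formula, values=None):  # True if the formula is refused; handy for auditing stored formulas
    try:
        calculate_answer(formula, values or {})
    except FormulaError:
        return True
    return False
```

`calculate_answer("{a}*2 + sqrt({b})", {"a": 3, "b": 16})` returns 10.0, while `rejects("phpinfo({a})", {"a": 1})` is True because a bare identifier can only ever be an allow-listed call, and a formula with two adjacent operands such as `{a}{b}` fails at the end-of-input check instead of being handed to an interpreter that might find a meaning for it. The property that matters is that there is no intermediate string between validation and execution, so an attacker has nothing to disagree with the validator about.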