lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 27 Mar 2009 15:30:20 +0100
From: Christian Eibl <chreibl@....de>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Moodle: Sensitive File Disclosure

Moodle File Disclosure Vulnerability

Systems Affected		Moodle series <1.6.9+, <1.7.7+, <1.8.9, <1.9.5
Severity				Critical
Probability of being vulnerable		Rather Low
Vendor				http://moodle.org/
Filed Bug			#MDL-18552
Author				Christian J. Eibl
Date				20090327

I. BACKGROUND

Moodle is an open source (webbased) learning management system with 
users all over the world in educational institutes, schools, or 
companies. See vendor homepage for details.

II. DESCRIPTION

An input filter for TeX formulas can be exploited to disclose files 
readable by the web server. This includes the moodle configuration 
file with all authentication data and server locations for directly 
connecting to backend database.
TeX filter by default is off and in case of being activated mostly no 
complete LaTeX environment on a server system will be available.

III. DETECTION OF VULNERABILITY

Since Moodle 1.6 a complete LaTeX environment is preferred over the 
shipped mimetex program for rendering TeX formulas to images that can 
be included in HTML pages.

In any text input area, e.g., forum, type something like "$$ \jobname 
$$" (without quotes). If the result looks like
- "$$ \jobname $$":		TeX filter not activated
- "[jobname ?]":			TeX filter activated, but mimetex used
- "a91dbb..." (hash):		TeX filter active and LaTeX used (vuln.)

Since LaTeX per se is very powerful for file inclusion and even 
writes, the vulnerability depends on LaTeX environment and its 
configuration. 

IV. EXPLOIT PoC

If LaTeX is not configured to restrict file inclusion (default!), then 
absolute paths and relative ones can be used. As proof of concept 
enter:
"$$ \input{/etc/passwd} $$"

In case the system is vulnerable, this will read the /etc/passwd file 
and will render the contents to an image included in the text. Hence, 
content is disclosed.

Rendering takes place in temporary folder by default which should not 
be in the scope of the web server. Otherwise even arbitrary code could 
be injected to compromise the whole web environment.
By using relative paths with background knowledge of Moodle's path 
organization, it is easy to disclose the configuration file with 
sensitive data.

V. WORKAROUND

Several alternatives:
1) deactivate TeX filter, if not needed
2) use more restrictive mimetex program for rendering
3) change LaTeX configuration (set "openin_any=p" for paranoid!)

... or upgrade to latest development version where patch should be 
applied by now.

VI. TIMELINE

20090312 Bug discovered
20090313 Vendor contact / Bug filed (MDL-18552)
20090314 Response and confirmation by vendor
20090315 First patch proposed
20090327 Bug marked resolved and patch in tree

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ