CVE-2024-43425: Moodle Remote Code Execution Vulnerability, PoC Published


A critical vulnerability (CVE-2024-43425) has been identified in Moodle, a widely used Learning Management System. The flaw could allow attackers to execute malicious code on affected servers, potentially exposing sensitive student data and disrupting educational institutions worldwide.

Moodle’s “calculated questions” feature lets educators create individualized numerical questions using wildcards, such as {x} or {y}, which are replaced with random values when a quiz is taken. These questions also let the author specify a formula that Moodle uses to compute the correct answer. Security researchers at RedTeam Pentesting uncovered a flaw in how Moodle sanitizes these formulas before passing them to the PHP eval() function, which evaluates them.

The problem lies in the incomplete sanitization. An attacker who can author a calculated question can craft a formula that passes the sanitization checks yet still reaches eval(), allowing arbitrary commands to run on the system hosting the Moodle instance. This opens a range of attack scenarios, from unauthorized data access to complete system compromise.
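The root cause described above is a sanitize-then-eval design: the formula string is filtered and then handed to an interpreter, so any gap in the filter becomes code execution. The safer pattern is to never hand the text to an interpreter at all: tokenize it against a fixed grammar, reject anything outside that grammar, and compute the result from the parse, with wildcards looked up as values rather than spliced into the string. The following is an added example of that pattern written for this article; it is not Moodle's code and not RedTeam Pentesting's PoC, and it is in Python rather than Moodle's PHP, though the structure carries over directly. The function allowlist, the token grammar and the sample formulas are assumptions chosen for illustration, not Moodle's actual calculated-question grammar.

```python
import math
import re

# Allowlist of callable names; a name that is not here is rejected at parse time.
FUNCTIONS = {"abs": abs, "sqrt": math.sqrt, "round": round, "min": min, "max": max, "pi": lambda: math.pi}
# Token classes: number, {wildcard}, bare name, operator/punctuation; any other non-space char is "bad".
TOKEN_RE = re.compile(r"\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<wild>\{[A-Za-z_]\w*\})"
                      r"|(?P<name>[A-Za-z_]\w*)|(?P<op>[-+*/^(),])|(?P<bad>\S))")


class FormulaError(ValueError):
    """The formula is not a well-formed member of the allowed grammar."""


def tokenize(formula):
    """Split into (kind, text) tokens; anything outside the grammar raises FormulaError."""
    tokens = []
    for m in TOKEN_RE.finditer(formula):
        if m.lastgroup == "bad":
            raise FormulaError(f"unexpected character {m.group('bad')!r} at offset {m.start('bad')}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


class Parser:
    """Recursive descent over the token list, computing the value as it parses."""
    def __init__(self, tokens, values):
        self.tokens, self.pos, self.values = tokens, 0, values
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)
    def take(self, expect=None):
        tok = self.peek()
        if tok[0] is None or (expect and tok != expect):
            raise FormulaError(f"unexpected token {tok[1]!r}")
        self.pos += 1
        return tok
    def expr(self):  # term (('+' | '-') term)*
        value = self.term()
        while self.peek() in (("op", "+"), ("op", "-")):
            op, rhs = self.take()[1], self.term()
            value = value + rhs if op == "+" else value - rhs
        return value
    def term(self):  # unary (('*' | '/') unary)*
        value = self.unary()
        while self.peek() in (("op", "*"), ("op", "/")):
            op, rhs = self.take()[1], self.unary()
            value = value * rhs if op == "*" else value / rhs
        return value
    def unary(self):  # '-' unary | primary ('^' unary)?   so -2^2 == -4 and 2^-1 == 0.5
        if self.peek() == ("op", "-"):
            self.take()
            return -self.unary()
        base = self.primary()
        if self.peek() == ("op", "^"):
            self.take()
            return base ** self.unary()
        return base
    def primary(self):  # number | {wildcard} | name '(' args ')' | '(' expr ')'
        kind, text = self.take()
        if kind == "num":
            return float(text)
        if kind == "wild":  # a wildcard is looked up as a value, never spliced in as text
            if text[1:-1] not in self.values:
                raise FormulaError(f"no value for wildcard {text}")
            return float(self.values[text[1:-1]])
        if kind == "name":  # only allowlisted functions may be called
            if text not in FUNCTIONS:
                raise FormulaError(f"function {text!r} is not allowed")
            self.take(("op", "("))
            args = []
            while self.peek() != ("op", ")"):
                if args:
                    self.take(("op", ","))
                args.append(self.expr())
            self.take(("op", ")"))
            return float(FUNCTIONS[text](*args))
        if (kind, text) == ("op", "("):
            value = self.expr()
            self.take(("op", ")"))
            return value
        raise FormulaError(f"unexpected token {text!r}")


def evaluate_formula(formula, values):
    """Evaluate one draw of the wildcards. The formula text never reaches eval()."""
    parser = Parser(tokenize(formula), values)
    value = parser.expr()
    if parser.peek()[0] is not None:
        raise FormulaError(f"trailing input {parser.peek()[1]!r}")
    return value


def formula_error(formula, values):
    """None if the formula is accepted, otherwise the reason it was rejected."""
    try:
        evaluate_formula(formula, values)
    except (ValueError, TypeError, ZeroDivisionError, OverflowError) as exc:
        return str(exc)
    return None
```

With this design there is no denylist to slip past: a formula such as `({a} + {b}) * 2 - sqrt(16)` evaluates to 12 for a = 3, b = 5, while `{a} + bar(2)` (unknown function), `{a}; 1` (character outside the grammar) or `{zz} + 1` (wildcard with no value) are rejected before any arithmetic happens. `formula_error` returns the rejection reason as a string, which is also a convenient way to audit an existing question bank for formulas that fall outside the grammar you intend to support.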

The researchers provided a proof-of-concept (PoC) exploit to demonstrate the severity of the CVE-2024-43425 vulnerability. By creating a calculated question with a carefully crafted formula, an attacker can execute commands on the Moodle server. For instance, a PoC showed how to use this flaw to delete a course, effectively demonstrating how easily an attacker could disrupt an entire learning environment.

All Moodle administrators are strongly advised to upgrade their installations to the latest patched versions (4.1.12, 4.2.9, 4.3.6, or 4.4.2) without delay. System administrators should also review user permissions carefully, ensuring that only trusted individuals can create or modify questions within courses. If upgrading is not immediately possible, consider patching the sanitization function in the file /question/type/calculated/questiontype.php to always return false, which disables the calculated questions feature entirely until the fix can be applied.
