According to security researchers, a session hijack vulnerability in the widely used e-learning platform Moodle allowed attackers to hijack any user’s session and gain remote code execution (RCE). Last year, the open-source platform’s maintainers corrected the severe weakness, safeguarding 213 million users in 241 countries, as well as Shell, Microsoft, and the London School of Economics.
According to a post shared on January 10 by pen testers Robin Peraglie and Johannes Moritz, the unauthenticated bug (CVE-2021-40691) exists in Moodle’s Shibboleth identity management plugin due to “the over-usage of PHP’s session_decode function when the database session handler was configured.” The problem is only fixed if Moodle’s Shibboleth authentication is enabled.
Last year, researchers discovered another pre-auth RCE in the same plugin triggered when sessions were saved in separate files, which was the usual setting for new installs. The flaw, which was fixed in July 2021, allowed attackers to get access to students’ personal information and test papers, as well as potentially influence exam results.
Both flaws “stem from the attempts to re-implement or mess with PHP’s internal session mechanisms” – an inadvisable move “due to the complexity and pitfalls” involved, stated the researchers.
The subsequent problem included how the logout db_session() method was called by every logout request received over a SOAP endpoint, iterated through all accessible database sessions, and passed them into the session_decode function. As per researchers, this translated the database’s serialized session data and loaded the $_SESSION superglobal with it, allowing an attacker to log in as any user with an active session for a fraction of a second. Because the previous session was not emptied, $_SESSION was still filled with the most recent user’s session data.
Due to session decode, this session was allocated to the attacker’s session cookie, allowing the attacker to reload the page and hijack random user sessions. Attackers may log out to clear non-admin sessions from the database, then repeat the attack until an admin session appears, allowing RCE through the plugin installation.
Versions 3.11-3.11.2, 3.10-3.10.6, and 3.9-3.9.9 are affected by the problem, which was fixed in 3.11.3, 3.10.7, and 3.9.10. On February 21, they reported the defect to Bugcrowd, and on September 12, a patch was sent to GitHub. They rated the reporting procedure as “extremely tedious due to problems when understanding and reproducing the issue on Bugcrowd’s side.” The report took four months to reach Moodle via triage, much like the prior problem.
