Moodle is an open source learning management System. Our university uses a some Open source version of this moodle. In this article I try to explain some weakness currently present in the moodle.
Selected organization
LearnOrg moodle- University of Moratuwa
The tools we have used in this System security assessment are,
- metasploit 4.7
- nmap
- wireshark
Vulnerability identification
vulnerabilities are system defects that an attacker can use to launch an attack against the system. In the UOM moodle we have tried out some tests to detect vulnerabilities. All these tests were carried out using the current UOM moodle which is accessible at https://lms.uom.lk.
Test 1 Attempting Session Hijacking on the Same Machine
To see if session hijacking can be done two separate browsers were installed in the same machine. We have used Firefox and Google chrome browsers for this test. First we logged in to the moodle student account using Google chrome browser with cookies enabled. We can get the cookie values for the moodle session using the Google browser.
After using these cookie values we have created new cookies in Firefox using the cookie manager add-on. Then when we visit to the module in Firefox we will automatically redirected to the student account who logged in Google browser. So session hijacking is a one vulnerability in the UOM Moodle system.
Test 2 Attempting Session Hijacking over a network
Session values are not encrypted in http packets. Packet sniffing tool like wireshark can be easily used to track packets and get the session variables. Those can be copied into cookies in firefox and successfully login to the account.
We started wireshark and filtered to track ip packets. While it was running logged in to an user account in moodle.Then we stopped wireshark tracking packets. And analyze one by one packets.
Following is the ip packet with session variable.
Then we simply copied those variables into firefox and reloaded moodle. We successfully logged into the account. To perform this attack passive tampering is needed on the network connection which the target user machine is connecte
Test 3 identification of open/closed ports
nmap can be used to identify server details and its open and closed ports. A good security practice is hiding unused or security critical ports from the public. By this nmap search we discovered port 80, port 443 and port 631. So this is a good security move against attackers who are trying to launch DoS attacks on the server.
nmap -A lms.uom.lk
Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-06 15:30 IST
Nmap scan report for lms.uom.lk (192.248.8.105)
Host is up (0.85s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.3 ((Red Hat))
|_html-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp open ssl/http Apache httpd 2.2.3 ((Red Hat))
|_html-title: Site doesn't have a title (text/html; charset=UTF-8).
631/tcp closed ipp
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.74 seconds
Test 4 brute-force attacks to crack a password of a specific user
Number of attempts to login is stored in a cookie file. This is not a good security practice because an attacker can write a program to automatically reset the cookie file, he can continue to try new password values without being blocked.
So this introduces another security vulnerability which has to be addressed by the server end to ensure that no attacker is allowed to try a wrong password more than a certain number of times.
Threat identification
Following threats are present in the moodle system according to the tests that have been performed.
- User account hacks
- Server shutdowns and DoS attacks
- User security policy violations
Attack identification
Attacks can be deployed by using the vulnerabilities.
- Session hijacking on the same machine.
- Session hijacking through network interfaces.
- automated user name- password brute force attacks.
Vulnerability-to-attack mapping
System vulnerabilities and respective attacks are listed below.
- server port exposure - DoS attacks
- inadequate security for cookie files - Session hijacking in same machine and through network interface.
- session management by only using cookies - Brute force attacks by resetting cookies
Attack risk assessment
- Identified risks are highly critical because an attacker can steal sensitive information or completely take down the system by gaining access to the system.
- Data confidentiality and integrity is breached by such an attack and sensitive user data can be exposed to the public.
- Availability of the service can also be compromised if an DoS attack is deployed.
Risk mitigation approaches/techniques covering software security
- Decouple security options from cookie files because using cookies to control sessions is not a good security practice and it could violate security policies. (attackers can easily use session variables in cookies to attack system)
- Close all unused ports and block unauthorized access.
- Increase security of the server center in order to increase physical security.
Physical security
- Only authorized people are allowed to access the server rooms.
- Implementing a surveillance camera facility is recommended.
Data security
Sql injection threats are not found in the system. Databases should be kept securely so that no unauthorized access can be performed on the data.
User security
Session hijacking is present in the moodle system. So session management shall be improved to prevent this.
Server security
nmap can be used to identify open and closed ports on a remote server. If these details are known, an attacker may deploy a malicious application to a specific port.
No comments:
Post a Comment