Introduced Moodle Scanner (#151)

autoreporter_addons/moodle_scanner/reporter.py

@@ -0,0 +1,92 @@
+from pathlib import Path
+from typing import Any, Dict, List
+
+from artemis.reporting.base.language import Language
+from artemis.reporting.base.report import Report
+from artemis.reporting.base.report_type import ReportType
+from artemis.reporting.base.reporter import Reporter
+from artemis.reporting.base.templating import ReportEmailTemplateFragment
+from artemis.reporting.utils import get_top_level_target
+
+from .translations.moodle_messages import pl_PL as translations_moodle_messages_pl_PL
+
+
+class TranslationNotFoundException(Exception):
+    pass
+
+
+class MoodleScannerReporter(Reporter):  # type: ignore
+    OBSOLETE_MOODLE_VERSION_FOUND = ReportType("obsolete_moodle_version_found")
+    MOODLE_VULNERABILITY_FOUND = ReportType("moodle_vulnerability_found")
+
+    @staticmethod
+    def create_reports(task_result: Dict[str, Any], language: Language) -> List[Report]:
+        if task_result["headers"]["receiver"] != "moodle_scanner":
+            return []
+
+        result = []
+        target = get_top_level_target(task_result)
+
+        if (
+            task_result["result"].get("version")
+            and task_result["result"].get("is_version_obsolete")
+            and task_result["result"]["version"] != "Version not found"
+        ):
+            result.append(
+                Report(
+                    top_level_target=target,
+                    target=target,
+                    report_type=MoodleScannerReporter.OBSOLETE_MOODLE_VERSION_FOUND,
+                    additional_data={
+                        "version": task_result["result"]["version"],
+                    },
+                    timestamp=task_result["created_at"],
+                )
+            )
+
+        for vuln in task_result["result"].get("vulnerabilities", []):
+            if vuln in ["Vulnerability type: Exec Code XSS"] or vuln.startswith("Reference: "):
+                continue
+
+            if language == Language.en_US:
+                vuln_translated = vuln
+            elif language == Language.pl_PL:
+                vuln = vuln.strip()
+
+                if vuln in translations_moodle_messages_pl_PL.TRANSLATIONS:
+                    vuln_translated = translations_moodle_messages_pl_PL.TRANSLATIONS[vuln]
+                else:
+                    raise TranslationNotFoundException(
+                        f"Unable to find translation for message '{vuln}'."
+                        f"You may add in in Artemis-modules-extra/autoreporter_addons/moodle_scanner/translations/moodle_messages/"
+                    )
+            else:
+                raise NotImplementedError()
+
+            result.append(
+                Report(
+                    top_level_target=target,
+                    target=target,
+                    report_type=MoodleScannerReporter.MOODLE_VULNERABILITY_FOUND,
+                    additional_data={
+                        "vulnerability": vuln_translated,
+                        "version": task_result["result"].get("version", "Unknown"),
+                    },
+                    timestamp=task_result["created_at"],
+                )
+            )
+
+        return result
+
+    @staticmethod
+    def get_email_template_fragments() -> List[ReportEmailTemplateFragment]:
+        return [
+            ReportEmailTemplateFragment.from_file(
+                str(Path(__file__).parents[0] / "template_moodle_vulnerability.jinja2"),
+                priority=7,
+            ),
+            ReportEmailTemplateFragment.from_file(
+                str(Path(__file__).parents[0] / "template_obsolete_moodle_version.jinja2"),
+                priority=4,
+            ),
+        ]

autoreporter_addons/moodle_scanner/template_moodle_vulnerability.jinja2

@@ -0,0 +1,21 @@
+{% if "moodle_vulnerability_found" in data.contains_type %}
+    <li>{% trans %}The following security vulnerabilities were detected in Moodle installations:{% endtrans %}
+
+        <ul>
+            {% for report in data.reports %}
+                {% if report.report_type == "moodle_vulnerability_found" %}
+                    <li>
+                        {{ report.target }} - {{report.additional_data.vulnerability }}
+                        {{ report_meta(report) }}
+                    </li>
+                {% endif %}
+            {% endfor %}
+        </ul>
+
+        <p>
+            {% trans trimmed %}
+                These vulnerabilities should be addressed by updating to the latest secure version of Moodle.
+                If a site is no longer used, we recommend shutting it down to eliminate the risk of exploitation of known vulnerabilities in older Moodle versions.
+            {% endtrans %}
+        </p>
+{% endif %}

autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2

@@ -0,0 +1,20 @@
+{% if "obsolete_moodle_version_found" in data.contains_type %}
+    <li>{% trans %}The following Moodle installations with outdated versions were detected:{% endtrans %}
+
+    <ul>
+        {% for report in data.reports %}
+            {% if report.report_type == "obsolete_moodle_version_found" %}
+                <li>
+                    {{ report.target }} - {% trans %}version:{% endtrans %} {{report.additional_data.version }}
+                    {{ report_meta(report) }}
+                </li>
+            {% endif %}
+        {% endfor %}
+    </ul>
+
+    <p>
+        {% trans trimmed %}
+            Keep track of the Moodle versions in use and ensure they are up to date.
+        {% endtrans %}
+    </p>
+{% endif %}

autoreporter_addons/moodle_scanner/translations/en_US/LC_MESSAGES/messages.po

@@ -0,0 +1,27 @@
+#: autoreporter_addons/moodle_scanner/template_moodle_vulnerability.jinja2:2
+msgid ""
+"The following security vulnerabilities were detected in Moodle "
+"installations:"
+msgstr ""
+
+#: autoreporter_addons/moodle_scanner/template_moodle_vulnerability.jinja2:16
+msgid ""
+"These vulnerabilities should be addressed by updating to the latest "
+"secure version of Moodle. If a site is no longer used, we recommend "
+"shutting it down to eliminate the risk of exploitation of known "
+"vulnerabilities in older Moodle versions."
+msgstr ""
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:2
+msgid "The following Moodle installations with outdated versions were detected:"
+msgstr ""
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:8
+msgid "version:"
+msgstr ""
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:16
+msgid ""
+"Keep track of the Moodle versions in use and ensure they are up to date "
+"with the latest security patches."
+msgstr ""

autoreporter_addons/moodle_scanner/translations/messages.pot

@@ -0,0 +1,27 @@
+#: autoreporter_addons/moodle_scanner/template_moodle_vulnerability.jinja2:2
+msgid ""
+"The following security vulnerabilities were detected in Moodle "
+"installations:"
+msgstr ""
+
+#: autoreporter_addons/moodle_scanner/template_moodle_vulnerability.jinja2:16
+msgid ""
+"These vulnerabilities should be addressed by updating to the latest "
+"secure version of Moodle. If a site is no longer used, we recommend "
+"shutting it down to eliminate the risk of exploitation of known "
+"vulnerabilities in older Moodle versions."
+msgstr ""
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:2
+msgid "The following Moodle installations with outdated versions were detected:"
+msgstr ""
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:8
+msgid "version:"
+msgstr ""
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:16
+msgid ""
+"Keep track of the Moodle versions in use and ensure they are up to date "
+"with the latest security patches."
+msgstr ""

autoreporter_addons/moodle_scanner/translations/moodle_messages/pl_PL.py

@@ -0,0 +1,9 @@
+from typing import Dict
+
+REFLECTED_XSS_DESCRIPTION = "Cross-Site Scripting, umożliwiającą atakującemu spreparowanie linku, który, po kliknięciu przez administratora, wykona dowolną akcję z jego uprawnieniami (taką jak np. modyfikacja treści czy kradzież danych)."
+
+TRANSLATIONS: Dict[str, str] = {
+    "[!] CVE-2022-35653: A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.": "CVE-2022-35653: Wykryto podatność Reflected XSS, która umożliwia atakującemu spreparowanie linku do powyższej strony internetowej, który - gdy kliknięty przez ofiarę - wykona dowolne skrypty lub zmieni w dowolny sposób wygląd strony, umożliwiając np. wykradnięcie danych. Uwaga: podatność nie dotyczy zalogowanych użytkowników.",
+    "[!] CVE-2022-35651: A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.": "CVE-2022-35651: Wykryto podatność Server-Site Reuqest Forgery, umożliwiającą wykonywanie żądań do systemów w sieci lokalnej, a także podatność "
+    + REFLECTED_XSS_DESCRIPTION,
+}

autoreporter_addons/moodle_scanner/translations/pl_PL/LC_MESSAGES/messages.po

@@ -0,0 +1,32 @@
+#: autoreporter_addons/moodle_scanner/template_moodle_vulnerability.jinja2:2
+msgid ""
+"The following security vulnerabilities were detected in Moodle "
+"installations:"
+msgstr ""
+"Wykryto następujące podatności w systemach Moodle:"
+
+#: autoreporter_addons/moodle_scanner/template_moodle_vulnerability.jinja2:16
+msgid ""
+"These vulnerabilities should be addressed by updating to the latest "
+"secure version of Moodle. If a site is no longer used, we recommend "
+"shutting it down to eliminate the risk of exploitation of known "
+"vulnerabilities in older Moodle versions."
+msgstr ""
+"Zalecamy szybką naprawę tych podatności za pomocą aktualizacji do najnowszej wersji systemu "
+"Moodle. Jeśli strona nie jest już używana, rekomendujemy jej wyłączenie, aby "
+"wyeliminować ryzyko ataku przy użyciu znanych podatności w starszych "
+"wersjach systemu Moodle."
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:2
+msgid "The following Moodle installations with outdated versions were detected:"
+msgstr "Wykryto następujące instalacje systemu Moodle z nieaktualną wersją oprogramowania:"
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:8
+msgid "version:"
+msgstr "wersja:"
+
+#: autoreporter_addons/moodle_scanner/template_obsolete_moodle_version.jinja2:16
+msgid ""
+"Keep track of the Moodle versions in use and ensure they are up to date."
+msgstr ""
+"Zalecamy regularne sprawdzanie, czy używane wersje systemu Moodle są aktualne."

autoreporter_addons/ssl_checks/filtered_website_fragments.txt

@@ -35,6 +35,7 @@ Przepraszamy - strona w produkcji !
 Przerwa techniczna
 <p><span class="Style1">mobylee web site not found!<br>
 <p>Ta domena utrzymywana jest na serwerach</p>
+<script src="http://c.parkingcrew.net/scripts/sale_form.js" type="text/javascript"></script>
 <script src="https://static.nazwa.pl/rotator/blackdown/banner_script.js"></script>
 Serwis o podane nazwie nie istnieje
 Serwis w trakcie prac rozwojowych

docker-compose.yml

@@ -21,6 +21,17 @@ services:
     restart: always
     command: "python3 -m artemis.modules.forti_vuln"
 
+  karton-moodle_scanner:
+    build:
+      context: Artemis-modules-extra
+      dockerfile: karton_moodle_scanner/Dockerfile
+    volumes:
+      - "./docker/karton.ini:/etc/karton/karton.ini"
+      - "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"
+    env_file: .env
+    restart: always
+    command: "python3 -m artemis.modules.moodle_scanner"
+
   karton-sqlmap:
     build:
       context: Artemis-modules-extra
@@ -59,4 +70,5 @@ services:
       - ./Artemis-modules-extra/autoreporter_addons/dns_reaper/:/opt/artemis/reporting/modules/dns_reaper/
       - ./Artemis-modules-extra/autoreporter_addons/forti_vuln/:/opt/artemis/reporting/modules/forti_vuln/
       - ./Artemis-modules-extra/autoreporter_addons/sqlmap/:/opt/artemis/reporting/modules/sqlmap/
+      - ./Artemis-modules-extra/autoreporter_addons/moodle_scanner/:/opt/artemis/reporting/modules/moodle_scanner/
       - ./Artemis-modules-extra/autoreporter_addons/ssl_checks/:/opt/artemis/reporting/modules/ssl_checks/

karton_moodle_scanner/Dockerfile

@@ -0,0 +1,7 @@
+FROM certpl/artemis:latest
+
+RUN git clone https://github.com/inc0d3/moodlescan.git /moodle_scanner
+RUN pip install --no-cache-dir -r /moodle_scanner/requirements.txt
+
+COPY karton_moodle_scanner/moodle_scanner.py /opt/artemis/modules/
+COPY extra_modules_config.py /opt/