Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 19 Feb 2020 09:03:04 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Wordpress themegrill-demo-importer: database reset/auth bypass,
 incomplete fix due to CSRF

A severe vulnerability in a wordpress plugin called ThemeGrill Demo
Importer was discovered by the company WebARX:
https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/

The vulnerability is as follows:
The plugin adds a hook to wordpress that can be reached with the
ajax-interface (admin-ajax.php) and that has a functionality to reset
the wordpress database which will be triggered if the GET variable
do_reset_wordpress is set.

The problem: This had no authentication whatsoever.

PoC:
curl https://example.org/wp-admin/admin-ajax.php?do_reset_wordpress01
--data 'action=heartbeat' -i

This can obviously delete all existing posts and other data. If there
exists a user called "admin" (i.e. the name of the user is admin, not
just a user with an admin role) then after triggering that function the
attacking user will be logged in as the admin, so in that case he can
use that to e.g. install a plugin and gain code execution. For further
details read the WebARX post.

This is already being actively exploitet, I observed several vulnerable
installations that were empty yesterday (i.e. only showing the standard
"Hello World" post of a new wordpress installation).

Incomplete Fix / CSRF
=====================

As a fix for this the developers of the plugin added a check if one is
logged in as a user with sufficient permission in version 1.6.2.
This is not a full fix, because there is no protection from Cross Site
Request Forgery. This means the functionality can no longer be
triggered by an unauthenticated user, but one can lure the admin of an
affected site to a site triggering a POST request executing that
function.

PoC code:
<form id="f1"
action="https://example.org/wp-admin/admin-ajax.php?do_reset_wordpress=1"
method="POST"> <input type=hidden name=action value="heartbeat">
</form>  
<script>
document.getElementById("f1").submit();
</script>

I had reported this to the developers of the plugin on Monday, but
given that this is almost entirely obvious looking at the fix I was
likely not the only one who has noticed. WebARX also told me they
noticed this and had already told Themegrill about it.

There's now an update 1.6.3 that adds a nonce check. I have
not reviewed that change in detail. Patches:
https://github.com/themegrill/themegrill-demo-importer/commit/b350a29628fb40522468a576e98e45abbc4de0c7
https://github.com/themegrill/themegrill-demo-importer/commit/564d8496d1f0d10f6aab4798eeec7ddefc81bdd2

From the functionality this plugin provides I believe it's only useful
during development and testing of themes. Therefore even if the
vulnerability is now hopefully fixed it is probably a good idea to
remove it from production installations when it's no longer needed.

Summary on affected versions:
1.3.4 to 1.6.1: vulnerable to original/severe variant
1.6.2: Insufficient fix, attack with CSRF possible
1.6.3: hopefully fixed

-- 
Hanno Böck
https://hboeck.de/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.