Recently, WordPress released a new version, 4.3.1, which fixes several serious security issues, including a cross-site scripting vulnerability reported by Check Point, CVE-2015-5714, and a privilege escalation vulnerability, CVE-2015-5715.
At the beginning of the month, Check Point published on its official blog the first part of a series of articles it calls the "WordPress vulnerabilities trilogy". That part covers the privilege-bypass vulnerability fixed in WordPress 4.2.3, which I will not analyze in detail here; the relevant details can be found in the original post and in phithon's analysis of the WordPress 4.2.3 privilege-bypass SQL injection vulnerability (CVE-2015-5623).
This post mainly describes the third part of the "trilogy", in which Check Point disclosed another privilege-bypass vulnerability and a cross-site scripting vulnerability, both fixed in WordPress 4.3.1 (see the original post on Check Point's blog).
1. XSS caused by the difference between "KSES" filtering and shortcode filtering
Let's look at the cross-site scripting vulnerability first. When editing article content, WordPress allows shortcodes to stand in for resources such as images and links. WordPress filters HTML tags with a whitelist mechanism: only tags that match the whitelist rules may be used, and a dedicated script, "KSES", detects and filters these HTML tags. The important point is that WordPress's detection and filtering of HTML tags happens when the content is written to the database, whereas shortcode parsing and rendering happens when the content is output to the page. The following simple example illustrates the difference between the two processes. Edit an article and insert this content:
Because the inserted content contains complete HTML tags that match the whitelist rules, plus a caption shortcode (the caption shortcode's description text is not part of what "KSES" checks), when the content is finally output to the front end and the shortcode is parsed, it is rendered as:
TEST!!! style="width: 1px;" class="wp-caption alignnone"> class="wp-caption-text">xxxxxx
Because the "KSES" filter only checks HTML tags and does not inspect shortcodes, and because shortcode attributes take the form KEY=VALUE with the value wrapped in single quotes (') or double quotes ("), in the content "TEST!!! xxxxxx" the caption shortcode ends up with two attributes, respectively:
caption: a href="
The latter half, ]xxxxxx, is a normally closed HTML tag, so it is not discarded by the "KSES" filter. Finally, when the front end outputs the content, the caption shortcode is parsed, and the resulting last tag's href attribute value is left unclosed.
Therefore, by exploiting the difference between the two stages of processing, a payload can be constructed that produces an XSS:
Then use XML-RPC to enumerate the articles and obtain the id of the submitted article that is pending review; here the pending article id obtained is "28". In the configured payload, the post status is set to private rather than published:
Editing the post over XML-RPC successfully changes its status to private; visiting the front end shows the result:
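The status change above works because the server only verifies that the caller may edit the post, not that the caller may set the requested status. The following Python is an added example, not WordPress code and not the actual 4.3.1 patch: it models a post-edit handler with the check missing beside one that checks each state-changing field against the capability it needs. The capability names are WordPress's real ones, but the role map is simplified and the users and post (apart from the article's post id 28) are constructed assumptions.

```python
# Constructed, simplified model of the WordPress role -> capability map.
ROLE_CAPS = {
    "subscriber":  {"read"},
    "contributor": {"read", "edit_posts", "delete_posts"},
    "author":      {"read", "edit_posts", "delete_posts", "publish_posts",
                    "upload_files", "edit_published_posts"},
    "editor":      {"read", "edit_posts", "delete_posts", "publish_posts",
                    "upload_files", "edit_published_posts", "edit_others_posts",
                    "edit_private_posts", "read_private_posts"},
}

# Constructed sample data: a low-privilege user's post awaiting review
# (post id 28 is the pending id the article finds over XML-RPC).
CONTRIBUTOR = {"name": "guest", "role": "contributor"}
AUTHOR = {"name": "guest", "role": "author"}
PENDING_POST = {"id": 28, "author": "guest", "post_status": "pending", "sticky": False}


class Forbidden(Exception):
    """The caller lacks the capability the requested change needs."""


def _require_edit(user: dict, post: dict) -> set:
    """The check both handlers share: may this user edit this post at all?"""
    caps = ROLE_CAPS[user["role"]]
    if "edit_posts" not in caps:
        raise Forbidden("edit_posts required")
    if post["author"] != user["name"] and "edit_others_posts" not in caps:
        raise Forbidden("edit_others_posts required for someone else's post")
    return caps


def edit_post_unchecked(user: dict, post: dict, changes: dict) -> dict:
    """Missing-check behaviour: once editing is allowed at all, every submitted
    field, post_status and sticky included, is applied as given."""
    _require_edit(user, post)
    return {**post, **changes}


def edit_post_checked(user: dict, post: dict, changes: dict) -> dict:
    """Hardened: each state-changing field is checked against the *requested*
    value, not merely against the right to edit the post."""
    caps = _require_edit(user, post)
    status = changes.get("post_status", post["post_status"])
    if status in ("publish", "private") and "publish_posts" not in caps:
        raise Forbidden(f"publish_posts required to set post_status={status!r}")
    if changes.get("sticky", post["sticky"]) and "edit_others_posts" not in caps:
        raise Forbidden("edit_others_posts required to make a post sticky")
    return {**post, **changes}


def outcome(handler, user: dict, post: dict, changes: dict) -> str:
    """Run a handler and report the resulting post_status, or 'denied'."""
    try:
        return handler(user, post, changes)["post_status"]
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    request = {"post_status": "private"}
    print("unchecked:", outcome(edit_post_unchecked, CONTRIBUTOR, PENDING_POST, request))
    print("checked:  ", outcome(edit_post_checked, CONTRIBUTOR, PENDING_POST, request))
```

The point of the model is that "may edit" and "may publish/make private/make sticky" are separate authorizations; a handler that merges arbitrary client-supplied fields after only the first check has exactly the gap this section describes.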
4. The trilogy played together
Reviewing the WordPress vulnerability trilogy released by Check Point, one can see that WordPress 4.2.2 contains every vulnerability it reported: the "race condition privilege escalation", the "SQL injection via post recovery", the "XSS caused by the difference between KSES and shortcode filtering", and the "missing privilege check leading to unauthorized operations". It appears that on WordPress 4.2.2 these vulnerabilities can be chained: start with the race condition privilege escalation, then carry out the remaining attacks, achieving SQL injection and XSS from an extremely low-privilege user. I combined the exploitation methods Check Point describes in part 1 and part 3 into an "all in one" PoC, in which the race condition privilege escalation step uses the approach from phithon's article of using two subscriber users to get around the 7-day attack cycle limit.
To produce the "all in one" demo, the WordPress test environment was switched to version 4.2.2, two subscriber users, "guest:guest888" and "test:test888", were prepared in advance, and then the PoC was run:
After the PoC reports success, visit the front end as administrator: the article has been made sticky and contains the malicious code:
One has to admire the researcher's familiarity with WordPress and the ideas behind the exploitation.
Although WordPress has fixed these vulnerabilities over several successive versions, on any installation that is not on the latest version these seemingly "worthless" vulnerabilities are, in my opinion, far from worthless; they were only dismissed as such because a suitable scenario for applying them had not yet been found.