WordPress XCloner 3.1.5 Denial Of Service / Code Execution

Type packetstorm
Reporter Felipe Molina
Modified 2016-11-09T00:00:00


                                            `# Exploit Title: XCloner <= 3.1.5 Multiple Vulnerabilities  
# Google Dork: inurl:"plugins/xcloner-backup-and-restore/readme.txt" -site:wordpress.org  
# Date: 08/11/2016  
# Exploit Author: Felipe Molina (@felmoltor)  
# Vendor Homepage: www.xcloner.com  
# Software Link: https://es.wordpress.org/plugins/xcloner-backup-and-restore/  
# Version: 3.1.5 and lower  
# Tested on: Ubuntu 14 and PHP 5  
# Product description: XCloner is a plugin for wordpress and Joomla! with more than 70.000 active installations to easily execute backup and restores on your CMS.  
Authenticated DoS or CMS destruction  
Summary: XClonner does not check the file path is going to unlink  
after unlinking it. Therefore, a deletion of random files on the file  
system accesible by the web process is possible. A destruction of the  
blog can be achieved with the following PoC:  
1. Authenticate to wordpress with an administrator  
2. Access to XCloner to the following URL:  
* http://example.com/wp-admin/plugins.php?page=xcloner_show&option=xcloner&task=cron_delete&fconfig=../../../../wp-config.php  
3. See how your wordpress stops working.  
4. In case that the web server is running with higher privileges, a more destructive action would be possible deleting O.S. critical files.  
Authenticated RCE  
XCloner does not filter the command line is being used to execute the  
tar of a backup.  
Random shell commands can be injected in this field.  
A file creation in the file system can be achieved with the following PoC:  
1. Authenticate to wordpress with an administrator  
2. Access to Plugins -> XCloner  
3. Navigate to Administration -> Configuration -> General  
4. In "Server Use Options" set the field "Tar path or command" with  
the following value:  
* tar -h; cp /etc/passwd ./passwd.txt ; tar -k  
5. Now go to "Actions -> Generate Backup"  
6. Find the file passwd.txt in the wordpress root folder  
7. Navigate to http://example.com/passwd.txt to see the file /etc/passwd  
8. Looking at the code, the field to specify the mysqldump command  
"Mysqldump path or command" is also injectable, but I have not a PoC  
for it.  
Felipe Molina de la Torre (@felmoltor)